Hermes ransomware spreads via Flash zero-day vulnerability

by Ugnius Kiguolis

Flash Player flaw helped hackers to spread Hermes ransomware

Hermes ransomware deployed

Hermes 2.1 ransomware virus[1] has been seen spreading via malicious spam emails carrying infected Microsoft Office documents. Criminals launched a targeted attack that exploited a zero-day[2] vulnerability in Flash Player version 28.0.0.137, which was reported earlier this year.

The South Korean Emergency Response Team (KrCERT) reported[3] this flaw (CVE-2018-4878) at the end of January. Malware creators took advantage of the news and decided to use the flaw for ransomware distribution.

On the 27th of March 2018, researchers detected a variant of Hermes ransomware virus spreading via a compromised Korean website. Security experts initially looked for malicious JavaScript;[4] however, the code was embedded directly into the main page's source code.

Hermes malware has threatened computer users since October 2017

Hermes virus was first detected in October 2017. Back then, the malware used a combination of AES and RSA cryptography and appended the .hermes file extension to the targeted files on the affected computer.

The creators of the ransomware are linked to a North Korean hacker group called Lazarus. The group was held responsible for the Far Eastern International Bank (FEIB) hack[5] in Taiwan in October 2017. The cybercriminals attempted to wire as much as $60 million to banks in Cambodia, the United States, and Sri Lanka.

However, the hacker group was not only stealing money from banks but kept updating its ransomware virus too. A couple of months after the original Hermes ransomware was released, hackers started distributing an updated version. In April 2017, malware researchers reported Hermes 2.0, which was very similar to the first version of the malware.

It seems that the crooks were not satisfied with their second illegal ransom-demanding project either. Hence, they created one more version and have stuck with it into 2018. Hermes 2.1 is the latest variant of the file-encrypting virus and currently targets users in South Korea with the help of the GreenFlash Sundown Flash Player exploit kit.

Ways to protect yourself from ransomware and other attacks

Flash Player is one of the most popular programs in the world. Unfortunately, it is full of flaws. Although security vulnerabilities are being detected and fixed continuously, cybercriminals are well aware of the program's weaknesses. Numerous exploit kits take advantage of Flash vulnerabilities to install ransomware like Hermes virus.

Therefore, users are advised to keep Flash Player up to date. The best idea is to enable automatic updates. That way you won't be tricked by a pop-up on the web claiming that updates are available for you; this hoax is widely used by criminals to trick users into installing malware on their machines. Additionally, if you do not use Flash, you should uninstall it to make the system less vulnerable to such attacks.
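As an added example (not part of the original article), the following Python script flags hosts in a software inventory whose Flash Player build is at or below 28.0.0.137, the version the article names as vulnerable to CVE-2018-4878. The inventory format and host entries are constructed for this example, and treating every build up to and including 28.0.0.137 as affected is an assumption.

```python
"""Flag inventory hosts running a Flash Player build at or below 28.0.0.137.

Assumptions (not from the article): the inventory below is constructed, and
every build <= 28.0.0.137 is treated as affected by CVE-2018-4878.
"""
from typing import List, Tuple

VULNERABLE_MAX = "28.0.0.137"  # version named in the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '28.0.0.137' into (28, 0, 0, 137) so comparison is numeric.

    Comparing the raw strings would rank '28.0.0.99' above '28.0.0.137',
    which is exactly the mistake that lets a vulnerable build slip through.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, ceiling: str = VULNERABLE_MAX) -> bool:
    """True when the installed build is at or below the vulnerable ceiling."""
    return parse_version(version) <= parse_version(ceiling)


# Constructed sample inventory: (hostname, installed Flash Player version).
# "none" marks hosts where Flash has already been uninstalled.
INVENTORY = [
    ("ws-01", "28.0.0.137"),
    ("ws-02", "28.0.0.99"),
    ("ws-03", "29.0.0.113"),
    ("ws-04", "none"),
    ("ws-05", "27.0.0.187"),
]


def affected_hosts(inventory) -> List[str]:
    """Return hostnames that still need a Flash update or removal."""
    out = []
    for host, version in inventory:
        if version == "none":
            continue  # nothing installed, nothing to patch
        if is_affected(version):
            out.append(host)
    return out


if __name__ == "__main__":
    for h in affected_hosts(INVENTORY):
        print(f"{h}: Flash Player needs updating or removal")
```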

However, exploitation of software vulnerabilities is just one of the ways computers get infected. Another popular way to spread ransomware executables is malicious spam email. Cybercriminals often employ social engineering to craft phishing emails that convince users to open the attached file.

Typically, the spam email contains a convincing message and appears to come from an influential person, such as a bank representative or a diplomat. The author urges the victim to open the attachment, a macro-enabled file that releases the malicious payload. Hence, before opening such emails, double-check the information about the sender and look for grammar mistakes or questionable credentials.

About the author

Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
