New ‘HavanaCrypt’ Ransomware Distributed as Fake Google Software Update
New stealthy OrBit malware steals data from Linux devices
July 13, 2022CEO Accused of Making Millions via Sale of Fake Cisco Devices
July 13, 2022
Summary:
Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application. Dubbed HavanaCrypt, the ransomware performs multiple anti-virtualization checks and uses a Microsoft web hosting service IP address for its command and control (C&C) server, which allows it to evade detection. During their analysis of HavanaCrypt, Trend Micro also discovered that it uses a namespace method function that queues a method for execution and that it employs the modules of an open-source password manager during encryption. Compiled in .NET and protected using the Obfuscar open-source obfuscator, HavanaCrypt hides its window after execution, then checks the AutoRun registry for a “GoogleUpdate” entry and continues with its routine if the registry is not found.
