What is Really Happening with MegaCortex

Christopher Del Fierro/IBM X-Force IRIS

MegaCortex ransomware was all over the cybersecurity news in May 2019. But according to Sophos, MegaCortex was already around and had been submitted to VirusTotal sometime in January 2019. MegaCortex is a ransomware that uses both automated and manual components to infect victims. It is believed that MegaCortex targets corporate networks that were previously infected with Emotet/Qakbot, thereby gaining access to Administrator accounts and subsequently backdoor access. With a backdoor open, threat actors can freely push and execute MegaCortex and its components using a batch file.

What we know so far about MegaCortex is that it needs a base64-encoded key as an argument and that it must be executed on a specific date and within a 3-hour time window to proceed to its ransomware payload. With these unconventional execution conditions and this distribution method, the threat actors are making sure that MegaCortex will not be easily cracked and reversed by malware analysts.

To date, no one has published a complete technical breakdown of MegaCortex from a reverse engineer's standpoint. This research details a significant discovery about MegaCortex and discusses features that other researchers may have missed, demystifying how it "really" works. For example, other technical reports mention that MegaCortex uses only one DLL as a component, but in fact it uses two. The second DLL component will be discussed to break down the process of this ransomware once and for all. For all we know, MegaCortex might shape the future of ransomware.

November 8 at 11:20 - 11:40, Stage B

Christopher Del Fierro, Malware Reverse Engineer. Christopher Del Fierro, "Topet", has more than 15 years of experience in the information security industry and is a Malware Reverse Engineer at IBM Security X-Force IRIS, where he provides malware analysis support to incident response engagements and intelligence research teams. Topet's core competency is in-depth malware analysis of different file types, development of proactive/heuristic detections to catch future variants, and development of remediation and cleanup tools. He also has experience in developing various tools and projects for malware detection and false-positive automation processes. Believe it or not, Topet is known as the "silent type" among his peers, but that doesn't stop him from enjoying blogging, public speaking and promoting cybersecurity awareness at different universities in the Philippines.