Ransom.REvil MVID-2022-0596 Code Execution
https://packetstormsecurity.com/files/167152/MVID-2022-0596.txt
https://packetstormsecurity.com/files/167152/Ransom.REvil-MVID-2022-0596-Code-Execution.html
Thu, 12 May 2022 15:41:06 GMT

REvil ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware before it begins encrypting. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if it is not, the DLL retrieves the process ID of the host process and terminates it. We do not need to rely on hash signatures or third-party products, as the malware's own flaw does the work for us. Endpoint protection systems and/or antivirus can potentially be killed before the malware executes, but this method cannot, because there is nothing to kill: the DLL simply lives on disk waiting. From a defensive perspective, you can place the DLLs on a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.

© 2022 Packet Storm. All rights reserved.