For around the last five years, a ransomware campaign run under the #OpJerusalem hashtag has been infecting users around the world. The latest variant is written in Go, which complicates analysis. The criminals tried to protect their code, but the UPX packer they used is easily unpacked, which allows a more efficient threat analysis.
As a CyberArk research post puts it: “OpIsrael is the name of an annually coordinated cyber-attack against the Israeli government and private websites, created with the stated goal of “erasing Israel from the internet” in protest against the Israeli government’s conduct in the Israel-Palestine conflict. The most common vectors of attack are website defacements and denial-of-service (DoS), but there are also application attacks and data dumps. The main and most successful attack, which used data leakage and DoS against a good number of Israeli websites, was led by Anonymous on April 7th, 2013. Since then, this date has become the OpIsrael campaign date and every year a new campaign against Israeli websites is launched. The hackers usually create a public Facebook group where they provide tools and malware for use in the coming campaign. Since the attack in 2013, the number of participants and supporters has been decreasing. This time, one month before the usual date of the campaign, a new attack took place targeting a private website.”
On 2 March 2019, the Israeli website nagish.co.il was compromised and defaced with the message “OpJerusalem, Jerusalem is the capital of Palestine”, and a malicious file was distributed through the website’s subdomains. The source, which was published on GitHub, contains an amusing bug: the malware never downloads, because the condition that prints the defacement message is wrong and always evaluates to true.
The delivery script was written to detect the visitor’s operating system; its main task is to determine whether the client is running a Windows-based OS or something else.
According to Bleeping Computer, the attackers modified the DNS record for a popular web accessibility plugin served from nagich.com (an Israeli website). Whenever a visitor opened a website that uses this plugin, a malicious script was loaded instead of the legitimate plugin.
Ido Naor, Principal Security Researcher at Kaspersky Lab, explained that “the attackers made a big mistake in the code; it only showed the defacement rather than distributing the JCry ransomware infection.”
The #OpJerusalem Attack Explained:
In the malicious script shared by Naor, we can see how the attack was intended to be conducted, and why it ultimately failed.
The script would check the browser’s User-Agent to determine whether the visitor was running a Windows-based OS. If the variable was equal to the string “Windows”, the site would display a fake Adobe Update message used to distribute the JCry ransomware. Otherwise, a defacement page would be displayed.
If the visitor was not running Windows, the defacement page below was shown:
If the code determined that the visitor was on a Windows-based system, it popped up a fake Adobe Update, and the downloaded file looked like this:
This file is downloaded when the victim installs the fake Adobe plugin.
It drops two files, Dec.exe and Enc.exe. When the user executes Enc.exe, all the other files are encrypted and given the .jcry extension, as in this sample:
After the process finishes encrypting the computer, the decryptor is launched automatically and waits for a decryption key to be entered.
A short ransom note named JCRY_NOTE.html is then dropped. It contains the victim’s unique key, a bitcoin address for the $500 ransom payment, and a TOR site at http://kpx5wgcda7ezqjty.onion, which is used to tell the attackers that a payment has been made.
This TOR site simply contains a field where you enter the address of the wallet you sent the payment from, alongside your prefilled unique ID.
Because the bitcoin address used for payment, 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt, is the same for every victim, if this were real ransomware rather than a wiper it would have been hard for the attackers to know who actually paid. It could also have allowed unscrupulous victims to try to steal other users’ payments.
It is not known whether the attackers would have provided a key after the ransom was paid.
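As an added example (not code from the article or from the campaign), the following Python triage script parses JCRY_NOTE.html-style notes from several victims and checks the point made above: when every note carries the same bitcoin address, payments cannot be tied back to a victim ID. The note contents, the victim IDs and the regular expressions are constructed here; only the wallet and .onion address come from the article.

```python
import re
from collections import Counter

# Constructed ransom notes modelled on the JCRY_NOTE.html fields described in
# the article (unique ID, bitcoin address, TOR site). The victim IDs are made
# up; the wallet and .onion address are the ones quoted in the article.
NOTE_TEMPLATE = """<html><body><h1>JCRY</h1>
<p>Your files have been encrypted with the .jcry extension.</p>
<p>Your unique ID: {vid}</p>
<p>Send $500 in Bitcoin to 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt</p>
<p>Then confirm payment at http://kpx5wgcda7ezqjty.onion</p></body></html>"""
SAMPLE_NOTES = {v: NOTE_TEMPLATE.format(vid=v) for v in ("A1B2C3D4", "9F8E7D6C", "5A5B5C5D")}

TAG_RE = re.compile(r"<[^>]+>")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # legacy base58 address
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b")      # v2 or v3 hidden service
ID_RE = re.compile(r"unique ID:\s*([A-Za-z0-9]+)")


def parse_note(html):
    """Pull the three fields an analyst wants out of one ransom note."""
    text = TAG_RE.sub(" ", html)
    btc, onion, vid = BTC_RE.search(text), ONION_RE.search(text), ID_RE.search(text)
    return {
        "victim_id": vid.group(1) if vid else None,
        "btc_address": btc.group(0) if btc else None,
        "onion": onion.group(0) if onion else None,
    }


def wallet_reuse(notes):
    """Parse every note and report whether all victims are told to pay one wallet.

    One shared address across distinct victim IDs means the attackers cannot tell
    which victim paid, so a payment cannot be tied back to a decryption key.
    """
    parsed = [parse_note(h) for h in notes.values()]
    addresses = Counter(p["btc_address"] for p in parsed)
    victim_ids = {p["victim_id"] for p in parsed if p["victim_id"]}
    return {
        "shared_wallet": len(addresses) == 1,
        "addresses": dict(addresses),
        "distinct_victim_ids": len(victim_ids),
    }


if __name__ == "__main__":
    print(wallet_reuse(SAMPLE_NOTES))
```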