
New zero-day malware discovered

Tieto has discovered a zero-day malware being used in the wild, in an attack against Swedish organizations. The code is a form of malware that overwrites files on file shares to propagate itself.

Oskar Ehrnström / August 16, 2019


Tieto analysts have been analyzing the attack since Thursday, and at the time of writing (Friday at 09:00 CET), 12 out of 55 vendors on VirusTotal detect this zero-day.

The initial attack is delivered via an infected PDF file attached to an email. When the payload is executed, it performs a buffer overflow attack to infect the host. The malware then starts replacing files (such as Office documents) on file shares with a copy of itself as a .jse file (mydocument.docx becomes mydocument.jse). The initial analysis shows that all replaced files have the exact same hash, and if someone opens one of them on the share, their computer is infected with the same malware. This mechanism can potentially cause widespread outbreaks.
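As an added defender-side example (not Tieto's own tooling), the following Python script hunts a share for the propagation pattern described above: .jse files that are byte-identical across many locations and carry document-like names. The directory layout and file contents are constructed placeholders, not the real malware.

```python
"""Hunt a file share for the propagation pattern described above:
documents replaced by .jse copies that all share one hash."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=65536):
    """Stream-hash a file so large shares can be scanned without loading files whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_jse_clones(root, min_copies=2):
    """Return {sha256: [paths]} for .jse files that appear at least min_copies
    times with identical content anywhere under root. Legitimate scripts are
    rarely scattered as many byte-identical copies under document names."""
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jse"):
                path = os.path.join(dirpath, name)
                by_hash[sha256_file(path)].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


def build_constructed_share():
    """Constructed sample tree (placeholder bytes, not malware): one benign
    .jse plus three identical .jse files standing in for replaced documents."""
    root = tempfile.mkdtemp(prefix="share_")
    clone = b"// constructed placeholder, identical in every copy\n"
    layout = {
        "finance/budget.jse": clone,
        "hr/policy.jse": clone,
        "hr/archive/contract.jse": clone,
        "it/logon-helper.jse": b"// constructed benign script\n",
        "finance/notes.docx": b"PK constructed document\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for digest, paths in hunt_jse_clones(build_constructed_share()).items():
        print(f"{len(paths)} identical .jse copies, sha256 {digest[:16]}...")
        for p in paths:
            print("  ", p)
```

Point the scanner at the share roots and user Startup folders; a single hash recurring across unrelated directories is the signal worth escalating.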

(Figure: process graph)

Specific to this attack is also that parts of the code hide within the user's Startup folder, ensuring that it is executed upon logon. Organizations using Roaming Profiles might see this code propagate when users move from one computer to another.

The malware tries to communicate with an IP address that is found on many blacklists, so chances are that the communication channel is already blocked.

The spread mechanism makes this a threat worth an extra warning. If you have any concerns, or need assistance in handling this threat, reach out to us through your usual communication channel.

Oskar Ehrnström
Lead Business Development Manager

With over 20 years of experience in sales and marketing, and with 11 of those as a leader and trusted advisor within cybersecurity, Oskar Ehrnström drives business innovation and transformation within Tieto Security Services.
