Yesterday, Tieto discovered a zero-day malware being used in the wild, in an attack against Swedish organizations. The code is a form of malware that overwrites files on file shares with copies of itself in order to propagate.

Tieto analysts have been working on analyzing the attack since Thursday, and now, at the time of writing this post (Friday at 09:00 CET), 12 out of 55 vendors show detection of this zero-day in VirusTotal: https://www.virustotal.com/gui/file/1183a556a1f673a6826204d77556c84a8e60b1960d423bfdae40e8fe49923cfc/detection

The initial attack is delivered via an infected PDF file attached to an email. When the payload is executed, it performs a buffer overflow attack to infect the host. The malware then starts to replace files (such as Office documents) on file shares with a copy of itself as a .jse file (mydocument.docx becomes mydocument.jse). The initial analysis shows that all of the replaced files have the exact same hash, and if someone opens one of them on the share, their computer is infected with the same malware. This mechanism can potentially cause widespread outbreaks.
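The propagation symptom described above (document names reappearing as .jse files, all with the same hash) is something a defender can hunt for on a share with read access. The following Python script is an added example written for this post; it is not Tieto's tooling or code from the analysis. It walks a share, hashes every .jse file, reports clusters of byte-identical .jse files, and flags any file whose SHA-256 matches the sample hash from the VirusTotal link in the post (the only indicator the post provides). The sample directory tree it builds for a dry run is constructed and contains harmless placeholder text, not the malware.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# SHA-256 taken from the VirusTotal link in the post; the only IoC the post gives.
KNOWN_SAMPLE_SHA256 = {
    "1183a556a1f673a6826204d77556c84a8e60b1960d423bfdae40e8fe49923cfc",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large share contents never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_share(root, known_hashes=frozenset(KNOWN_SAMPLE_SHA256), min_cluster=3):
    """Walk a share and report .jse files that fit the propagation pattern.

    Returns a dict with three keys:
      'known'    - .jse paths whose SHA-256 is in known_hashes
      'clusters' - {sha256: [paths]} for byte-identical .jse files seen at least
                   min_cluster times (the "all files have the same hash" symptom)
      'total'    - number of .jse files examined
    """
    by_hash = defaultdict(list)
    known = []
    for path in Path(root).rglob("*.jse"):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        by_hash[digest].append(str(path))
        if digest in known_hashes:
            known.append(str(path))
    clusters = {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_cluster}
    total = sum(len(p) for p in by_hash.values())
    return {"known": sorted(known), "clusters": clusters, "total": total}


# Constructed placeholder standing in for the malware body: plain text, not the sample.
CONSTRUCTED_BODY = b"// constructed placeholder, not malicious code\n"


def build_constructed_share():
    """Create a temporary directory tree that mimics the symptom, for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    # Three "documents" that have been replaced by identical .jse files.
    for sub, name in [("finance", "budget.jse"), ("hr", "policy.jse"), ("hr", "onboarding.jse")]:
        (root / sub).mkdir(exist_ok=True)
        (root / sub / name).write_bytes(CONSTRUCTED_BODY)
    # One legitimate, distinct script and one untouched document as noise.
    (root / "it").mkdir()
    (root / "it" / "logon-script.jse").write_bytes(b"// legitimate, distinct script\n")
    (root / "it" / "readme.docx").write_bytes(b"unchanged document")
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    report = scan_share(share)
    print(f"examined {report['total']} .jse files under {share}")
    for digest, paths in report["clusters"].items():
        print(f"{len(paths)} byte-identical .jse files, sha256 {digest[:12]}...")
        for p in paths:
            print("   ", p)
    for p in report["known"]:
        print("matches known sample hash:", p)
```

Run it against a real share by calling scan_share with the share's mount point instead of the constructed tree. A cluster of identical .jse files is the signal to act on; a match on the known hash confirms it, and the cluster paths double as the list of documents to restore from backup.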

Figure: process graph

Specific to this attack is also that parts of the code hide within the user's Startup folder, ensuring that they are executed upon logon. Organizations using Roaming Profiles might see this code propagate when users move from one computer to another.

The malware tries to communicate with an IP address that appears on many blacklists, so chances are that the communication channel is already blocked.

The spread mechanism makes this a threat worth an extra warning. If you have any concerns, or need assistance in handling this threat, reach out to us through your usual communication channel.