Fake Sophos encrypts user files under the guise of antivirus software
Insidious ransomware plays on users’ trust in a well-known brand.
At first it was assumed that this was part of a red-team exercise by Sophos experts. However, the Sophos X-Ops team quickly denied any involvement with the software and released a full report containing an analysis of the malware.
According to the researchers, SophosEncrypt operates under the ransomware-as-a-service (RaaS) model and comes with a convenient web-based control panel. The encryptor itself is written in Rust and uses the path “C:\Users\Dubinin\” on Windows to store its libraries. Inside this directory is a program called sophos_encrypt, which is why the researchers gave the malware this name.
Ransomware executable icon
When launched, the encryptor asks the attacker, who has paid for access to the program’s infrastructure, to remotely enter a token associated with the victim, probably obtained from the malware’s web shell.
Once a valid token is entered, the encryptor asks for additional information used for encryption: an email address, a Jabber address and a 32-character password that will be used in the algorithm. The software then offers the criminal a choice between encrypting selected files and encrypting the entire computer.
A token, an email, and a “.sophos” extension are added to the encrypted files, and a ransom note “information.hta” is created in each folder of the system, which is also automatically launched after successful encryption. In addition, the wallpaper on the desktop is changed to the Sophos logo, further discrediting the company.
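The indicators described above (the “.sophos” extension, a contact email embedded in the file name, and an “information.hta” note in every affected folder) can be turned into a quick triage check over a directory listing. This is an added defender-side example, not code from the article or from Sophos; the exact ordering of name components (original name, then token, then email, then “.sophos”) is an assumption, as are the placeholder token and email in the constructed sample.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".sophos"
RANSOM_NOTE = "information.hta"
# Assumed layout: <original>.<token>.<email>.sophos. The local part of the email
# is required to contain no dots so the match cannot swallow preceding components.
EMAIL_BEFORE_EXT = re.compile(r"\.([A-Za-z0-9_%+-]+@[A-Za-z0-9.-]+)\.sophos$", re.I)


def triage_listing(paths):
    """Summarise a file listing for the SophosEncrypt indicators named in the article.

    Returns the count of '.sophos' files, the directories holding a ransom note,
    the attacker contact emails recovered from file names, and directories that
    contain encrypted files but no note (an anomaly, since the note is expected
    in every affected folder).
    """
    encrypted_dirs = defaultdict(int)
    note_dirs = set()
    emails = set()
    for raw in paths:
        p = PureWindowsPath(raw)
        parent = str(p.parent).lower()
        name = p.name
        if name.lower() == RANSOM_NOTE:
            note_dirs.add(parent)
        elif name.lower().endswith(ENCRYPTED_EXT):
            encrypted_dirs[parent] += 1
            m = EMAIL_BEFORE_EXT.search(name)
            if m:
                emails.add(m.group(1).lower())
    return {
        "encrypted_files": sum(encrypted_dirs.values()),
        "note_dirs": note_dirs,
        "emails": emails,
        "encrypted_without_note": {d for d in encrypted_dirs if d not in note_dirs},
    }


# Constructed sample listing (not real IoCs): token and email are placeholders.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.TOKEN-PLACEHOLDER.attacker@example.com.sophos",
    r"C:\Users\victim\Documents\budget.xlsx.TOKEN-PLACEHOLDER.attacker@example.com.sophos",
    r"C:\Users\victim\Documents\information.hta",
    r"C:\Users\victim\Pictures\holiday.jpg.TOKEN-PLACEHOLDER.attacker@example.com.sophos",
    r"C:\Users\victim\Pictures\readme.txt",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```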
Wallpaper that is set after encryption is completed
The Sophos researchers said that, in terms of the identified capabilities, the malware is more like a generic remote access Trojan than a narrowly targeted ransomware. These capabilities include, for example, keylogging and system profiling using WMI commands.
Interestingly, the malware also checks the system’s language settings and refuses to start if Russian is configured, which raises certain questions about the program’s authorship.
In total, Sophos specialists identified several malware samples, some of which did not contain ransomware at all. However, all instances communicated with an IP address associated with the Cobalt Strike framework.
In their report, the Sophos researchers provided the indicators of compromise (IoCs) needed to block the malware, and have already added detection for it to their own anti-virus software.
This incident once again proves that attackers often resort to deception and manipulation to mislead users. Using the well-known and respected Sophos brand to spread malware is a devious move that counts on people’s gullibility. Such attacks are dangerous because people, upon seeing a familiar name or logo, can run a malicious program without hesitation.
To avoid such incidents, users should be vigilant and careful. Do not blindly trust even seemingly reliable sources. Carefully check the origin of any files and programs before launching them. Be careful and don’t fall for the tricks of scammers. Only a critical and rational approach will help secure your data and devices.