FINDINGS 💡
============
📌Brain Cipher is suspected of having used CVE-2023-28252 against its victims; the same vulnerability was previously used by the Nokoyawa ransomware group.
📌The exploit is disguised under a CLFS-themed filename to spread.
📌The most common filename is clfs_eop.exe.
📌The Nokoyawa ransomware group is currently not active.
☢️CVE-2023-28252
==================
📌Name: Microsoft Windows CLFS Driver Privilege Escalation Vulnerability
📌This exploit is available on underground networks for a price in the range of $5K to $25K.
📌This indicates that there are still unpatched systems.
IOCs
====
MD5 - CVE-2023-28252 Exploit (with filenames)
=============================================
High Confidence
===============
IP Addresses
============
PS: All the IPs listed here are related to the CVE and are not directly tied to the Brain Cipher ransomware group; however, a few of them overlap with Brain Cipher.
Follow me on Twitter for more: @RakeshKrish12
#braincipher #ransomware #brain #nokowaya #ioc #badip #malip