BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
44
Global rank
35 infographic chevron month
Month rank
42 infographic chevron week
Week rank
1202
IOCs

Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.

Ransomware
Type
Unknown
Origin
29 May, 2019
First seen
16 April, 2024
Last seen
Also known as
ChaCha

How to analyze Maze with ANY.RUN

Type
Unknown
Origin
29 May, 2019
First seen
16 April, 2024
Last seen

IOCs

IP addresses
45.140.147.172
124.156.138.199
164.132.68.221
92.38.178.246
139.180.210.21
51.68.28.242
185.234.72.115
45.153.231.67
194.156.98.89
194.85.1.47
207.246.108.247
45.153.231.103
80.92.205.135
54.238.181.74
45.67.229.168
195.123.247.73
45.144.31.55
45.67.228.156
149.56.245.196
104.168.201.47
Hashes
c32c9f254ca09bea50b5ccb840f15a7b79ecae580625b6070d4283483a7da987
5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82
7c03b49d24c948f838b737fb476d57849a1fd6b205f94214bf2a5a3b7a36f17a
9ce40c2bc1fee220bd750cbae491e70b21dc361c961020f7b35b7a360861f89f
3885589a3c94d0475a6d994e4644e682f4cff93f8b4d65f37508ffe706861363
5acbcc1df967d37bf86e429030c9c8ad43e84c8ec5d74bfe3737816c74994c18
24da3ccf131b8236d3c4a8cc29482709531232ef9c9cba38266b908439dea063
153defee225de889d2ac66605f391f4aeaa8b867b4093c686941e64d0d245a57
145b9acdc9feee6c4ad34cb4fcbe06623806238d59319460c0beae36c2ff0cea
fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
d65fa9ed1220cfa12d22239ca62a4b5978bb613090fc1dcb0cccdf191151d125
1156e9951df46c4854cf9bc5bb96101b0b923c4e10adcffc286a0a1078fcb3da
16fb1ade12f262a3f6ed071cd4872efb21fd55c714773b32af3b9b31def8ae21
9751ae55b105ad8ffe6fc5dc7aea60ad723b6df67a959aa2ea6f4fa640d20a71
6568e9ac34905c32255bab713c259d76fab2c162be84d913ab0076a05e2605c3
5d59b107448b2c61849dd0f41fc179df9d60c35355e2d8d0ac9e19b97a3b96dd
4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
2a6c602769ac15bd837f9ff390acc443d023ee62f76e1be8236dd2dd957eef3d
c6b5b5ee35566d02931212aaf49029d5ab1f6cccd61e4b1053f4ac69a4013303
Domains
mazenews.online
aoacugmutagkwctu.onion
globalsign.icu
officecloud.top
xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion
ocspverisign.pw
mazedecrypt.top
mazenews.top
newsmaze.top
jardinaix.fr
letwiki.com
work.time12.cf
corpsolution.net
cloud20.tk
extrsports.ru
tosayoj.com
ns1.sunnykkf.xyz
sicurezza.me
aloha-edc.net
www.mazedecrypt.top
URLs
http://91.218.114.11/wvcmn.php
http://91.218.114.11/account/hvnbxcq.shtml
http://92.63.194.20/forum/r.html
http://92.63.194.3/register/iysnxvu.jspx
http://92.63.194.20/transfer/cb.cgi
http://92.63.194.20/baogh.do
http://92.63.194.20/payout/account/rcntwooh.shtml
http://92.63.194.20/sepa/ntenslkg.cgi
http://92.63.194.20/tracker/archive/mocexjn.cgi
http://92.63.194.3/analytics/tbcq.phtml
http://92.63.194.20/messages/register/esbsccg.phtml
http://92.63.194.20/check/kqsxfggw.action
http://92.63.194.20/payout/analytics/wm.phtml
http://92.63.194.20/vcbh.shtml
http://92.63.194.20/create/withdrawal/ockcwk.action
http://92.63.194.20/webauth/k.php
http://92.63.194.20/register/wire/xsheal.jsp
http://92.63.194.20/xbaxvbx.php
http://92.63.194.20/ticket/analytics/kspedia.php
http://92.63.194.20/content/support/qco.phtml
Last Seen at

Recent blog posts

post image
Malware Trends Report: Q1, 2024
watchers 157
comments 0
post image
Understand Encryption in Malware: From Basics...
watchers 547
comments 0
post image
ANY.RUN for Enterprises: Learn About Our Most...
watchers 298
comments 0

What is Maze malware?

Maze, also called ChaCha, is ransomware — a malicious program that encrypts files of the victim and demands a ransom in exchange for a decryption key that restores information. A defining feature of Maze is that it publically releases sensitive files to the public unless the ransom is paid.

Maze ransomware has been operating actively since 2019 and, unfortunately, the attack volume from this malware has been on a steady rise since that time.

General description of Maze ransomware

It’s not a new strategy among ransomware operators to issue threats about making sensitive data public unless the victim gives in to the demands of the criminals. However, before the occurrence of Maze, most of these threats remained largely idle. They served as a psychological weapon, helping threat actors to strongarm victims into paying.

However, the situation changed drastically with Maze.

In November 2019, the group behind Maze managed to infiltrate Allied Universal: one of the leading private security companies in the US. The cyber gang claimed that they have gained complete control of the Allied network and threatened to make the data public unless the company paid up.

Allied Universal decided to ignore the demands. In reply, hackers behind the virus first contacted a well-known computer help site, asking them to publish a story about the attack to serve as a public warning. When the website declined, the Maze gang uploaded 700MB worth of sensitive information on an underground forum. The data included lists of active users, email certificates, encryption keys, and more.

In another Maze ransomware attack, 2GB of files belonging to the City of Pensacola were made public. The attack severely damaged the computer network of Pensacola, forcing it to temporarily shut down the network. As per the data breach, the virus's actors declared that the information was leaked as evidence, showing how deeply they managed to infiltrate the network.

This is a very important point about Maze. Researchers should note that largely after Maze’s occurrence ransomware attacks can be considered data breaches, as more and more ransomware strains gain the ability to infiltrate networks and perform data-stealing activities before encrypting the files.

Furthermore, with the case of Maze, even backups are not safe. Actually, sometimes they become a week point. Maze creators revealed that after infecting the initial endpoint, their ransomware targets cloud backups by laterally spreading through the network and stealing needed credentials. This is useful for threat actors not only because it allows deleting the backup before encryption, but also because that backup most likely contains the most valuable data.

Unfortunately, this tactic has proved effective as at least one company fell victim to it and lost its backups. Of course, an incident like this can only happen if backup credentials are stored in the compromised network, thus correct backup configuration is incredibly important.

It should also be noted that the virus uses several advanced code obfuscation techniques that make static analysis very complicated. Threat actors behind the virus evidently stay on top of the progress done by security researchers on their malware. They contact cybersecurity media and like to tease industry professionals and play cat and mouse.

Maze malware analysis

In this video recorded in the ANY.RUN interactive malware hunting service we can view how the Maze execution unfolds.

maze_ransomware_process_graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

maze_ransomware_note

Figure 2: Wallpapers with ransom message set by Maze

Maze execution process

The execution process of Maze is kind of typical for this type of malware, for example Phobos or Sodinokibi. After the executable file makes its way into an infected system and runs, the main malicious activity begins. After the start of execution, the ransomware deletes shadow copies. After it encrypts all targeted files, Maze drops a ransom note on the desktop. It also often changes the wallpaper to its own with a ransom text.

Notably, just like Sodinokibi aka REvil ransomware, this family has a similar infrastructure — websites with "tech support", information about cryptocurrency and ways to buy it, trial decryption, and chat. Crooks behind the Maze ransomware are also kind of cocky and post links to the information about their successful attacks on their website.

Maze ransomware distribution

Maze is distributed using several different ways. It has utilized the Spelevo and Fallout exploit kits and one of the vulnerabilities that Maze is targeting is the CVE-2018-15982 vulnerability in Flash Player. It is also worth noting that in the case of the Fallout kit, the users were redirected to the exploit from a fake cryptocurrency trading platform.

Another observed attack vector is via email spam campaigns containing a Microsoft Office document with a malicious macro.

How to detect Maze malware?

Maze ransomware can be detected by many different activities — sometimes it creates certain files or it can be detected by Suricata network threats. The most common is the Maze ransom note — not only does it have similarities with notes from other tasks, but it also contains self-defining strings: maze ransomware, mazedecrypt, and maze key.

Analysts can take a look at these notes by using ANY.RUN Static Discovering. Click on the "Files modification" tab, then find the file with the name such as " DECRYPT-FILES.txt". To take a look inside this file just click on it.

If you find word combinations such as "maze ransomware", "mazedecrypt" and "maze key", then be sure this sample is Maze ransomware.

how_to_detect_maze_ransomware

Figure 3: How to detect Maze ransomware by its ransom note?

Conclusion

Maze is a significant threat to organizations and private users. This virus not only encrypts information but also strong-arms the victims into paying the ransom, threatening to release sensitive information. Unfortunately, Maze launched a little bit of a trend among threat actors and more and more ransomware in the wild is starting to exhibit similar behavior.

The situation is further complicated by advanced code obfuscation techniques that the Maze features, making the static analysis process quite difficult. Thankfully, interactive malware analysis services like ANY.RUN allows to carry out dynamic analysis almost as quickly and easily as static, giving researchers a chance to collect invaluable information about this ransomware.

P.S.

maze team press release screenshot Figure 4: Screenshot of the Maze team press release

On the 1st November 2020, the "team" behind the Maze ransomware published their pretentious press release about the end of the "project" and it has shut down its operations. Unlike some other groups behind ransomware, they haven't published the encryption keys.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy