The DoppelPaymer ransomware spreads using existing Domain Admin credentials, not by exploiting the BlueKeep vulnerability, Microsoft notes.
The malware, which security researchers believe was involved in the recent attack against the state-owned Mexican petroleum company Petróleos Mexicanos (Pemex), has been active since June 2019, with some earlier samples dating to April 2019.
DoppelPaymer was first detailed in July this year and is said to be a fork of BitPaymer, presumably the work of some members of the threat group TA505 (the operators behind Dridex and Locky) who split off to run their own operation.
In a new blog post, Dan West and Mary Jensen from Microsoft's Security Response Center, both senior security program managers, explain that while DoppelPaymer poses a real threat to organizations, some of the information circulating about its propagation method is misleading.
Specifically, the company says that claims that DoppelPaymer spreads through internal networks by exploiting the BlueKeep Remote Desktop Protocol (RDP) vulnerability, or via Microsoft Teams, are not supported by the evidence.
"Our security research teams have reviewed these allegations and have found no evidence to support them. In our research, we found that the malware uses existing domain admin credentials, which remote human operators use to spread it across an enterprise's network," Microsoft's researchers explained.
The company advises that security managers follow the principle of least privilege, apply good credential hygiene and introduce network segmentation to safeguard their environments.
Such best practices, Microsoft says, will help prevent DoppelPaymer, as well as other malware, from breaching networks, disabling security tools, and using privileged credentials to steal data.
Microsoft, whose Windows Defender already detects DoppelPaymer and other malware, says it will continue to improve protection as new threats are identified.
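Because the propagation described above relies on a human operator reusing Domain Admin credentials across many hosts, one defensive check is to watch for a single privileged account logging on to an unusual number of machines in a short window. The example below is added here and is not code from the article or from Microsoft; the log lines are constructed, modelled loosely on Windows Security event 4624 (successful logon), and the account names and the `DOMAIN_ADMINS` set are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields are modelled on Windows
# Security event 4624: timestamp, event id, account, LogonType (3 = network,
# 10 = RemoteInteractive/RDP, 2 = local interactive), target host, source IP.
SAMPLE_EVENTS = [
    "2019-11-12T02:01:10 4624 CORP\\da-backup LogonType=3 Host=FILESRV01 Src=10.0.5.23",
    "2019-11-12T02:02:41 4624 CORP\\da-backup LogonType=3 Host=FILESRV02 Src=10.0.5.23",
    "2019-11-12T02:03:05 4624 CORP\\jdoe LogonType=3 Host=FILESRV02 Src=10.0.7.41",
    "2019-11-12T02:04:19 4624 CORP\\da-backup LogonType=3 Host=SQL01 Src=10.0.5.23",
    "2019-11-12T02:05:50 4624 CORP\\da-backup LogonType=10 Host=DC01 Src=10.0.5.23",
    "2019-11-12T02:07:02 4624 CORP\\da-jsmith LogonType=10 Host=JUMP01 Src=10.0.9.8",
    "2019-11-12T02:08:33 4624 CORP\\da-backup LogonType=3 Host=WS-FIN-07 Src=10.0.5.23",
    "2019-11-12T02:09:00 4624 CORP\\da-backup LogonType=2 Host=ADMINWS Src=127.0.0.1",
]

# Assumed membership of the Domain Admins group; in practice pull this from AD.
DOMAIN_ADMINS = {"CORP\\da-backup", "CORP\\da-jsmith"}


def parse_event(line):
    """Split one constructed log line into a dict of its fields."""
    ts, event_id, account, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"time": datetime.fromisoformat(ts), "id": int(event_id),
            "account": account, **fields}


def find_admin_spread(lines, max_hosts=3, window=timedelta(minutes=30)):
    """Return {account: sorted hosts} for Domain Admin accounts that log on
    remotely (network or RDP) to more than max_hosts distinct hosts within
    any sliding window of the given length."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if (ev["id"] == 4624 and ev["account"] in DOMAIN_ADMINS
                and ev["LogonType"] in ("3", "10")):
            by_account[ev["account"]].append((ev["time"], ev["Host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in find_admin_spread(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are tuning knobs; a backup or patching account that legitimately touches many hosts should be allow-listed or given its own baseline rather than raising the global threshold.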
"Globally speaking, ransomware is still one of the most common post-compromise revenue sources for cybercriminals," Microsoft warns.
Attackers typically use social engineering to break into companies, according to the company. This approach tricks an employee into visiting a malicious site or opening downloaded or forwarded files that drop malware on their computer.