Albabat Ransomware Group Potentially Expands Targets to Multiple Operating Systems, Uses GitHub to Streamline Operations
Decoding it gives a clearer picture of the ransomware's configuration.
This version of Albabat ignores the following directories: Searches, AppData, $RECYCLE.BIN, System Volume Information, windows.old, steamapps, perflogs, ansel, tmp, node_modules, cache, vendor, target, Mozilla, venv, env, Chrome, google-chrome, pypoetry, vimfiles, viminfo, site-packages, scoop, go, and temp.
This version also encrypts files with the following extensions: ~$, .src, .ico, .cur, .theme, .themepack, .bat, .com, .cmd, .cpl, .prf, .icls, .idx, .mod, .pyd, .vhdx, ._pth, .hta, .mp3, .CHK, .pickle, .pif, .url, .ogg, .tmp, .dat, .exe, .lnk, .win, .vscdb, .bin, .cab, .inf, .lib, .tcl, .cat, .so, .msi, .vpk, .vc, .cur, .ini, .bik, .sfx, .xnb, .ttf, .otf, .woff, .woff2, .vfont, .resource, .N2PK, .log, .pkg, .desktop, .dll, .pkr, .arc, .sig, .bk2, .arz, .swf, .qt, .wma, .mp2, .vdf, .pdb, .nfo, .whl, .mui, .srm, .smc, .dic, .lock, .pyc, .TAG, .locale, .store, .sdi, .library-ms, .acf, .po, and .mo.
It also ignores the following files: ntuser.dat, ntuser.ini, iconcache.db, Thumbs.db, and .DS_Store.
Before encrypting, it kills the following processes: taskmgr.exe, processhacker.exe, regedit.exe, code.exe, excel.exe, powerpnt.exe, winword.exe, msaccess.exe, mspub.exe, msedge.exe, virtualboxvm.exe, virtualbox.exe, chrome.exe, cs2.exe, steam.exe, postgres.exe, mysqlworkbench.exe, outlook.exe, mysqld.exe, windowsterminal.exe, powershell.exe, cmd.exe, sublime_text.exe, microsoft.photos.exe, and photosapp.exe.
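As an added example (not code from the report or from the malware), the following Python detection logic uses the process kill list above to flag a single process that terminates many of those targets within a short window, the pattern a defender would expect from this behaviour. The sample events, the actor name "update.exe", and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Processes the report says this Albabat version kills before encrypting.
ALBABAT_KILL_LIST = {
    "taskmgr.exe", "processhacker.exe", "regedit.exe", "code.exe", "excel.exe",
    "powerpnt.exe", "winword.exe", "msaccess.exe", "mspub.exe", "msedge.exe",
    "virtualboxvm.exe", "virtualbox.exe", "chrome.exe", "cs2.exe", "steam.exe",
    "postgres.exe", "mysqlworkbench.exe", "outlook.exe", "mysqld.exe",
    "windowsterminal.exe", "powershell.exe", "cmd.exe", "sublime_text.exe",
    "microsoft.photos.exe", "photosapp.exe",
}

def find_mass_kill(events, threshold=5, window=timedelta(seconds=30)):
    """Return {actor: count} for actors that terminated at least `threshold`
    distinct kill-list processes inside any `window`-long span. Each event is
    (timestamp, actor_image, terminated_image); names match case-insensitively."""
    by_actor = defaultdict(list)
    for ts, actor, image in events:
        if image.lower() in ALBABAT_KILL_LIST:
            by_actor[actor].append((ts, image.lower()))
    hits = {}
    for actor, seq in by_actor.items():
        seq.sort()  # sliding window over chronologically ordered kills
        for i, (t0, _) in enumerate(seq):
            names = {img for ts, img in seq[i:] if ts - t0 <= window}
            if len(names) >= threshold:
                hits[actor] = len(names)
                break
    return hits

# Constructed sample events (hypothetical, not from the report): "update.exe"
# kills six listed targets within 4 seconds; an interactive user closing two
# applications an hour apart must not fire.
T0 = datetime(2025, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "update.exe", "Taskmgr.exe"),
    (T0 + timedelta(seconds=1), "update.exe", "ProcessHacker.exe"),
    (T0 + timedelta(seconds=1), "update.exe", "regedit.exe"),
    (T0 + timedelta(seconds=2), "update.exe", "EXCEL.EXE"),
    (T0 + timedelta(seconds=3), "update.exe", "OUTLOOK.EXE"),
    (T0 + timedelta(seconds=4), "update.exe", "cmd.exe"),
    (T0 + timedelta(seconds=4), "update.exe", "notepad.exe"),  # not on the list
    (T0, "explorer.exe", "chrome.exe"),
    (T0 + timedelta(hours=1), "explorer.exe", "WINWORD.EXE"),
]

if __name__ == "__main__":
    print(find_mass_kill(SAMPLE_EVENTS))  # {'update.exe': 6}
```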
The configuration also reveals where the ransomware stores the information it collects from the victim's system. It connects to a PostgreSQL database at the following address:
postgres://postgres.<username>:<password>@aws-0-us-west-1.pooler.supabase[.]com:5432/postgres
