Win32.Ransom.BlueSky MVID-2022-0632 Code Execution
Posted by deepcore on August 16, 2022 – 10:16 pm
The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is “C:WindowsSystem32” and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.
Post a reply
You must be logged in to post a comment.