Home / os / win7

Win32.Ransom.BlueSky MVID-2022-0632 Code Execution

Posted on 15 August 2022

The BlueSky Win32.Ransom.BlueSky ransomware looks for and executes arbitrary DLLs in its current working directory. Therefore, we can hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:WindowsSystem32" and if not we grab our own process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

 

TOP