naxwell.blogg.se

Megasync access denied

MEGA is a legitimate cloud backup service that has become a favorite for RaaS threat groups. Their MEGAsync software works how you would expect it to: you point it at folders and shared drives and it uploads those files to the cloud.

It installs like any other Windows application. Look for it installed in places like C:\Users\\AppData\Local\MEGAsync\MEGAsync.exe and C:\ProgramData\MEGAsync\MEGAsync.exe. MEGAsync's logs are stored in a "logs" folder in the same location as the MEGAsync.exe binary. With the exception of the most recent active log file, the older logs are compressed using gzip. You can decompress the logs using gunzip (gunzip -S .log *) or search them as-is using zcat -f and zgrep.

MEGA Log Analysis - Identifying Stolen Files

MEGA keeps track of the files successfully uploaded and logs the entries as "Upload complete:". We can search for these files using zgrep (zgrep 'Upload complete' *). To count the number of uploaded files, pipe the zgrep results to wc and note the first number (zgrep 'Upload complete' * | wc). However, this only gives us the filenames, not the full folder paths and drives that those files came from. We can identify the full file locations by reading the "Async open finished" events. We believe these events are recorded as the files are queued but are not yet uploaded. These entries are important because they show the specific systems, folders, and files that the attacker targeted.

MEGA Log Analysis - Identifying Failed File Uploads

Just because a file was queued does not mean the upload was successful. In our case, many files failed to upload after we severed the system's network connection. We can identify these failed uploads by searching the logs for "(UPLOAD) finished with error".

MEGA Log Analysis - Identifying the Attacker's Account

An interesting entry appears if you search for "email" or "emails." Though we could not confirm it, the entry appears to reveal the email account that the attacker used to authenticate with MEGA.

Examining the MEGA logs is useful for investigating data theft and extortion incidents. If your organization does not have a legitimate business case for MEGA software, consider blocking it. Configure EDR tools to detect or prevent its use.
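The log searches described on this page, combined into one triage script that compares queued, completed and failed uploads; this is an added example, not code from the original article. The function names are hypothetical and the sample log lines are constructed: their layout is an assumption, and only the search strings come from the text.

```sh
# Added example: triage a copied MEGAsync "logs" folder with the article's search strings.

# Stream every log in the folder, prefixing each line with its file name.
# Rotated logs are gzip data and the active log is plain text, so fall back
# to cat when gzip rejects a file (the same result zcat -f gives).
read_logs() {  # usage: read_logs <log_dir>
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        { gzip -cd -- "$_f" 2>/dev/null || cat -- "$_f"; } |
            awk -v name="${_f##*/}" '{ print name ": " $0 }'
    done
}

# Count log lines containing a fixed string (-F: no regex, so "(UPLOAD)" is literal).
count_matches() {  # usage: count_matches <log_dir> <fixed_string>
    read_logs "$1" | grep -cF -- "$2" || true
}

# Summarise queued vs. completed vs. failed transfers, then list the failures.
mega_triage() {  # usage: mega_triage <log_dir>
    echo "queued (Async open finished): $(count_matches "$1" 'Async open finished')"
    echo "uploaded (Upload complete):   $(count_matches "$1" 'Upload complete')"
    echo "failed (finished with error): $(count_matches "$1" '(UPLOAD) finished with error')"
    echo "lines mentioning email:       $(count_matches "$1" 'email')"
    read_logs "$1" | grep -F -- '(UPLOAD) finished with error' || true
}

# Build constructed sample logs: one rotated (gzip) file and one active (plain)
# file. The line layout is invented; only the search strings are from the article.
make_sample_logs() {  # usage: make_sample_logs <dir>
    mkdir -p "$1"
    printf '%s\n' \
        'Async open finished: D:\Finance\budget.xlsx' \
        'Async open finished: D:\Finance\payroll.csv' \
        'Upload complete: budget.xlsx' \
        'Upload complete: payroll.csv' | gzip -c > "$1/MEGAsync.1.log"
    printf '%s\n' \
        'Async open finished: E:\HR\contracts.zip' \
        'Transfer (UPLOAD) finished with error: contracts.zip' \
        'Using emails: user@example.invalid' > "$1/MEGAsync.log"
}

# Demo run over the constructed sample.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
mega_triage "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a working copy of the logs folder rather than the original evidence, and treat a queued count higher than the uploaded count as the set of files to check against the failure lines.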






