Beware of malspam campaigns spreading ransomware viruses

by Julie Splinters

Cybersecurity researchers spotted active spam campaigns pushing infamous ransomware viruses

Spam campaigns pushing ransomware viruses

According to cybersecurity experts, there is an active malspam campaign distributing three dangerous malware families: Gandcrab 4.3, Hermes 2.1 and the AZORult Trojan. Two of the malicious programs are file-encrypting viruses, while the third is designed to steal sensitive information from the attacked device.

Previously, in February 2018, the Hermes 2.1 ransomware virus was distributed via an infected South Korean website. Now attackers are also targeting English-speaking users via spam campaigns. Gandcrab v4.3, by contrast, targets South Koreans directly, as its malicious emails are written in Hangul[1], the Korean alphabet.

Hermes 2.1 and AZORult Trojan: emails inform about an outstanding payment

Researchers warn about malicious emails with subject lines such as “Invoice Due” that notify the recipient of an outstanding payment of 12,340 USD. Unsuspecting users are asked to make the payment by August 20 and to check the so-called invoice, which is attached as a Microsoft Word document.

Here is the transcript of the spam email distributing Hermes 2.1 virus and AZORult information-stealing Trojan[2]:

This is to inform you that there is still an outstanding payment of USD 12,340. We would appreciate it if this could be settled no later than the 20th.

I have attached the current invoice and the password for the document is: 1234

Thank you. 
Federico Crowley

Experts note that the attachment is password-protected so that security tools cannot scan the malicious macros inside the file. Once the user opens it and enables macros to access the content, the computer is infected: two executable files, azo.exe and hrms.exe, are downloaded, and these install Hermes 2.1 and AZORult.

Gandcrab 4.3: spam emails impersonate Fair Trade Commission

Gandcrab 4.3 is currently the 6th version of the infamous Gandcrab ransomware and now targets South Koreans via malspam campaigns[3]. The deceptive emails are written in Hangul and claim to come from the Fair Trade Commission. The message purports to be a notice of an investigation into an e-commerce transaction violation.

According to the researchers, the spam email carries a compressed .egg archive, a format widely used in South Korea[4]. The archive contains two .lnk shortcut files (detected as LNK_GANDCRAB.E) and one executable named VenusLocker_korean.exe, which disappears after the archive is decompressed.

If the user is tricked into decompressing the malicious .egg file, whose Korean name translates to “Notification of e-commerce violation”, the computer is infected with the dangerous Gandcrab v4.3 ransomware, which starts encrypting data[5]. Cybercriminals are clearly spreading file-encrypting viruses very actively, so users are advised to stay vigilant.
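Both lures above share a shape that a mail gateway or SOC triage script can flag before a user ever opens the attachment: an Office document whose password is handed over in the message body (the Hermes 2.1/AZORult invoice), and an unusual archive format whose unpacked listing mixes .lnk shortcuts with an executable (the Gandcrab 4.3 .egg). The Python script below is an added defender's example, not code from 2-spyware or the cited researchers. The indicator lists, the sample messages (modelled on the quoted transcript, with an English rendering of the Korean lure), the dummy attachment bytes and the archive member listing are all constructed; the .egg format itself is not parsed, so the listing check takes the member names reported by whatever unpacker is in use.

```python
"""Mail-gateway triage for the two lures described in this article (added example;
indicator lists, sample messages and the archive listing are constructed)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed indicator lists; adjust to the environment being protected.
OFFICE_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm"}
ARCHIVE_EXTENSIONS = {".egg", ".alz", ".zip", ".rar", ".7z"}  # .egg/.alz: common in Korea
SHORTCUT_EXTENSIONS = {".lnk"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Matches "the password for the document is: 1234" and captures "1234".
PASSWORD_PATTERN = re.compile(r"\bpassword\b[^\n]{0,60}?(?:\bis\b|:)\s*:?\s*(\S+)", re.I)
# Payment pressure or an impersonated authority in the headers or body.
LURE_PATTERN = re.compile(
    r"outstanding payment|invoice due|fair trade commission|e-commerce violation", re.I)

def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def triage(raw_message: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for one RFC 5322 message; [] means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject, sender = str(msg.get("Subject", "")), str(msg.get("From", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    findings = []
    lure = LURE_PATTERN.search("\n".join((subject, sender, body)))
    if lure:
        findings.append(("payment_or_authority_lure", lure.group(0)))
    password = PASSWORD_PATTERN.search(body)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension(name)
        if ext in OFFICE_EXTENSIONS and password:
            # A password handed over in the body defeats gateway scanning of the document.
            findings.append(("office_doc_password_in_body",
                             f"{name}: password {password.group(1)!r} supplied in body"))
        elif ext in OFFICE_EXTENSIONS:
            findings.append(("office_doc_attachment", name))
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(("archive_attachment", f"{name} ({ext})"))
    return findings

def archive_listing_findings(members: list[str]) -> list[tuple[str, str]]:
    """Check member names reported by the unpacker; the .egg format itself is not parsed here."""
    has_shortcut = any(extension(m) in SHORTCUT_EXTENSIONS for m in members)
    findings = []
    for member in members:
        ext = extension(member)
        if ext in SHORTCUT_EXTENSIONS:
            findings.append(("shortcut_in_archive", member))
        elif ext in EXECUTABLE_EXTENSIONS:
            # An executable shipped beside .lnk launchers is the Gandcrab 4.3 pattern above.
            tag = "executable_in_archive_with_shortcut" if has_shortcut else "executable_in_archive"
            findings.append((tag, member))
    return findings

def _message(sender: str, subject: str, body: str, attachment=None) -> str:
    """Build a constructed RFC 5322 message; attachment is (bytes, maintype, subtype, filename)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.invalid", subject
    msg.set_content(body)
    if attachment:
        data, maintype, subtype, filename = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_string()

def sample_invoice_lure() -> str:
    """Modelled on the transcript quoted above; the attachment bytes are a dummy, not a document."""
    return _message(
        "Federico Crowley <accounts@example.invalid>", "Invoice Due",
        "This is to inform you that there is still an outstanding payment of USD 12,340. "
        "We would appreciate it if this could be settled no later than the 20th.\n\n"
        "I have attached the current invoice and the password for the document is: 1234\n\n"
        "Thank you.\nFederico Crowley\n",
        (b"\xd0\xcf\x11\xe0 dummy OLE bytes", "application", "msword", "Invoice.doc"))

def sample_egg_lure() -> str:
    """The real lure is written in Hangul; this English subject and file name are constructed."""
    return _message(
        "Fair Trade Commission <notice@example.invalid>", "Notification of e-commerce violation",
        "Please review the attached notice of investigation.\n",
        (b"EGGA dummy archive bytes", "application", "octet-stream",
         "Notification of e-commerce violation.egg"))

def sample_benign() -> str:
    return _message("Alice <alice@example.invalid>", "Lunch on Friday?", "Same place as last time?\n")

# Constructed listing of the .egg archive; the .exe name is the one reported by the researchers.
SAMPLE_EGG_LISTING = ["notice_1.lnk", "notice_2.lnk", "VenusLocker_korean.exe"]

if __name__ == "__main__":
    for raw in (sample_invoice_lure(), sample_egg_lure(), sample_benign()):
        print(triage(raw))
    print(archive_listing_findings(SAMPLE_EGG_LISTING))
```

Run stand-alone, the script prints the findings for the invoice lure, the .egg lure and a benign message, then the listing verdict. The design point is that none of the checks needs to open the attachment: the password phrase in the body, the attachment extension and the mix of member types in the archive are all visible to the gateway even when the document or archive itself cannot be scanned, which is exactly why the attackers protect it.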

About the author

Julie Splinters - Malware removal specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
