Hackers Launching Gandcrab Ransomware via Super Mario Image Using Weaponized Excel Document

by chebbi abir

Cyber criminals now spreading a Gandcrab ransomware variant using SteganographySuper Mario image via malicious Excel documents.

Very recently a security researcher Matthew Rowen from Bromium encountered a spreadsheet that containing a trojan sample during the static analysis.

The spreadsheet has an embedded macro and the code part reveals that the macro should exit immediately if the infected machine origin will not based in Italy using country code 39.

Also, attackers using some of the social engineering techniques to trick users to enable the macro that leads to eventually infect the victim’s machine.

It intimates in sheet as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit” and “enable content”’.

When he analyze the sample inside of the sandbox container, it reveals the obfuscation PowerShell scripts and cmd.exe.

In this case, “Malware authors are working hard for marketing using affiliation marketing and in order to attract the most interest and best prices malware authors need to make a name for themselves”

Super Mario Image using Steganography

The interesting part is that the PowerShell script is trying to download the Super Mario images and it extracting some of the data from pixels.

In this case, the researcher really impressed when its new to us that the weaponized images spreading via malspam.

According to the Bromium, “A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.  “

Also, a heavily obfuscated PowerShell scripts are hiding behind the Super Mario image and it finds from the blue and green channel from pixels in a small region of the image.

Finally, it connects to the remote server and downloads the Gandcrab ransomware to infect the user to encrypt the files and demand the ransom in order to provide the file access back.

Currently, we could see the malware authors are heavy using the Steganography to avoid security detection and it keeps increasing every day.


To read the original article:




Interdit de copier  ce contenu