Thursday, June 13, 2024

Beware: New “Defray” Ransomware Attack Spreading Via Microsoft Word Document

A New Emerging  Ransomware Attack called “Defray” Distributing through Microsoft Word Document and send it through Phishing Email Campaign.

According to this  Defray Ransomware functionality and communication, potentially targeting Healthcare and Education industries.

Defray Ransomware mainly Targeting geographic location is  UK and US where it can target Manufacturing and Technology industries as well.

Defray Name selected and Named by proofpoint based on the Ransomware variant C&C Server communication “defrayable-listings[.]000webhostapp[.]com” hostname .

 The verb “defray” means to provide money to pay a portion of a cost or expense, although what victims are defraying in this case is unclear. 

Also Read:  Now Any One Can Create Ransomware With No Coding Skills

Defray Ransomware Attack spreading Functionality

Initially, Victim Receiving An Email that contains an attached Malicious Word Document with Embedded Executable specifically an OLE package shell object.

Malicious Word Document looks like a Patents  Medical report that belongs to UK hospital logo which came from the  Director of Information Management & Technology at the hospital.

Ransomware Attack

Malicious Embedded Word Document

Later, It forced to Victim to Double click on the Executable to initiate the Process.

Once Victims Double Click the Embedded Executable, as usual, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the %TMP% folder and executed.

It will Alert the to Victims that your files are encrypted After its successful execution of the ransomware.

Ransomware Attack

Defray Ransomware notes 

This ransomware creates FILES.TXT (Figure 3) in many folders throughout the system. HELP.txt, with identical content to FILES.txt, also appeared on the Desktop folder where we executed the ransomware.

According to Ransomware notes, Attacker Demand $5000 to recover the files as a Bitcoin Digital Currency.

The attacker also provides an Email ID for Any further questions, Doubts, negotiation for the Recovery Process.

Defray can able to encrypt following file Extensions.

.001 | .3ds | .7zip | .MDF | .NRG | .PBF | .SQLITE | .SQLITE2 | .SQLITE3 | .SQLITEDB | .SVG | .UIF | .WMF | .abr | .accdb | .afi | .arw | .asm | .bkf | .c4d | .cab | .cbm | .cbu | .class | .cls | .cpp | .cr2 | .crw | .csh | .csv | .dat | .dbx | .dcr | .dgn | .djvu | .dng | .doc | .docm | .docx | .dwfx | .dwg | .dxf | .fla | .fpx | .gdb | .gho | .ghs | .hdd | .html | .iso | .iv2i | .java | .key | .lcf | .matlab | .max | .mdb | .mdi | .mrbak | .mrimg | .mrw | .nef | .odg | .ofx | .orf | .ova | .ovf | .pbd | .pcd | .pdf | .php | .pps | .ppsx | .ppt | .pptx | .pqi | .prn | .psb | .psd | .pst | .ptx | .pvm | .pzl | .qfx | .qif | .r00 | .raf | .rar | .raw | .reg | .rw2 | .s3db | .skp | .spf | .spi | .sql | .sqlite-journal | .stl | .sup | .swift | .tib | .txf | .u3d | .v2i | .vcd | .vcf | .vdi | .vhd | .vmdk | .vmem | .vmwarevm | .vmx | .vsdx | .wallet | .win | .xls | .xlsm | .xlsx | .zip

“Defray has been observed communicating with an external C&C server via both HTTP  and HTTPS, to which it will report infection information.”

Finally, Defray Encrypt the files and disabling startup recovery and deleting volume shadow copies.

On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers.Proofpoint said.

Image Credits :Proofpoint


Latest articles

CISA Warns of Scammers Impersonating as CISA Employees

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a surge...

Microsoft Windows Ntqueryinformationtoken Flaw Let Attackers Escalate Privileges

Microsoft has disclosed a critical vulnerability identified as CVE-2024-30088.With a CVSS score of 8.8, this flaw affects Microsoft...

256,000+ Publicly Exposed Windows Servers Vulnerable to MSMQ RCE Flaw

Cybersecurity watchdog Shadowserver has identified 256,000+ publicly exposed servers vulnerable to a critical Remote...

Indian National Jailed For Hacked Servers Of Company That Fired Him

An Indian national was sentenced to two years and eight months in jail for...

JetBrains Warns of GitHub Plugin that Exposes Access Tokens

A critical vulnerability (CVE-2024-37051) in the JetBrains GitHub plugin for IntelliJ-based IDEs (2023.1 and...

Critical Flaw In Apple Ecosystems Let Attackers Gain Unauthorized Access

Hackers go for Apple due to its massive user base along with rich customers,...

Hackers Exploiting Linux SSH Services to Deploy Malware

SSH and RDP provide remote access to server machines (Linux and Windows respectively) for...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles