Thursday, March 28, 2024

Hackers Launching Gandcrab Ransomware via Super Mario Image Using Weaponized Excel Document

Cyber criminals now spreading a Gandcrab ransomware variant using Steganography Super Mario image via malicious Excel documents.

Very recently a security researcher Matthew Rowen from Bromium encountered a spreadsheet that containing a trojan sample during the static analysis.

The spreadsheet has an embedded macro and the code part reveals that the macro should exit immediately if the infected machine origin will not based in Italy using country code 39.

Also, attackers using some of the social engineering techniques to trick users to enable the macro that leads to eventually infect the victim’s machine.

It intimates in sheet as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit” and “enable content”’. 

When he analyze the sample inside of the sandbox container, it reveals the obfuscation PowerShell scripts and cmd.exe.

In this case, “Malware authors are working hard for marketing using affiliation marketing and in order to attract the most interest and best prices malware authors need to make a name for themselves”

Super Mario Image using Steganography

The interesting part is that the PowerShell script is trying to download the Super Mario images and it extracting some of the data from pixels.

In this case, the researcher really impressed when its new to us that the weaponized images spreading via malspam.

According to the Bromium, “A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.  “

Also, a heavily obfuscated PowerShell scripts are hiding behind the Super Mario image and it finds from the blue and green channel from pixels in a small region of the image.

Finally, it connects to the remote server and downloads the Gandcrab ransomware to infect the user to encrypt the files and demand the ransom in order to provide the file access back.

Currently, we could see the malware authors are heavy using the Steganography to avoid security detection and it keeps increasing every day.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Beware of Malicious Word Documents that Downloads the Ursnif Malware and GandCrab Ransomware

GandCrab Ransomware Attack Users & Demand $500 in Bitcoin via sextortion Blackmail Email

New Version of GandCrab Ransomware Appends 5 Character Extension To Encrypted Files

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles