Thursday, March 28, 2024

Hackers Launching Gandcrab Ransomware via Super Mario Image Using Weaponized Excel Document

Cyber criminals now spreading a Gandcrab ransomware variant using Steganography Super Mario image via malicious Excel documents.

Very recently a security researcher Matthew Rowen from Bromium encountered a spreadsheet that containing a trojan sample during the static analysis.

The spreadsheet has an embedded macro and the code part reveals that the macro should exit immediately if the infected machine origin will not based in Italy using country code 39.

Also, attackers using some of the social engineering techniques to trick users to enable the macro that leads to eventually infect the victim’s machine.

It intimates in sheet as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit” and “enable content”’. 

When he analyze the sample inside of the sandbox container, it reveals the obfuscation PowerShell scripts and cmd.exe.

In this case, “Malware authors are working hard for marketing using affiliation marketing and in order to attract the most interest and best prices malware authors need to make a name for themselves”

Super Mario Image using Steganography

The interesting part is that the PowerShell script is trying to download the Super Mario images and it extracting some of the data from pixels.

In this case, the researcher really impressed when its new to us that the weaponized images spreading via malspam.

According to the Bromium, “A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.  “

Also, a heavily obfuscated PowerShell scripts are hiding behind the Super Mario image and it finds from the blue and green channel from pixels in a small region of the image.

Finally, it connects to the remote server and downloads the Gandcrab ransomware to infect the user to encrypt the files and demand the ransom in order to provide the file access back.

Currently, we could see the malware authors are heavy using the Steganography to avoid security detection and it keeps increasing every day.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Beware of Malicious Word Documents that Downloads the Ursnif Malware and GandCrab Ransomware

GandCrab Ransomware Attack Users & Demand $500 in Bitcoin via sextortion Blackmail Email

New Version of GandCrab Ransomware Appends 5 Character Extension To Encrypted Files

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles