Cyber criminals now spreading a Gandcrab ransomware variant using Steganography Super Mario image via malicious Excel documents.
Very recently a security researcher Matthew Rowen from Bromium encountered a spreadsheet that containing a trojan sample during the static analysis.
The spreadsheet has an embedded macro and the code part reveals that the macro should exit immediately if the infected machine origin will not based in Italy using country code 39.
Also, attackers using some of the social engineering techniques to trick users to enable the macro that leads to eventually infect the victim’s machine.
It intimates in sheet as ‘It’s not possible to view the preview online. To view the content, you need to click on “enable edit” and “enable content”’.
When he analyze the sample inside of the sandbox container, it reveals the obfuscation PowerShell scripts and cmd.exe.
In this case, “Malware authors are working hard for marketing using affiliation marketing and in order to attract the most interest and best prices malware authors need to make a name for themselves”
The interesting part is that the PowerShell script is trying to download the Super Mario images and it extracting some of the data from pixels.
In this case, the researcher really impressed when its new to us that the weaponized images spreading via malspam.
According to the Bromium, “A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within. “
Also, a heavily obfuscated PowerShell scripts are hiding behind the Super Mario image and it finds from the blue and green channel from pixels in a small region of the image.
Finally, it connects to the remote server and downloads the Gandcrab ransomware to infect the user to encrypt the files and demand the ransom in order to provide the file access back.
Currently, we could see the malware authors are heavy using the Steganography to avoid security detection and it keeps increasing every day.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Also Read:
Beware of Malicious Word Documents that Downloads the Ursnif Malware and GandCrab Ransomware
GandCrab Ransomware Attack Users & Demand $500 in Bitcoin via sextortion Blackmail Email
New Version of GandCrab Ransomware Appends 5 Character Extension To Encrypted Files
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…