Saturday, October 12, 2024
HomeComputer SecurityHERMES Ransomware Spreading Through Password Protected Word Documents and XPS

HERMES Ransomware Spreading Through Password Protected Word Documents and XPS

Published on

Malware protection

A new Email campaign spotted by Trustwave spreading HERMES Ransomware through password protected word document to encrypt the system files and lock the victim’s computer. Hermes Ransomware distributed in wild nowadays with newly updated features and targets various countries.

The attachment named “Invoice.doc” contains the password protected macro if the user has security setting is Low then the macro will be launched automatically.

HERMES Ransomware 2.1

Once the macro is triggered it downloads a file from the Command and control server[hxxp://209[.]141[.]59[.]124/azo.exe] and the downloaded file save to temp folder and executed. The [azo.exe] downloads the final payload which is the HERMES 2.1 Ransomware.

- Advertisement - SIEM as a Service
HERMES Ransomware 2.1

Hermes doesn’t append its own file extension as like any other ransomware it used symmetric algorithm AES to encrypt files and RSA to protect AES key. Once the infection completed it launches DECRYPT_INFORMATION.html which shows the ransom note.

Ransom note indicates that the victim’s files are encrypted using an RSA2048 algorithm and asks victim’s to pay through Bitcoin or other cryptocurrencies. Also, attackers added “you can decrypt one file for free” to make victims believe they can decrypt the files.

Trustwave also spotted the same email sample contains attachment as XPS file “invoice.xps” and it has FixedPage.NavigateUri property which directs users to “hxxp://rainbowrealty[.]com/ads/herewego.html” when it was clicked. The page appears to be removed now and it doesn’t exist.

Unfortunately, the decrypter tool is available only for variants of Hermes 1.0 and it is not available for Hermes 2.x variants. The best options are to restore data from the backups.

Also Read

Cyber Criminals Launch Hermes Ransomware Via Password Protected Word Documents

Hermes Ransomware Distributed Through Malicious Office Documents Embedded Flash Exploit

Ryuk Ransomware Attack on various Enterprise Network Around the World & Earned $640,000

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...