Saturday, October 12, 2024
HomeRansomwareCyber Criminals Launch Hermes Ransomware Via Password Protected Word Documents

Cyber Criminals Launch Hermes Ransomware Via Password Protected Word Documents

Published on

Malware protection

Cyber Criminals distributing Hermes Ransomware via dangerous malspam that contains Weaponized Password protected Word documents to encrypt the system files and lock the victim’s computer.

Hermes Ransomware Attack is wide spreading Ransomware nowadays with newly updated futures under constant development to target various countries.

Few Months Before attackers distributed Hermes ransomware through the flash exploit and attacks targetted on South Korean users.

- Advertisement - SIEM as a Service

Malware authors added many futures in newly evolved versions Ransomware such as change the method to get the Trojan key, algorithm, crypto-libraries and distribution method.

Also, they are using various obfuscation techniques to evade the detection of anti-virus software and maintain its persistance.

Currently discovered malicious word document protected with a password that shows a 1 / 59 detection rate in VirusTotal.

How does Hermes Ransomware Infection Works

Intially Hermes Ransomware distributed via malspam that claimes the job applications with malicious attached word documents.

Once user trying to open the documents, it keeps requesting the password to open the file and the password has mentioned within the mail body content with sending addresses ending in anjanabro.com.

After opening the document, a user asked to enable the macros with a security warning to proceed the malicious document to do further malicious activities.

According to SANS, After successfully opening the attached Word document and enabling macros, I only saw one HTTP request that returned a malware binary. This was Hermes ransomware, and it didn’t generate any post-infection traffic.

After completing the infection process, vicitms disk files will be completely encrypted and the ransom notes will be displayed on a desktop.

Ransom note indicates that the victim’s files are encrypted using  RSA2048 algorithm with a unique public key and the user asked to pay the ransom amount in bitcoin.

Also, infected users can test 1 file as a token decryption key and attacker provide a contact email decryptsupport@protonmail.com for further instructions.

Indicators for this infection

SHA256 hash: 4e5f6a6e8c073828af55c830fad5ce7496313083f42f5bc655c90a9a1314cbb2
File description: Password-protected Word doc with macro to retrieve malware

SHA256 hash: 8dcde14308b6a7edff44fa2ac0aa2e672104db6d35f37ac93452944323468e5e
File description: Follow-up malware – Hermes ransomware

Also Read

New Version of GandCrab Ransomware Attack via Compromised Websites using SMB Exploit Spreader

Hackers Distributing Malicious PDF that Perform both Ransomware and Crypto-Mining Attack

New Version of SamSam Ransomware Attack Targeted Victims with Sophisticated Evasion Techniques

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...