Saturday, January 25, 2025
HomeComputer SecurityHackers Launching Ransomware and CryptoMiner via Love_You MalSpam Campaign

Hackers Launching Ransomware and CryptoMiner via Love_You MalSpam Campaign

Published on

SIEM as a Service

Follow Us on Google News

The worst alliance of Ransomware and the CryptoMiner family in a spread spree, early January 2019. Malware Spam or MalSpam is the term used to designate malware that is delivered via email messages.

Malicious spam (MalSpam) using zipped JavaScript (.js) files as email attachments–this is a well-established tactic used by cybercriminals to distribute malware. The infection traffic included GandCrab ransomware, a Monero (XMRig) cryptocurrency miner, and Phorpiex spambot traffic.

The email will be delivered with the initial JavaScript and it extracts an “exe” file. This file will download the dropper and the dropper gets the rest of the payloads from Command and Control.

In the last 2 days, there were many samples found and many are uploading new samples in public sandboxes. In “app.any.run” a public sandbox, there are nearly 1200samples are uploaded and the spread seems to be high.

This GandCrab ransomware with CryptoMining seems to be critical and new variants of 2019. Get the IOC’s from your Cyber Intel and public sandboxes. The purpose of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because of it complex to track, or Bitcoin.

Evolution of GandCrab Ransomware

                GandCrab v1 Ransomware, were discovered earlier in 2018. In nearly one month, over 50000 endpoints were infected and encrypted. Unusually, this ransomware asked to pay ransom in the cryptocurrency format “DASH”.

                GandCrab v2 Ransomware, were discovered in May 2018. With the new encryption extension of “.CRAB” and used more sophiscated domains as CnC.

                GandCrab v3 and v3.1 Ransomware were discovered in later 2018 with more antivirus evading techniques.

                GandCrab v4 Ransomware, brought many changes in the workflow and the endpoint communication patterns. The new extension “.KRAB” has been used and the creators have used new encryption algorithm. Surprisingly this variant, doesn’t connect a CnC.

                GandCrab v5 & v5.0.4 Ransomware brought many changes in the communication patterns and very advanced in the encryption standards. In later 2018, this created a greater impact and the increase of victims were huge.

What is CryptoMining Malware?

CryptoMining malware, or cryptocurrency mining malware or simply crypto jacking. Nowadays, Cyber criminals have increasingly turned to CryptoMining malware, as it’s a way to harness the processing power of large numbers of computers, smartphones and other electronic devices to help them generate revenue from cryptocurrency mining.

Therefore, they are infecting machines, utilize the device, encrypt using ransomware, destroy the traces and complete their actions. Cyber attackers are finding more ways in creating an alliance of various malware and combining them to achieve their goals.

Process Flow of the MalSpam

MalSpam

Recommendations to encounter this MalSpam

  1.) Block email attachment names like “Love”, “Love_You”, “Luv_You”, “Love_You_”, etc. and try combinations more.

  2.) Ensure the .js file types are blocked in your email gateway if not needed.

3.) Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.

 4.) Ensure your SOC team are monitoring for the traces of ransomware activity.

5.) Ensure your SOC team is monitoring for the abnormal activity of Powershell Executions.

Indicators of Compromise

IP

74.220.215[.]73
78.46[.]77.98
92.63[.]197.48
136.243.13[.]215
138[.]201.162.99
198.105.244[.]228
217[.]26.53.161

Domains

gandcrabmfe6mnef[.]onion
icanhazip[.]com
osheoufhusheoghuesd[.]ru
slpsrgpsrhojifdij[.]ru
suieiusiueiuiuushgf[.]ru
www[.]2mmotorsport[.]biz
www[.]bizziniinfissi[.]com
www[.]fliptray[.]biz
www[.]haargenau[.]biz
www[.]holzbock[.]biz
hxxp://92[.]63[.]197[.]48/m/5[[.]]exe 
hxxp://92[.]63[.]197[.]48/m/3[[.]]exe 
hxxp://92[.]63[.]197[.]48/m/1[[.]]exe 
hxxp://92[.]63[.]197[.]48/m/4[[.]]exe 
hxxp://92[.]63[.]197[.]48/m/2[[.]]exe 
hxxp://92[.]63[.]197[.]48/2[[.]]exe 
hxxp://92[.]63[.]197[.]48/1[[.]]exe

SHA-256

035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...

HellCat and Morpheus Ransomware Share Identical Payloads for Attacks

The cybersecurity landscape witnessed a surge in ransomware activity during the latter half of...