Friday, October 4, 2024
HomeRansomwareBeware!! New Spider Ransomware Widely Spreading by using Office Documents

Beware!! New Spider Ransomware Widely Spreading by using Office Documents

Published on

A Newly discovered Spider Ransomware widely spreading around the world which delivery through decoy Office documents that usually spreading via the malspam campaign.

This Spider Ransomware using Email is a medium to spreading across to the victims machine and an email attachment contains bogus office document which actually comes with VB Script agent.

In this year, some of the very big ransomware attacks such as wannacry, Petya, Locky were infected around the world and it makes the very worst impact on many organization and individuals.

- Advertisement - EHA

In this case, Spider Ransomware spreading via the Bosnian language which indicates that initial level of threat actor infection started from Bosnia and Herzegovina regions.

This was detected as “VB:Trojan.VBA.Agent.QP” and it will later download a payload Trojan.GenericKD.12668779” and “Trojan.GenericKD.6290916”.

Also Read:  Necurs Spam Botnet Back in Business Spreading Scarab Ransomware

How Does this Spider Ransomware Works

Initially, Victims will be received an email that contains attacked document of malicious  VB Script agent which claimed as bills or invoice related legitimate document.

Malicious decoy Office document contains an obfuscated macro code and it’s using Powershell code to download an original Spider Ransomware paylaod.

These related payloads are  Base64 encoded and it using yourjavascript.com website for hosting to establish a proper communication.

To performing a decode operator, it uses XOR operation with the key ‘AlberTI’ to decode the final level of payload.

Once it is decoded then it saved as a .exe  file and copied into APPDATA% /Spider’ directory with the name of  ‘dec.exe’ and ‘enc.exe’.

These 2 files are using performing different operations, enc.exe performs as a Spider Ransomeware decrypter and dec.exe performing to displays the user interface for warning message and to decrypt the files using a decryption key.

“Also Spider ransomware also copies two text files ‘files.txt’ and ‘id.txt’ respectively inside the ‘%APPDATA% /Spider’ directory”

According to netskope, PowerShell launches the ransomware decryptor, dec.exe with ‘spider’ argument and enc.exe file with ‘spider ktn 100’ arguments. Spider ransomware decryptor monitors the system processes and prevents opening of windows utility tools like taskmgrprocexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess

Later, The payload enc.exe helps to encrypt the user’s files and adds the ‘.spider’ extension and also maintain the list of files in files.txt that has been encrypted by this Spider Ransomware.

Spider Ransomware

Once it has successfully performed its operation, a warning message will be displayed that contains the complete information to the victims and so it contains an information about the decryption procedure.

Spider Ransomware

Also, a Warning message contains an information about the decryption procedure for the victims.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...

New Mallox Ransomware Linux Variant Attacking Enterprise Linux Servers

Kryptina RaaS, a free and open-source RaaS platform for Linux, initially struggled to attract...

TWELVE Threat Attacks Windows To Encrypt Then Deleting Victims’ Data

The threat actor, formed in 2023, specializes in ransomware attacks targeting Russian government organizations....