Emergency exit map email unleashed GandCrab malware

News by Rene Millman

New campaign switches from delivering Ursnif Trojan to delivering an updated version of GandCrab ransomware.

A new malware campaign is tricking victims into downloading and installing GandCrab ransomware by pretending to be an emergency exit map for the building they are in.

According to reports from Myonlinesecurity.co.uk, which revealed the campaign, the email server sending out this ransomware has previously been delivering the Ursnif banking Trojan.

Researchers said that this may be a new, updated version of GandCrab. The email appears to be from someone called Rosie L. Ashton and comes with an attachment titled Emergencyexitmap.doc.

When opened, the document shows the text "Emergency exit map" and a prompt to enable content. If the victim clicks on the Enable Content button, the Word macros will execute a PowerShell script downloading and installing the GandCrab v5.1 ransomware onto the computer.

The PowerShell script has been obfuscated so that it is difficult to follow the code. When deobfuscated, the script reveals that a macro downloads putty.exe and then executes it. The executable is, in fact, the GandCrab ransomware, which then starts to encrypt files.

It also places ransom demands in every folder where a file has been encrypted. The ransom note indicates that this is v5.1 of GandCrab and instructs the victim on how to pay the ransom demand.

"There might be decoders for some versions of Gandcrab but I don’t think at this time 5.1 can be decoded by them," said researchers.

Researchers added that the malware-laden emails are coming from several different email addresses and IP addresses, all from one hosting company using the IP range of 194.58.61.*. They added that this appears to be a server based in Russia, AS197695 Domain names registrar REG.RU, Ltd.

"All the email addresses pass authentication and the majority of the sending domains have been registered for several years. All the domains are using name servers on domaincontrol.com which suggests that there has either been a compromise on the name server system to redirect the legitimate domains to the Russian hosting servers," researchers said.

Researchers added that all alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are all innocent and are just picked at random.
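
As an added illustration (not code from the article or the researchers), the sketch below triages a message on the two indicators reported above, the 194.58.61.* sending range and the Emergencyexitmap.doc attachment name, and ignores the SPF/DKIM verdict because the campaign's mail passes authentication. The sample message, the example.com and example.org hosts and all function names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.message import EmailMessage

CAMPAIGN_NET = ipaddress.ip_network("194.58.61.0/24")  # range reported in the article
LURE_NAME = "emergencyexitmap.doc"                      # attachment name from the article
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(msg):
    """Return the IPv4 addresses recorded in square brackets in Received headers."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for raw in BRACKETED_IP.findall(str(hdr)):
            try:
                ips.append(ipaddress.ip_address(raw))
            except ValueError:
                continue  # matches the pattern but is not a valid address
    return ips

def triage(raw_message):
    """Score one RFC 5322 message against the reported indicators."""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "campaign_relay": any(ip in CAMPAIGN_NET for ip in relay_ips(msg)),
        "lure_attachment": LURE_NAME in names,
        "doc_attachment": any(n.endswith((".doc", ".docm")) for n in names),
    }

def should_quarantine(result):
    # auth_pass is deliberately not consulted: these emails pass authentication.
    return result["campaign_relay"] and result["doc_attachment"]

def constructed_sample(relay_ip):
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["Received"] = f"from mail.example.com (mail.example.com [{relay_ip}]) by mx.example.org with ESMTP"
    m["Authentication-Results"] = "mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com"
    m.set_content("See attached.")
    m.add_attachment(b"constructed placeholder, not a real document",
                     maintype="application", subtype="msword", filename="Emergencyexitmap.doc")
    return m.as_string()

if __name__ == "__main__":
    print(triage(constructed_sample("194.58.61.23")))
```

Received headers below the hop written by your own mail exchanger can be forged by the sender, so in production restrict the relay check to the header your own gateway adds.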

"Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found," said researchers.

Dr Simon Wiseman, CTO at Deep Secure, told SC Media UK that the only way that organisations can truly defend against these threats is if they remove the threat in the document (the macro) before the attack can even start.

"Content threat removal (CTR) prevents any content entering the network, stripping the useful data from the original file to create a carbon copy from the user’s perspective, but without any unrequired data or potentially malicious elements. This enables the user to receive all the information they need, without introducing unknown content risks onto the network," he said.

Dr Guy Bunker at Clearswift told SC that people need training and awareness on the threat and then the risks and consequences. "This doesn’t have to cost money – but rather time to communicate about the threat, what to look for and what to do should the person think they may have fallen victim to such an attack," he said.

Liron Barak, CEO and co-founder of BitDam, told SC that most cyber-security solutions base their detection mechanism on attacks that were seen in the past, meaning that an attack that was tweaked might go below the radar and penetrate the victim's computer.

"Once such attacks enter an organisation, there is not much that can be done to mitigate its effect. The most effective approach is to prevent the attack from entering an employee’s mailbox in the first place," she said.

