Ransomware Phishing Emails Sneak Through SEGs

Ransomware Hackers
Share It On:

20th November 2021, Kathmandu

Secure Email Getaway, also known as SEG, measures aren’t always adequate to keep phishing emails from infecting employees with ransomware, especially if the cybercriminals are leveraging genuine cloud services to host malicious URLs.

Researchers are warning of a phishing email that launched a Halloween-themed MICROP ransomware attack, which they discovered made its way into a target’s mailbox despite being protected by an SEG.

Infection Routine

The original email claimed to require assistance with a “DWG following Supplies List,” which is allegedly connected to a Google Drive URL.

The URL is a link to an infection that downloaded a.MHT file. “Web browsers often use.MHT file extensions as a webpage archive,” Cofense researchers noted.”

After opening the file, the target is given a blurred-out and stamped form; however, the threat actor is exploiting the.MHT file to communicate with the malware payload,” the researcher continues.

The payload is delivered in the form of a downloaded.RAR file, which contains an.EXE file. According to the investigation, “the executable is a DotNETLoader that leverages VBS scripts to drop and run the MIRCOP ransomware in memory.”

The campaign isn’t particularly clever, but it was able to pass through SEGs thanks to the utilization of Google Drive.

“Its first attraction is business-oriented,” the researchers stated, noting that it uses a service – such as Google Drive – that organizations use to distribute files.” “This organization is unconcerned about being subtle, as evidenced by the quick rollout of the MHT payload to final encryption.

“Because this ransomware is so easy to spread, it’s extremely concerning that this email made its way into the inbox of a SEG-enabled environment.”

Cofense discovered the potential new danger after the recipient of this Halloween MICROP reported the email as suspicious.

A Gory Theme, Unusual Use of Skype

“The MIRCOP ransomware, also known as the Crypt888 ransomware, encrypts users’ files and holds them captive,” according to a Cofense expert.

“The threat actor offers to supply the decryption mechanism once the money requirement is met.

The threat actor leaves a set of instructions on the wallpaper for this attack.”

In addition, the user is unable to run any apps other than a few web browsers that provide them access to their email account, which is used to contact the attacker,” Cofense researchers noted in a recent publication.

“The email address is then used to set up the payment required to acquire access to the decrypting tool that the threat actor promises would unlock the files and applications,” the threat actor writes. “Since most organized ransomware gangs have specialized sites or mobile messaging apps,” they explained, “Skype as a medium for bargaining is uncommon.”

Watch Locally Stored Passwords

Another intriguing component of this campaign is a malicious program called “PI2.exe,” discovered by the Cofense team.

It collects passwords from popular online browsers such as Internet Explorer, Google Chrome, Firefox, and Opera, offering threat actors lateral network access and a point of entry for future attacks.

“Looking up the SHA256 hash of this executable on Virus Total, it can be linked to dozens of malicious executables dating back to June of this year,” according to researchers. According to Miclain Keffeler, an application security consultant with nVisium, this “tool” indicates that the shift to working outside the office exposes businesses to more of these types of attacks, which is why local password management as well as reining in cloud permissions is becoming increasingly important, as he explained to Threatpost.

“Crypt888 attempts horizontal privilege escalation by collecting passwords that users may have saved locally — passwords that will inevitably be exploited in various ways that will cause devastation on a corporation,” Keffeler warned.

According to the research, “as the cloud increases, these cached passwords become a major attack vector since they often allow vast quantities of access – with little to no security controls.”


Share It On:

Recent Posts

Radio Nepal To Broadcast News In Danuwar Language As Its 25th Language

Radio Nepal To Broadcast News In Danuwar Language As Its

Share It On:10th October 2024, Kathmandu Radio Nepal is set to broadcast news in Danuwar language starting on October 14,

DRN’s In-Depth Analysis of Nepal Social Media Bill 2080: Key Concerns & Recommendations

DRN’s In-Depth Analysis of Nepal Social Media Bill 2080: Key

Share It On:9th October 2024, Kathmandu Digital Rights Nepal (DRN) has conducted an in-depth analysis of the proposed Social Media

Global IME Partners myZoi To Offer Seamless Remittance Services From UAE To Nepal

Global IME Partners myZoi To Offer Seamless Remittance Services From

Share It On:9th October 2024, Kathmandu Global IME Bank Limited has entered into a groundbreaking partnership with myZoi, a UAE-based

#GrowWithTikTok Masterclass: Empowering SMBs in Nepal to Grow With TikTok Strategies

#GrowWithTikTok Masterclass: Empowering SMBs in Nepal to Grow With TikTok

Share It On:9th October 2024, Kathmandu TikTok recently concluded its eagerly awaited workshop in Kathmandu, aimed at empowering Small and

The Future of Transnational Education in Nepal: Charting a New Course for Global Learning

The Future of Transnational Education in Nepal: Charting a New

Share It On:9th October 2024, Kathmandu As Nepal confidently steps into the global arena, Transnational Education (TNE) emerges as a

Cashback at KK Mart with NEPALPAY QR – Global IME Bank Festival Offer (4th-16th Oct 2024)

Cashback at KK Mart with NEPALPAY QR – Global IME

Share It On:9th October 2024, Kathmandu This festival season, Global IME Bank, Nepal Clearing House Limited, and KK Mart have