New: Spider Ransomware

NEW SPIDER RANSOMWARE COMES WITH 96-HOUR DEADLINE

A new ransomware strain called Spider is targeting victims located in the Balkans in what is called a “mid-scale” campaign.

The Spider ransomware is unusual in that victims are given a 96-hour deadline to pay. The attackers also try to calm victims, assuring them that the ransom payment and file recovery process will be “really easy,” and go one step further by providing a link to a video tutorial showing how the Spider payment and file recovery process works.

Victims are targeted with malicious Office documents sent as attachments in an email phishing campaign. The subject line reads “Potrazivanje dugovanja”, which Google Translate renders from Bosnian as “Debt Collection”.

“These attachments are auto-synced to the enterprise cloud storage and collaboration apps. Netskope Threat Protection detects the decoy document as ‘VB:Trojan.VBA.Agent.QP’ and the downloaded payload as ‘Trojan.GenericKD.12668779’ and ‘Trojan.GenericKD.6290916’,” Netskope researchers wrote.

The malicious Office documents are written in Bosnian and contain obfuscated code, according to the researchers. If the malicious code is executed, Windows PowerShell launches with instructions to download a malicious Base64-encoded payload hosted on YourJavaScript.com, a free hosting site.

“After downloading the payloads, the PowerShell script decodes the Base64 string and performs an XOR operation with the key ‘AlberTI’ to decode the final payloads, which are later saved into executable (.exe) files,” researchers wrote. “The decoded payloads named ‘dec.exe’ and ‘enc.exe’ compiled in .NET are copied to the ‘%APPDATA% /Spider’ directory.”
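The two-step unpacking quoted above (Base64, then XOR with the key ‘AlberTI’) is what an analyst has to reverse to get the dropped .exe files out of a captured download. The Python helper below is an added example, not code from Netskope or from the malware; the sample blob is constructed for the demo, and the MZ/PE header check is an assumption about what a correctly decoded stage should look like.

```python
"""Analyst helper: recover a Spider-style payload stage for offline analysis.

The loader described on this page downloads a Base64 string, XORs the
decoded bytes with the key 'AlberTI' and writes the result as an .exe.
This module reverses that so a captured blob can be examined without
ever running it. The sample blob is constructed here, not a real payload.
"""
import base64
import hashlib

XOR_KEY = b"AlberTI"  # key quoted in the Netskope write-up


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage(b64_blob: str, key: bytes = XOR_KEY) -> bytes:
    """Base64-decode the captured string, then strip the XOR layer."""
    return xor_with_key(base64.b64decode(b64_blob), key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check (assumed, not from the page): a decoded .exe starts with
    'MZ' and has the 'PE\\0\\0' signature at the e_lfanew offset stored
    little-endian at bytes 0x3C..0x40. A wrong key fails this check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


# --- constructed sample: a minimal MZ/PE stub, not a real binary ---
_stub = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS header
_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> 0x40
_stub += b"PE\x00\x00" + b"\x00" * 20                # PE signature + padding
SAMPLE_BLOB = base64.b64encode(xor_with_key(bytes(_stub))).decode()


def analyse(b64_blob: str) -> dict:
    """What an analyst wants to log about the recovered stage: whether it
    decoded to a PE, its size and its SHA-256, without touching disk."""
    decoded = unpack_stage(b64_blob)
    return {
        "is_pe": looks_like_pe(decoded),
        "size": len(decoded),
        "sha256": hashlib.sha256(decoded).hexdigest(),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_BLOB))
```

Feeding the script the Base64 string captured from a real sample instead of `SAMPLE_BLOB` yields the hash of the decoded stage for matching against the detections named above.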

source: netskope