Hackers Exploit PayPal Documents to Unleash Fileless Ransomware

On July 14, 2024, researchers identified a malicious document disguised as a PayPal receipt on VirusTotal using the VBA macro hunting rules. 

Upon analysis, embedded malicious macros were found to download a PowerShell loader named ‘8eef4df388f2217caec3dc26.ps1’, which employed reflective loading to deploy ransomware. 

It was previously associated with ransomware groups like NETWALKER, indicating a sophisticated attack leveraging common tactics for ransomware delivery. 

Infection chain

Initial infection analysis determined a phishing-delivered malicious Word document as the attack vector, employing a simple blank document, indicating a sophisticated threat actor. 

Obfuscated VBA macros within the document were de-obfuscated to reveal a PowerShell command designed to download a Base64-encoded payload from a remote server, which is a multi-stage attack, with the initial document serving as a delivery mechanism for subsequent malicious activity. 

Word document

The analyzed JPEG file revealed a malicious PowerShell loader heavily obfuscated with three layers of junk code. By manually removing these layers, the underlying script was uncovered, which contained embedded .NET assemblies encoded as byte arrays. 

These assemblies were dynamically loaded into memory using reflective loading techniques, while the final stage of this attack chain is the execution of malicious .NET assemblies carrying the ransomware payload. 

Heavily obfuscated with junk code

Analysis of the extracted .NET assemblies revealed that the first DLL, TEStxx.dll, was protected using .NET Reactor. Upon unpacking, it was determined to be responsible for injecting the second executable, RegSvcs.exe, into a target process’s memory. 

Further examination of RegSvcs.exe uncovered its ransomware nature, evident in functions related to wallpaper modification, file enumeration and encryption, and process termination. 

The presence of methods like TRIPLE_ENCRYPT, FULL_ENCRYPT, and RECURSIVE_DIRECTORY_LOOK underscores the ransomware’s sophisticated file encryption capabilities. 

Back program

The ransomware self-replicates to the user’s AppData\Local folder, deleting itself upon successful copy, and then iteratively scans local drives, excluding specific system directories, and identifies target file types for encryption. 

A recursive directory search task is created to facilitate comprehensive file enumeration. The targeted file extensions encompass a wide range of document, image, audio, video, archive, database, and code formats, indicating a broad encryption scope.

The ransomware employs AES encryption, using FULL_ENCRYPT for files under 512 KB and TRIPLE_ENCRYPT for larger files, with an exception list. After terminating critical processes, it encrypts specific files across all drives. 

Empty BTC wallet 

To ensure persistence, it creates a Run key to execute on startup. The ransomware also manipulates the clipboard by replacing bitcoin addresses with the attacker’s empty wallet, demanding a ransom without providing a valid payment method. 

Analysis by Sequrite indicates Cronus Ransomware is a newly emerged fileless threat actively spreading through a PowerShell loader and DLL injector. 

It shares code similarities with other known RATs like Revenge, Arrow, Async, Andromeda, XWorm, and njRAT, while IOCs, which include hashes for malicious documents, PowerShell scripts, DLLs, and executables, confirm the active nature of this threat.

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here