By Lawrence Abrams May 1, 2020 01:00 PM 0
A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.
By using this malware combo, the attackers first steal saved user names and passwords stored in a variety of applications and then deploy the Jigsaw Ransomware to try and get a small ransom to sweeten the attack.
Weaponized Excel spreadsheets
The exact emails sent as part of this campaign have not been found, but the attachments impersonate invoices, bank transfers, orders, and business inquiries.
Top ArticlesShade Ransomware Decryptor can now decrypt over 750K victims
This campaign is using Excel attachments with names such as Swift.xlsx, orders.xlsx, Invoice For Payment.xlsx, Inquiry.xlsx.
Unlike many phishing attachments, the actors appear to be utilizing legitimate or carefully crafted spreadsheets that have been weaponized to seem believable, as shown below.
Click to see a larger version
According to security researcher James, who discovered this campaign, these attachments have been weaponized using LCG Kit so that they exploit an old Microsoft Office CVE-2017-11882 remote code execution vulnerability in Equation Editor.
Weaponized attachment
If successfully exploited, malware will be downloaded from a remote site and executed.
The vulnerability being exploited to download malware
While this malware has since been removed from the site, James told BleepingComputer that the cjjjjjjjjjjjjjjjjjjj.exe file is LokiBot.
LokiBot has the ability to steal saved login credentials from a variety of browsers, FTP, mail, and terminal programs and then sends it back to the command and control server to be collected by the attacker.
Additional ransomware payload
In addition, this LokiBot variant has been configured to download and install a Jigsaw Ransomware variant that uses a Salvadore Dali mask from the popular Money Heist show as its background.
Jigsaw Ransomware
This Jigsaw Ransomware variant will encrypt a victim's files and append the .zemblax extension to encrypted file's names.
Encrypted Files
The good news is that Jigsaw is easily decrypted, so if you become infected with this variant, be sure to let us know so we can help.
The bad news is that the Jigsaw Ransomware will periodically delete your files until you pay.
Therefore, if you become infected, be sure to terminate the drpbx.exe process using Task Manager so that the Jigsaw Ransomware will be shut down and not delete your files.
As this phishing campaign utilizes malicious spreadsheets that exploit an old Excel vulnerability, simply making sure you are using the latest security updates for your installed Office applications will protect you.
A new phishing campaign is distributing a double-punch of a LokiBot information-stealing malware along with a second payload in the form of the Jigsaw Ransomware.
By using this malware combo, the attackers first steal saved user names and passwords stored in a variety of applications and then deploy the Jigsaw Ransomware to try and get a small ransom to sweeten the attack.
Weaponized Excel spreadsheets
The exact emails sent as part of this campaign have not been found, but the attachments impersonate invoices, bank transfers, orders, and business inquiries.
Top ArticlesShade Ransomware Decryptor can now decrypt over 750K victims
This campaign is using Excel attachments with names such as Swift.xlsx, orders.xlsx, Invoice For Payment.xlsx, Inquiry.xlsx.
Unlike many phishing attachments, the actors appear to be utilizing legitimate or carefully crafted spreadsheets that have been weaponized to seem believable, as shown below.
Click to see a larger version
According to security researcher James, who discovered this campaign, these attachments have been weaponized using LCG Kit so that they exploit an old Microsoft Office CVE-2017-11882 remote code execution vulnerability in Equation Editor.
Weaponized attachment
If successfully exploited, malware will be downloaded from a remote site and executed.
The vulnerability being exploited to download malware
While this malware has since been removed from the site, James told BleepingComputer that the cjjjjjjjjjjjjjjjjjjj.exe file is LokiBot.
LokiBot has the ability to steal saved login credentials from a variety of browsers, FTP, mail, and terminal programs and then sends it back to the command and control server to be collected by the attacker.
Additional ransomware payload
In addition, this LokiBot variant has been configured to download and install a Jigsaw Ransomware variant that uses a Salvadore Dali mask from the popular Money Heist show as its background.
Jigsaw Ransomware
This Jigsaw Ransomware variant will encrypt a victim's files and append the .zemblax extension to encrypted file's names.
Encrypted Files
The good news is that Jigsaw is easily decrypted, so if you become infected with this variant, be sure to let us know so we can help.
The bad news is that the Jigsaw Ransomware will periodically delete your files until you pay.
Therefore, if you become infected, be sure to terminate the drpbx.exe process using Task Manager so that the Jigsaw Ransomware will be shut down and not delete your files.
As this phishing campaign utilizes malicious spreadsheets that exploit an old Excel vulnerability, simply making sure you are using the latest security updates for your installed Office applications will protect you.