AstraLocker Ransomware Spreads in “Smash and Grab” Attacks

A new version of AstraLocker ransomware has been observed being distributed directly from Microsoft Office files sent via phishing emails, an unusually fast delivery method that leads researchers to believe the threat actor behind the ransomware is solely interested in making a big impact and receiving quick payout, or what they call a “smash and grab” approach.

The AstraLocker ransomware was first identified in 2021 and is a fork of the Babuk ransomware-as-a-service, which also appeared in early 2021. The latest version of AstraLocker, meanwhile, has been observed to the first time in March. Researchers said AstraLocker attacks are unique in that the ransomware is deployed to victims at a very early stage of the attack, immediately after the target opens the malicious attachment on the phishing email. , rather than the “weak and slow” methodology that is common among sophisticated ransomware groups.

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead for files that allow them to extend their reach into the target environment,” said Joseph Edwards, senior malware researcher at ReversingLabs, in an analysis Tuesday. “Ransomware is almost always deployed last, after compromising the victim’s domain controller(s), allowing cybercriminals to use the domain controller (e.g. Active Directory) to deploy a GPO and encrypt all hosts in the affected domains. »

The new version of the ransomware uses an outdated packer in an attempt to make reverse engineering difficult; the packer injects indirect jumps every five to seven instructions to obfuscate program control flow, Edwards said.

It also takes several steps to evade detection, including checking if it is running in a virtual machine, checking the names of open windows to determine if any malware scanning tools are running, and checking for running processes to see if they are in a scanning environment. Once unpacked, the ransomware attempts to disable endpoint backup and anti-malware security tools, kill any applications known to block data encryption, and delete Volume Shadow Copies, an included technology that can create copies backing up files or volumes.

“What this attack makes clear is that the leak of Babuk source code and builders in 2021 allows cybercriminals of any sophistication to launch their own operations, simply by making small changes to existing Babuk code.”

The ransomware attack vector has potential weak points, as running the ransomware actually requires a significant amount of user interaction. After opening the malicious Word document attached to the email, the target is prompted to perform several additional clicks (including clicking an icon in the document and agreeing to run an embedded executable) to activate the embedded ransomware, which is stored in an OLE object.

“Needless to say, requiring so much user interaction increases the chances of victims thinking twice about what they’re doing,” Edwards said. “This is one of the reasons why OLE objects are used less in malware delivery, as opposed to the more popular VBA macro infection method, which only requires the user to enable macros to s ‘execute.”

The ransomware finally displays a ransom note which includes Monero and Bitcoin wallet addresses for payment. The ransomware variant’s wallet addresses are different from those used by earlier versions of the malware and in the Babuk ransomware.

The new variant also omits a functional email address to contact threat actors in the ransom note, which means the threat actor has no way to deliver the decryptor to the victims even if the ransom is paid, the researchers said. Researchers believe this is a mistake and reflects a drawback of the “crush and grab” approach in this attack; although AstraLocker 2.0 attackers were able to shorten attack time, “it’s easy for attackers launching such hasty efforts to make mistakes,” Edwards said.

Researchers said the threat actor responsible for this recent campaign likely obtained builders for AstraLocker 2.0 ransomware due to Babuk’s source code being stolen and leaked on a Russian hacking forum in September. This means that in addition to a shorter timeframe for attacks, actors also do not need to make large investments to infect victims.

“What this attack makes clear is that the leak of Babuk source code and builders in 2021 allows cybercriminals of any sophistication to launch their own operations, simply by making small changes to existing Babuk code,” Edwards said. . “This is what we observe with the AstraLocker 2.0 malware.”

Comments are closed.