The infamous GandCrab is back in a new phishing campaign. Here, the attackers are using fake Center for Disease Control (CDC) warning to distribute the GandCrab 5.2 ransomware onto the victims’ systems.
How does it work - As per My Online Security, the attack begins with users receiving a fake CDC email. In order to make it less suspicious, the email is distributed under the subject line of ‘Flu Pandemic Warning’. However, a close look reveals that the email comes from a sender ‘Peter@eatpraynope[.]com’ which has nothing to do with the CDC.
“To confuse the issue even more the subject line was written in what looks like a mix of cyrillic & western characters & encoded in UTF8 format so a computer will automatically translate / decode it. When I first tried to post this, I got a garbled mess of characters in the url to this post where the Copy & pasting from the email picked up the utf8 format,” the researchers explained.
The email includes a malicious doc that appears to contain the instructions on how to prevent flu. When users click the doc, the GandCrab 5.2 is unleashed and gets installed on the computers.
“The Word doc attachment is almost empty with just an Urgent Notice Heading. The scumbags trying to compromise you are hoping that you will enable content & editing to enable the macros that let this run,” said researchers.
Encryption process - Once installed, the ransomware encrypts the victims’ files and leaves behind a warning note, asking for ransom.
“The C2 for this is a well known site 'https[:]//www.kakaocorp.link/static/tmp/eshe[.]png' where the ransomware posts encrypted / encoded details about the compromised computer,” read the report.
In order to stay safe, users are urged to ignore such emails and should not click on the link or malicious doc as it can infect the systems.