Hermes ransomware 2.1 being distributed by cybercriminals in new malicious campaign

• The ransomware is being spread via a weaponized password-protected Microsoft Word document.
• The weaponized document is designed to automatically launch the macros in systems where the macro setting is low.

A new malicious campaign has been observed which involves cybercriminals using weaponized password-protected Microsoft Word documents to distribute the Hermes ransomware 2.1.

According to security researchers at Trustwave, who discovered the new campaign, spamming password-protected documents is one of the oldest and most effective method of evading antivirus detection.

Modus operandi

The cybercriminals behind this campaign have been using “Invoice.doc” as an email lure. The malicious documents contains a password-protected macro. The weaponized document is designed to automatically launch the macros in systems where the macro setting is low.

Trustwave researchers discovered another malicious email sample that contained the same subject, email headers and body. The malicious attachment was an XPS file. The URL that this malicious document redirected victims to is no longer active.

It is therefore unclear whether this other email sample distributed the Hermes ransomware or some other malware.

“An email with attachment secured with a password may give some an impression of security. But, as illustrated, it pays to be cautious,” Trustwave researchers said in a blog. “The bad guys like using passwords too, mainly to try and evade gateway inspection of the attachment.”