On May 18, a malspam campaign targeting users worldwide was observed. Using a fake DHL shipment notification as the lure, it aimed to spread the "Chaos" ransomware.
The email carries as an attachment a compressed .RAR archive named "Download Tracking Reference.rar", which contains the executable "Download Tracking Reference.exe". One detail stands out when the executable's compilation timestamp is examined: it reads 2080-07-25 13:21:26, a date in the future. The timestamp stored in the PE header is an unauthenticated value that the author can set freely, so it is clearly forged and cannot be used to date the sample.
[Figure: the attachment "Download Tracking Reference.rar" and the executable "Download Tracking Reference.exe" it contains]
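The timestamp check described above, as an added example that is not part of the original report or of the sample: the script reads the COFF TimeDateStamp field from a PE header and classifies it as stripped (zero), forged (in the future) or plausible. The executable it inspects is a constructed minimal header, not the Chaos binary, and only the fields the check reads are populated.

```python
import calendar
import struct
from datetime import datetime, timezone
from typing import Optional

# Timestamp reported for the sample, as a UTC epoch value (the PE field is a 32-bit count of seconds).
CHAOS_TIMESTAMP = calendar.timegm((2080, 7, 25, 13, 21, 26))


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for an executable: a DOS stub plus a COFF file header.
    It is NOT the Chaos sample; only the header fields this check reads are populated."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 60, 64)  # e_lfanew: the PE signature sits at offset 64
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff_header


def pe_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp field and return it as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp is the third COFF field: 4 bytes after Machine (2) and NumberOfSections (2)
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(data: bytes, now: Optional[datetime] = None) -> str:
    """Classify the header timestamp: 'zero' (stripped), 'future' (forged) or 'plausible'.
    A plausible value is still no proof of anything: the field is unsigned and unauthenticated."""
    now = now or datetime.now(timezone.utc)
    ts = pe_timestamp(data)
    if ts.timestamp() == 0:
        return "zero"
    if ts > now:
        return "future"
    return "plausible"


if __name__ == "__main__":
    sample = build_minimal_pe(CHAOS_TIMESTAMP)
    print(pe_timestamp(sample).strftime("%Y-%m-%d %H:%M:%S"), timestamp_verdict(sample))
```

To run it against a real file, pass the bytes read from disk to `pe_timestamp` and `timestamp_verdict`; the same parsing works for any PE, since the field sits at a fixed offset from the PE signature.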
Once extracted and launched, the executable begins the phase of encrypting the user's files. Among its first operations it copies itself into the %APPDATA% folder under the name "svchost.exe" (the name of a legitimate Windows process, chosen so the copy is less conspicuous and harder for the user to recognise; the genuine svchost.exe lives in %WINDIR%\System32, so a file with that name under a user profile is a clear red flag). At the same time it creates a .URL file in the Startup folder that points to the copy just written to %APPDATA%, so the ransomware is launched at every start of the PC.
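A triage check for the persistence mechanism described above, added here as an example and not part of the original report: it parses .URL files from a Startup folder, resolves the local path each one launches, and flags targets that live under AppData or that reuse a system-process name outside the Windows directory. The Startup-folder contents are constructed, and the `file:///` form of the `URL=` line is an assumption about how the ransomware writes the shortcut.

```python
import configparser
import ntpath
from urllib.parse import unquote, urlparse

# Process names commonly borrowed by malware; the legitimate copies live under %WINDIR%\System32.
MASQUERADED_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# Constructed Startup-folder contents (not taken from the real infection): file name -> .URL text.
SAMPLE_STARTUP = {
    "svchost.url": "[InternetShortcut]\nURL=file:///C:/Users/victim/AppData/Roaming/svchost.exe\n",
    "Edge.url": "[InternetShortcut]\nURL=https://www.microsoft.com/edge\n",
    "Tool.url": "[InternetShortcut]\nURL=file:///C:/Program%20Files/Vendor/tool.exe\n",
}


def url_target(content: str):
    """Return the local path a .URL file launches, or None for web shortcuts and malformed files."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(content)
    except configparser.Error:
        return None
    if not cp.has_option("InternetShortcut", "URL"):
        return None
    url = cp.get("InternetShortcut", "URL").strip()
    parsed = urlparse(url)
    if parsed.scheme == "file":
        path = unquote(parsed.path)  # "/C:/Users/..." -> "C:/Users/..."
        if len(path) > 2 and path[0] == "/" and path[2] == ":":
            path = path[1:]
        return path.replace("/", "\\")
    if parsed.scheme in ("http", "https"):
        return None  # a web shortcut does not launch a local binary
    return url.replace("/", "\\")  # bare local path with no scheme


def suspicion_reasons(path: str) -> list:
    """Why a launch target looks like ransomware persistence; empty list means nothing flagged."""
    low = path.lower()
    name = ntpath.basename(low)
    reasons = []
    if "\\appdata\\" in low:
        reasons.append("launch target lives under the user's AppData folder")
    if name in MASQUERADED_NAMES and "\\windows\\" not in low:
        reasons.append(f"{name} outside the Windows directory (system-process name reused)")
    return reasons


def find_suspicious_startup_urls(entries: dict) -> list:
    hits = []
    for filename, content in entries.items():
        target = url_target(content)
        if target is None:
            continue
        reasons = suspicion_reasons(target)
        if reasons:
            hits.append({"file": filename, "target": target, "reasons": reasons})
    return hits


def scan_startup_folder(folder) -> list:
    """Real-host use: pass the Startup folder path (per-user or all-users) and get the hits back."""
    from pathlib import Path
    entries = {p.name: p.read_text(errors="replace") for p in Path(folder).glob("*.url")}
    return find_suspicious_startup_urls(entries)


if __name__ == "__main__":
    for hit in find_suspicious_startup_urls(SAMPLE_STARTUP):
        print(hit["file"], "->", hit["target"], "|", "; ".join(hit["reasons"]))
```

On a live machine `scan_startup_folder` should be pointed at both the per-user Startup folder and the all-users one; a .URL whose target is under AppData and carries a system-process name is worth pulling for analysis regardless of what the file is called.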
Chaos Ransomware first targets the Downloads, Desktop, Contacts, Links, Documents, Music and Pictures folders of the user, and then proceeds to encrypt the rest of the machine.
An interesting peculiarity can be seen during encryption: unlike most ransomware, which append one fixed extension, the extension added here is a combination of 4 random alphanumeric characters, different for each file.
Another interesting feature is the way an encrypted file is written to disk: each encrypted file contains two Base64-encoded sections:
- The encryption key, enclosed in <Encrypted Key> tags; the key is itself encrypted and then Base64-encoded.
- The encrypted content of the file, Base64-encoded; it begins immediately after the closing key tag.
Thanks to this layout, even though the extension of each encrypted file is random, the criminals' decryptor can still identify the encrypted files by their content rather than by their name.
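The same content-based identification can be used for triage. The following is an added example, not code from the original report or from the ransomware: it parses the layout described above (key section between the tags, Base64 body after the closing tag), validates both Base64 sections, and records whether the file name also carries the four-character random extension. The input files, key blob and ciphertext are constructed; the tag is written as "<Encrypted Key>" as on this page, and the pattern also accepts "<EncryptedKey>" in case the spacing differs in a real sample.

```python
import base64
import binascii
import re

# The page writes the tag as "<Encrypted Key>"; the optional space also covers "<EncryptedKey>".
KEY_TAG = re.compile(rb"<Encrypted ?Key>(.*?)</Encrypted ?Key>", re.DOTALL)
# Extension of exactly four alphanumeric characters, as reported above.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")


def build_encrypted_file(encrypted_key: bytes, ciphertext: bytes) -> bytes:
    """Constructed file in the described layout (a stand-in, not real ransomware output)."""
    return (b"<Encrypted Key>" + base64.b64encode(encrypted_key) + b"</Encrypted Key>"
            + base64.b64encode(ciphertext))


def parse_encrypted_file(data: bytes):
    """Return the two decoded sections, or None if the file does not follow the layout."""
    m = KEY_TAG.search(data)
    if m is None:
        return None
    try:
        key_blob = base64.b64decode(m.group(1), validate=True)
        body = base64.b64decode(data[m.end():].strip(), validate=True)
    except binascii.Error:
        return None  # tags present but a section is not valid Base64
    return {"encrypted_key": key_blob, "ciphertext": body}


def triage(files: dict) -> list:
    """Flag files whose content matches the layout; note whether the name has the random extension too."""
    hits = []
    for name, data in files.items():
        parsed = parse_encrypted_file(data)
        if parsed is None:
            continue
        hits.append({
            "name": name,
            "random_ext": bool(RANDOM_EXT.search(name)),
            "key_len": len(parsed["encrypted_key"]),
            "body_len": len(parsed["ciphertext"]),
        })
    return hits


# Constructed inputs: a fake encrypted-key blob and fake ciphertext, not material from a real infection.
SAMPLE_KEY_BLOB = b"K" * 32
SAMPLE_CIPHERTEXT = bytes(range(256)) * 2
SAMPLE_FILES = {
    "report.docx.k7Qz": build_encrypted_file(SAMPLE_KEY_BLOB, SAMPLE_CIPHERTEXT),
    "notes.txt": b"ordinary plaintext, no tags",
    "photo.jpg.Ab3x": b"\xff\xd8\xff\xe0 not base64, random-looking extension only",
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print(hit)
```

The extension alone is a weak signal (any four-character extension matches), so the content structure is the primary test and the extension is only recorded as corroboration; files that match both are the ones to inventory when scoping an incident.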
Once encryption is complete, a ransom note named "read_it.txt" is created; it contains the instructions, the email address for contacting the criminals and the amount to be paid in Bitcoin.
The amount demanded by the cyber criminals is 1 BTC, which at the exchange rate at the time of writing corresponds to about 26,879 USD (about 24,847 EUR).
As of 22/05/2023, the wallet indicated for payment had received no transaction of 1 BTC. Its only transaction is one of 0.00652666 BTC (175.34 USD) on 06/05/2023, an amount that was moved out again the same day.
In the past week, no massive sending of malspam emails spreading the Emotet malware was detected.
Find out if you are an Emotet target!
TG Soft, as reported in the article "HAVEiBeenEMOTET portal to find out whether a mailbox has been used in malspam campaigns to spread EMOTET", has provided and maintained for over a year the HAVEiBeenEMOTET service, which is useful for checking whether your email addresses or domains are targeted by Emotet.
With this service you can check for free whether your email addresses/domains are involved in, or are targets of, Emotet malspam.
Advanced search features and the IOC feed are available by registering and activating the API service at the link: HAVEiBeenEMOTET - API