Delaware, USA – February 11, 2019 – Bromium researchers have reported another geo-targeted threat being spread as a fake payment notice with an .xls attachment, a lure designed to get the recipient to open the file and enable its content. Once the attachment is opened, the macro checks the country/region setting of the attacked system to confirm that it is Italy; if the computer is configured for any other region, the macro immediately quits Excel. If the location is Italy, the attack proceeds to infect the system: the macro downloads an image of Mario and reconstructs a PowerShell script from data hidden in the PNG's pixel values, and that script then downloads and installs the GandCrab ransomware. Steganography is not a new trick for delivering malware and is widely used to bypass security controls; it is common in malvertising campaigns, where the malicious content is only assembled once the image reaches its target. The recent trend has shifted from hiding complete malicious files in the image body to hiding highly obfuscated PowerShell commands that evade antivirus solutions.
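To make the mechanism concrete, the following added example (not code from the Bromium report or from the campaign itself) shows how a script can be hidden in the pixel data of a PNG and recovered by a loader. The page does not say how the campaign encoded its script inside the image, so the least-significant-bit (LSB) scheme, the 4-byte length prefix, the synthetic gradient cover image and the demo payload string are all assumptions made here for illustration. The PNG is written and parsed with the standard library only, so the example runs offline.

```python
import struct
import zlib

# Constructed demo payload standing in for the campaign's downloader script.
# Illustrative only: it is not the script from the Bromium report.
PAYLOAD = b"Write-Host 'stage-2 downloader would run here'"

WIDTH, HEIGHT = 64, 32  # small constructed cover image (assumed size)


def make_cover_pixels(width=WIDTH, height=HEIGHT):
    """Return a synthetic RGB gradient as a flat byte buffer (row-major)."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 4) & 0xFF, (y * 8) & 0xFF, ((x + y) * 2) & 0xFF))
    return pixels


def embed_lsb(pixels, payload):
    """Hide a 4-byte big-endian length prefix plus payload in the LSB of each sample."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Recover the payload: read the 32 length bits, then that many bytes."""
    def read_bytes(offset, count):
        result = bytearray()
        for n in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + n * 8 + i] & 1)
            result.append(byte)
        return bytes(result)
    length = struct.unpack(">I", read_bytes(0, 4))[0]
    if length * 8 + 32 > len(pixels):
        raise ValueError("declared length exceeds image capacity")
    return read_bytes(32, length)


def png_chunk(tag, body):
    """Length + tag + body + CRC32 over tag and body, as the PNG spec requires."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png(pixels, width=WIDTH, height=HEIGHT):
    """Encode 8-bit RGB pixels as a valid PNG (filter type 0 on every row)."""
    raw = b"".join(b"\x00" + bytes(pixels[y * width * 3:(y + 1) * width * 3])
                   for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def read_png_pixels(png):
    """Walk the chunks, inflate IDAT and strip the per-row filter byte."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("demo reader supports 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    pixels = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("demo reader supports filter type 0 only")
        pixels += row[1:]
    return bytes(pixels)


def roundtrip(payload=PAYLOAD):
    """Build a stego PNG, then recover the payload the way a loader would."""
    png = write_png(embed_lsb(make_cover_pixels(), payload))
    return extract_lsb(read_png_pixels(png))


if __name__ == "__main__":
    print(roundtrip().decode())
```

The point for defenders is that the image itself is a valid PNG that any viewer will render normally; the hidden script only appears after the loader reads the pixel samples back, which is why detection efforts in such campaigns focus on the macro's behaviour (locale checks, image downloads followed by PowerShell execution) rather than on the image file.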
GandCrab remains highly active and has grown into a popular ransomware-as-a-service (RaaS) operation that is frequently delivered alongside other threats. Despite all attempts to contain this malware, GandCrab now holds one of the leading positions in the RaaS market. You can use the following Threat Detection Marketplace content to detect this ever-changing threat:
GandCrab Ransomware Detector for Sysmon – https://tdm.socprime.com/tdm/info/1356/