Fake resume malspam delivers Sigma Ransomware

Haythem Elmir

I haven’t seen any examples of this Resume malware for a while now, so when this popped up in my spam folder, it looked interesting enough to investigate a bit more. This is a continuation of 4 previous posts about malware using resumes or job applications as the lure. They have changed behaviour again since those posts were written, and it is time to once again update the details.

The primary change in delivery method is once again the use of a password on the Word doc to try to bypass antivirus filters: an encrypted document cannot be inspected for macros by a mail gateway or scanner that does not know the password. However, there do appear to be big differences in the malware itself compared to previous versions.

Today’s version does not appear to be using the Smoke Loader/Sharik trojan as an intermediate downloader for other malware, which has been the previous behaviour with these fake resume emails. Instead it appears to download Sigma ransomware directly.

I have had major problems analysing these today. Either I am too stupid to work out how to insert passwords on the majority of sandbox systems, or their documentation & instructions leave something to be desired. The only way I can ever get a password protected Word doc to run is to use the Anyrun app, which interactively allows me to insert the password in the same way a “normal” recipient would.

Next, the actual malware was so slow to download that AnyrunApp couldn’t retrieve it. It took just over 3 minutes to download directly for me.

I gave up trying to insert the password in the sandboxes, so I removed it from the Word doc & uploaded a “fixed” copy with no password to all sandboxes except Anyrun. I still couldn’t get it to run in Cape sandbox. HA and Anyrun gave the same error about “cannot locate the resource specified”.
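The password on the Word doc is the reason both the antivirus filters and most of the sandboxes above could not see inside it. A mail gateway cannot decrypt the document, but it can at least recognise that an attachment is an encrypted Office container and treat it as unscannable rather than clean. The script below is an added example of that check, not code from the original post or from any of the sandboxes mentioned. It relies on the documented layout of encrypted Office files: a password-protected .docx is not a ZIP but an OLE Compound File whose directory holds the streams `EncryptionInfo` and `EncryptedPackage` (MS-OFFCRYPTO), and directory entry names are stored as UTF-16LE. The sample attachments are constructed byte strings, not real files.

```python
"""Triage mail attachments that are password-protected Office documents.

Added example (not from the original post). Assumes only that the
attachment bytes are already in memory; the sample inputs are constructed.
"""

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # plain OOXML (.docx/.xlsx) is a ZIP

# Stream names that only exist in a password-protected OOXML container.
# Compound File directory entries store names as UTF-16LE, so search for
# that encoding rather than ASCII.
ENCRYPTED_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]


def classify_attachment(data: bytes) -> str:
    """Return a coarse structural type for an attachment blob."""
    if data.startswith(ZIP_MAGIC):
        # A ZIP can still carry macros, but a scanner can open and inspect it.
        return "ooxml-plain"
    if data.startswith(OLE_MAGIC):
        if all(name in data for name in ENCRYPTED_STREAMS):
            # Encrypted OOXML: the real document is ciphertext inside
            # EncryptedPackage, so macro/AV inspection is impossible here.
            return "ooxml-encrypted"
        # Legacy binary format (.doc/.xls) or another OLE container.
        # Note: a legacy .doc can also be RC4-encrypted (fEncrypted bit in the
        # FIB inside the WordDocument stream); detecting that needs a full
        # CFB parser such as olefile and is not attempted by this heuristic.
        return "ole-container"
    return "unknown"


def verdict(data: bytes) -> str:
    """Map the structural type to a gateway action."""
    kind = classify_attachment(data)
    if kind == "ooxml-encrypted":
        # Cannot be scanned: do not deliver as if clean.
        return "quarantine-unscannable"
    if kind in ("ooxml-plain", "ole-container"):
        return "scan"
    return "pass-through"


def triage(attachments: dict) -> dict:
    """Apply verdict() to a {filename: bytes} mapping."""
    return {name: verdict(blob) for name, blob in attachments.items()}


# Constructed sample attachments (header bytes + padding + directory names).
SAMPLES = {
    "resume.docx": OLE_MAGIC + b"\x00" * 504
                   + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 40
                   + "EncryptedPackage".encode("utf-16-le"),
    "cv.docx":     ZIP_MAGIC + b"\x00" * 60,
    "old_cv.doc":  OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
    "notes.txt":   b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, action in triage(SAMPLES).items():
        print(f"{name:12s} {classify_attachment(SAMPLES[name]):16s} -> {action}")
```

The byte search is deliberately cheap: it does not walk the CFB directory, so a crafted file could hide or fake the stream names, and a plain substring match on `EncryptedPackage` elsewhere in an OLE file would be a false positive. For a gateway that is still the right trade-off, because the goal is not to prove encryption but to stop an attachment that nobody could inspect from being delivered with a “clean” label.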

To read the original article: