A new malware version with functions that let it steal email credentials and contact addresses, and spread on its own to the victim’s email contacts, is now hitting Russian-speaking countries.
Written as a batch file, this malware uses multiple freely available tools to fulfill its mission, said researchers at security firm Avast.
It all starts with a Word document sent by email, which claims to contain a change in a service’s terms of agreement that needs reviewing before signing.
As mentioned, this attack is currently confined to Russian-speaking countries, but it surely won’t be long before it spreads further.
Avast researchers Jaromir Horejsi and Honza Zika analyzed the threat and found that all malicious actions came from a BAT file.
To mask the encryption of files on the disk (XLS, XLSX, DOC, DOCX, XLSM, DWG, SVG, MDB, PDF, ZIP, RAR, and JPG among them), the Word document displays gibberish characters. The reason given for that is that its developers created it with a newer version of Microsoft Word.
Behind the scenes, the data is locked with the 1024-bit RSA algorithm, relying on public-key cryptography: a public key encrypts the data, and a private key, which in this case goes to the attacker, decrypts it.
A ransom message is displayed, demanding that the victim pay $185 for the private key that unlocks the files and send two files (UNIQUE.PRIVATE and KEY.PRIVATE) to an email address (email@example.com) controlled by the cybercriminals.
These files identify the encrypted information and its location on the disk, and are used to provide the decryption key.
To spread to as many victims as possible, the malware steals email credentials from the browser, pulls the sender information from the 100 most recent emails, and delivers each sender a custom message with the downloader hidden in an attachment.
The email usernames and passwords are also sent to the attacker and then tested against webmail services common in Russia: Mail.ru and Yandex.
The 100 messages downloaded from the victim’s inbox are filtered, and the ones that were received are then removed.
“The virus now has a fake email with a malicious link, addresses to send it to, and the email address and password of the sender. In other words, everything it needs to propagate. Propagation is achieved using program Blat renamed as spoolsv.btc,” the researchers said in a blog post.
This is not typical ransomware, as it leverages free software: GPG (for encryption), Email Extractor, Browser Password Dump (for retrieving passwords stored in the web browser) and Blat (for sending email).
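The behaviour chain described above (a BAT file driving everything, GPG encrypting the victim's documents, UNIQUE.PRIVATE and KEY.PRIVATE being dropped, and Blat running under the name spoolsv.btc to send the propagation mail) lends itself to simple host-side detection. The following is an added example written for this page, not code from Avast or from the article; it turns the page's indicators into heuristics and runs them over a constructed event stream. The event schema, the on-disk tool names gpg.exe and blat.exe, the burst threshold and all sample events are assumptions for the demo.

```python
"""Host-side detection heuristics for the behaviour chain the article describes.
Added example, not Avast's or the article's code. Indicators taken from the
page: a BAT file driving all actions, GPG for encryption, Blat renamed to
spoolsv.btc for sending mail, the ransom note's UNIQUE.PRIVATE and KEY.PRIVATE
files, and the document types targeted. Event schema, the tool binary names
gpg.exe / blat.exe, BURST_THRESHOLD and all sample events are constructed."""
import ntpath
from collections import defaultdict

RANSOM_ARTIFACTS = {"unique.private", "key.private"}   # named on the page
RENAMED_MAILER = "spoolsv.btc"                         # Blat, renamed (page)
# spoolsv.exe is the genuine Windows print spooler; a .btc name is a lookalike.
TOOL_IMAGES = {"gpg.exe", "blat.exe", RENAMED_MAILER}  # assumed on-disk names
TARGET_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".xlsm", ".dwg", ".svg",
               ".mdb", ".pdf", ".zip", ".rar", ".jpg"}  # listed on the page
BURST_THRESHOLD = 5  # assumed: distinct target documents one process rewrites


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (rule, detail) findings for one host's ordered event stream.

    Process events carry pid, ppid, image, cmdline; file events carry pid,
    op ('write' or 'create') and path."""
    findings = []
    # Processes whose command line runs a .bat are the suspected driver script.
    batch_pids = {e["pid"] for e in events
                  if e["type"] == "process" and ".bat" in e.get("cmdline", "").lower()}
    docs_written = defaultdict(set)

    for e in events:
        if e["type"] == "process":
            name = _name(e["image"])
            if name == RENAMED_MAILER:
                findings.append(("R1", f"pid {e['pid']}: mailer running as {name}"))
            if name in TOOL_IMAGES and e["ppid"] in batch_pids:
                findings.append(("R3", f"batch pid {e['ppid']} launched {name}"))
        else:
            name = _name(e["path"])
            if name in RANSOM_ARTIFACTS:
                findings.append(("R2", f"pid {e['pid']} created {name}"))
            if e["op"] == "write" and ntpath.splitext(name)[1] in TARGET_EXTS:
                docs_written[e["pid"]].add(e["path"].lower())

    for pid, paths in sorted(docs_written.items()):
        if len(paths) >= BURST_THRESHOLD:
            findings.append(("R4", f"pid {pid} rewrote {len(paths)} target documents"))
    return findings


def rules_hit(events):
    """Sorted, de-duplicated rule ids; convenient for triage and tests."""
    return sorted({rule for rule, _ in analyze(events)})


# Constructed sample stream: a batch driver spawns gpg.exe, which rewrites six
# documents; the driver then drops the two ransom artifacts and runs the mailer.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 40,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\doc.bat"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\gpg.exe",
     "cmdline": "gpg.exe -e -r ATTACKER_KEY_PLACEHOLDER"},
] + [
    {"type": "file", "pid": 101, "op": "write",
     "path": rf"C:\Users\u\Documents\file{i}.docx"} for i in range(6)
] + [
    {"type": "file", "pid": 100, "op": "create", "path": r"C:\Users\u\UNIQUE.PRIVATE"},
    {"type": "file", "pid": 100, "op": "create", "path": r"C:\Users\u\KEY.PRIVATE"},
    {"type": "process", "pid": 102, "ppid": 100,
     "image": r"C:\Users\u\AppData\Local\Temp\spoolsv.btc",
     "cmdline": "spoolsv.btc -to CONTACT_PLACEHOLDER"},
]

# Constructed benign stream: Word saving one document, no batch parent.
BENIGN_EVENTS = [
    {"type": "process", "pid": 90, "ppid": 40,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "winword.exe"},
    {"type": "file", "pid": 90, "op": "write", "path": r"C:\Users\u\Documents\notes.docx"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(rule, detail)
    print("benign:", rules_hit(BENIGN_EVENTS))
```

R1 and R2 are exact-name matches and would be the first thing to add to an EDR watchlist; R3 and R4 are the generalisable part, catching a script-driven process chain and a burst of document rewrites regardless of which encryption or mail tool a later variant swaps in.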