March 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – New Linux coin miner kills competing malware to maximize profits
February 11, 2019Rewterz Threat Alert – Trickbot Banking Trojan hits North American Banks
February 12, 2019Rewterz Threat Alert – New Linux coin miner kills competing malware to maximize profits
February 11, 2019Rewterz Threat Alert – Trickbot Banking Trojan hits North American Banks
February 12, 2019
Severity
Medium
Category
Cyber Crime
Analysis Summary
Experts have discovered an apparently benign Mario graphic package that uses steganography to conceal the malicious code for GrandCrab ransomware. The campaign is being run in Italy at the moment but experts believe that it’s soon going to spread to other countries as well. Initially, targets receive an excel sheet via email that won’t open online and requires the user to enable edit and enable content. Once the content is enabled, its macros will be triggered that check if the computer is configured to use the Italy region. If not, it will exit the spreadsheet and nothing else happens. Otherwise, a Mario image is downloaded as shown below:
The image hides malicious code using steganography, in conjunction with heavily obfuscated Microsoft PowerShell commands that attackers have hidden within the color channels of blue and green pixels. This technique makes the threat hard to be detected by firewall and other defense systems. Experts were able to download the samples from the address in the de-obfuscated Powershell, including from an Italy-based VPN, and discovered several samples of the Gandcrab ransomware.
When the malware detonates, the usual macro-based launch of cmd.exe and PowerShell with obfuscated arguments is seen.
The decoded image looks like this:
Another large string (base64 encoded) is then observed which is sliced/diced into 40 parts. This can be reassembled:
As researchers further analyzed the codes, multiple layers of still more mildly obfuscated PowerShell were found.
On successful infection by the GrandCrab ransomware, files on the targeted machine are encrypted and the following ransom note is found on the device.
Impact
Ransomware infection
Files encryption
Indicators of Compromise
Filename
F.DOC.2019A259SPA.xls
cmd.exe
Malware Hash (MD5/SHA1/SH256)
3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7 2726cd6796774521d03a5f949e10707424800882955686c886d944d2b2a61e0 0c8c27f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362 ec2a7e8da04bc4e60652d6f7cc2d41ec68ff900d39fc244cc3b5a29c42acb7a4 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f
Remediation
Block the threat indicators at their respective controls.
Strictly avoid downloading and opening document files received via unexpected emails.