- Apr 24, 2016
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.
This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products.
According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement.
Instead, they are performing "smash-n-grab" attacks to his immediately hit with maximum force aiming for a quick payout.
The lure used by the operators of AstraLocker 2.0 is a Microsoft Word document that hides an OLE object with the ransomware payload. The embedded executable uses the filename “WordDocumentDOC.exe”.
To execute the payload, the user needs to click “Run” on the warning dialog that appears upon opening the document, further reducing the chances of success for the threat actors.
This bulk approach is in line with Astra’s overall “smash-n-grab” tactic, choosing OLE objects instead of VBA macros that are more common in malware distribution.
Another peculiar choice is the use of SafeEngine Shielder v220.127.116.11 to pack the executable, which is such an old and outdated packer that reverse engineering is almost impossible.
After an anti-analysis check to ensure that the ransomware isn’t running in a virtual machine and that no debuggers are loaded in other active processes, the malware prepares the system for encryption using the Curve25519 algorithm.
The preparation includes killing processes that could jeopardize the encryption, deleting volume shadow copies that could make restoration easier for the victim, and stopping a list of backup and AV services. The Recycle Bin is simply emptied instead of encrypting its contents.