GandCrab’s Rotten EGGs Hatch Ransomware in South Korea

silversurfer

Thread author
This could mark yet another reinvention for the VenusLocker group, which has mostly been focused on cryptomining this year.

The VenusLocker group appears to be back, hatching a fresh GandCrab ransomware campaign, so to speak, using the niche EGG archive file type. The emails carrying the EGG attachments are aimed specifically at South Korean users.

Trend Micro researchers, who first observed the offensive campaign in early August and posted about it today, noted that the attachments are being used to deliver the GandCrab v4.3 ransomware. The firm said the rash of emails uses “e-commerce violation” lures; for instance, a common subject line reads “[Fair Trade Commission] Notice of Investigation of Violation of E-Commerce Transaction” in English.

By way of background, EGG (.egg) is a compressed archive file format that would seem exotic in most places around the globe – but in South Korea it is the everyday archive format, much as ZIP files are in the U.S. It was developed by the South Korean company ESTsoft for its multi-format compression utility ALZip, which dates to 1999. Even now, EGG files can only be uncompressed using the ALZip tool.

“Many South Korean users might find it odd if an archived file was sent to them by a friend or colleague in an archive file format other than .EGG,” said independent security researcher Graham Cluley.

Trend Micro researcher Donald Castillo, in a post on Monday, cited further evidence that the operators behind the spam are specifically going after South Korean users: the use of Hangul, the Korean alphabet, in the spam mails’ subject, body and attachment filename.
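The two indicators the article calls out, an EGG archive attachment and Hangul in the subject or filename, are easy to turn into a mail-gateway triage check. The Python below is an added example, not code from Trend Micro or from the article; it identifies archives by their leading bytes rather than by extension (the "EGGA" header signature is taken from ESTsoft's published EGG format specification, the "PK\x03\x04" signature is the standard ZIP local-file header), looks for Hangul code points, and flags extension/content mismatches that a filename-only filter would miss. The message samples are constructed for the demo and are not artifacts from the campaign.

```python
import re
from dataclasses import dataclass, field

# Archive signatures: "EGGA" is the header signature of ESTsoft's EGG format
# (from the published spec); "PK\x03\x04" is a ZIP local-file header.
EGG_SIGNATURE = b"EGGA"
ZIP_SIGNATURE = b"PK\x03\x04"

# Hangul syllables, Hangul Jamo and Hangul compatibility Jamo.
HANGUL_RE = re.compile(r"[\uAC00-\uD7A3\u1100-\u11FF\u3130-\u318F]")


@dataclass
class Finding:
    suspicious: bool
    reasons: list = field(default_factory=list)


def sniff_archive(data: bytes) -> str:
    """Identify an archive by its leading bytes, ignoring the file extension."""
    if data.startswith(EGG_SIGNATURE):
        return "egg"
    if data.startswith(ZIP_SIGNATURE):
        return "zip"
    return "unknown"


def contains_hangul(text: str) -> bool:
    return HANGUL_RE.search(text) is not None


def triage_message(subject: str, attachments: list) -> Finding:
    """Flag the lure pattern from the article (Hangul subject/filename plus an
    EGG attachment) and any attachment whose extension disagrees with its
    actual content."""
    reasons = []
    for name, data in attachments:
        kind = sniff_archive(data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "egg":
            reasons.append(f"{name}: EGG archive by content")
            if contains_hangul(subject) or contains_hangul(name):
                reasons.append(f"{name}: Hangul lure with EGG attachment")
        if ext in ("egg", "zip") and kind != ext:
            reasons.append(f"{name}: extension .{ext} but content is {kind}")
        elif kind != "unknown" and ext not in ("egg", "zip"):
            reasons.append(f"{name}: {kind} archive hiding under .{ext}")
    return Finding(suspicious=bool(reasons), reasons=reasons)


# Constructed samples (not real campaign artifacts): a lure with a Hangul
# subject and an EGG attachment, a benign English message with a ZIP, and a
# ZIP renamed to .egg. The attachment bodies are just signature plus padding.
SAMPLE_LURE = ("[공정거래위원회] 조사 통보", [("통보서.egg", b"EGGA" + b"\x00" * 12)])
SAMPLE_BENIGN = ("Q3 report", [("report.zip", b"PK\x03\x04" + b"\x00" * 12)])
SAMPLE_MISMATCH = ("Invoice", [("invoice.egg", b"PK\x03\x04" + b"\x00" * 12)])


if __name__ == "__main__":
    for subject, attachments in (SAMPLE_LURE, SAMPLE_BENIGN, SAMPLE_MISMATCH):
        finding = triage_message(subject, attachments)
        print(subject, "->", "SUSPICIOUS" if finding.suspicious else "ok")
        for reason in finding.reasons:
            print("   ", reason)
```

Content sniffing matters here because a sender can rename an EGG archive to .zip (or anything else) and the lure still works once the recipient opens it with ALZip; the extension check alone would pass it through.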
 
