Malware News GandCrab Ransomware Returns with New Waves of Spam Campaigns

upnorth

Jul 27, 2015
You may be familiar with GandCrab ransomware that seems to widely spread via various spam campaigns or social engineering techniques to infect and harvest users’ most important data. This fast-growing malware has infected more than 50,000 victims and targets mostly the ones from Scandinavia and UK speaking countries, according to a report by CheckPoint.

Security researchers recently analyzed a new spam campaign in which malicious actors try to lure victims into clicking a malicious link that will open a binary file and infect users’ system with the GandCrab ransomware.

If a user clicks on the link received in the email, then he will be redirected to one of the following compromised web pages (sanitized for your online safety):

test.ritsdb [.] com
ubsms [.] com
test.technostark [.] com

Basically, the malware is spread via an executable binary file (resume.exe) which is returned after GandCrab is running on the local machine as a file called “bhxsew.exe”. During the process, the ransomware will try to collect and determine the external IP addresses of the victims via legitimate services such as:

http:// ipv4bot.whatismyipaddress [.] com
http:// bot.whatismyipaddress [.] com

The main component of GandCrab is “dropped” as a “bhxsew.exe” file in the <Windows appdata> directory. As part of the local data encryption, this malicious file is configured to communicate with the following domains:

zone alarm [.] bit
ransomware [.] bit

GandCrab ransomware is not spread only via spam emails but is also seen distributed via an exploit kit campaign called MagnitudeEK which abuses software vulnerabilities found in Windows, Adobe Flash Player, and Silverlight. As regards the MagnitudeEK spam campaign, security researchers have seen a flood of subdomains being used via this site:

lieslow [.] faith
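One defensive use of the indicators quoted in the post above is to check them against DNS query logs. The script below is an added example, not part of the original post or of any vendor's tooling: it refangs the sanitized " [.] " notation back into hostnames, matches exact hosts and subdomains (the post mentions a flood of subdomains under lieslow.faith), and keeps the external-IP lookup services in a separate weak category because they are legitimate sites that only become interesting when the same client also contacts a C2 domain. The log format and all log lines are constructed for this example; the assumption that the space in "zone alarm" is sanitization residue is marked in the code.

```python
"""Match DNS-query log lines against the GandCrab indicators quoted in the post.

Added example for illustration; the log format and the log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators exactly as the post sanitises them (" [.] " stands for ".").
C2_DOMAINS = ["zone alarm [.] bit", "ransomware [.] bit"]
EK_PARENT_DOMAINS = ["lieslow [.] faith"]          # subdomains were seen in bulk
IP_LOOKUP_HOSTS = [                                  # legitimate services: weak signal
    "ipv4bot.whatismyipaddress [.] com",
    "bot.whatismyipaddress [.] com",
]

# Constructed log lines: "<timestamp> <client-ip> <record-type> <queried-name>"
SAMPLE_DNS_LOG = """\
2018-03-02T09:14:07Z 10.0.0.21 A www.example.com
2018-03-02T09:14:09Z 10.0.0.21 A ipv4bot.whatismyipaddress.com
2018-03-02T09:14:12Z 10.0.0.21 A ransomware.bit
2018-03-02T09:15:30Z 10.0.0.34 A k3j9x.lieslow.faith
2018-03-02T09:15:31Z 10.0.0.34 A ZONEALARM.BIT.
2018-03-02T09:16:00Z 10.0.0.50 A notlieslow.faith
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def refang(indicator: str) -> str:
    """Turn a sanitised indicator into a plain lowercase hostname.

    Assumption (not stated in the post): whitespace inside an indicator such as
    "zone alarm" is residue of sanitising and is dropped.
    """
    host = re.sub(r"\s*\[\.\]\s*", ".", indicator)
    host = re.sub(r"\s+", "", host)
    return host.lower().strip(".")


def _matches(host: str, domain: str, allow_subdomains: bool) -> bool:
    if host == domain:
        return True
    # "notlieslow.faith" must not match "lieslow.faith": require a dot boundary.
    return allow_subdomains and host.endswith("." + domain)


def classify_host(host: str) -> Optional[Tuple[str, str]]:
    """Return (category, matched_indicator) or None for an unrelated host."""
    host = host.lower().rstrip(".")   # normalise case and a trailing root dot
    for ind in C2_DOMAINS:
        d = refang(ind)
        if _matches(host, d, allow_subdomains=True):
            return ("c2", d)
    for ind in EK_PARENT_DOMAINS:
        d = refang(ind)
        if _matches(host, d, allow_subdomains=True):
            return ("exploit-kit", d)
    for ind in IP_LOOKUP_HOSTS:
        d = refang(ind)
        if _matches(host, d, allow_subdomains=False):
            return ("ip-lookup-weak", d)
    return None


def scan_dns_log(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name matches an indicator."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                  # blank or malformed line: skip, never crash
        ts, client, rtype, qname = m.groups()
        found = classify_host(qname)
        if found:
            category, indicator = found
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "category": category, "indicator": indicator})
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group categories per client so weak signals can be read in context."""
    summary: Dict[str, Set[str]] = {}
    for h in hits:
        summary.setdefault(h["client"], set()).add(h["category"])
    return summary


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
    for client, cats in summarize_by_client(scan_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, sorted(cats))
```

On the constructed log the scan flags four of the six lines and the summary shows that client 10.0.0.21 combined an external-IP lookup with a query for ransomware.bit, which is the pattern the post describes; the lookup alone would not be worth an alert. Note also that .bit is a Namecoin name rather than a normal DNS TLD, so a query for it reaching an ordinary resolver is itself unusual.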