Matrix Ransomware Spreads to Other PCs Using Malicious Shortcuts

Solarquest

Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, has recently started seeing the EITest campaign use the RIG exploit kit to distribute the Matrix ransomware. While Matrix has been out for quite some time, it was never a major player in terms of widespread distribution.
Now that it is being distributed via a large campaign and an exploit kit, it was time to take a deeper dive into this ransomware to see what features it has. What was found is interesting, as Matrix Ransomware has worm-like features that allow it to spread outside of the originally infected machine via Windows shortcuts, and it uploads stats about the types of files that are encrypted.

Matrix Distributed using Exploit Kits
When the Matrix Ransomware was first spotted around December 2016, it did not have a wide distribution compared to ransomware infections like Cerber or Spora Ransomware. Now that Matrix is being distributed using the RIG exploit via the EITest campaign, it can become a real game changer.

According to Brad Duncan, Matrix is distributed via hacked sites that have the EITest scripts injected into them. When a visitor goes to one of these hacked sites, depending on various criteria, Brad has seen EITest injecting either the 'The "HoeflerText" font wasn't found' attack, which is distributing the Spora Ransomware, or the RIG exploit kit, which is now distributing Matrix.

You can see the source code of a hacked site with the injected RIG iframe below.
....