New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway

LASER_oneXM

#1
A new malspam campaign is underway that is distributing a GlobeImposter variant that appends the ..doc extension to encrypted files. This malspam is pretending to be photos being sent to the recipient and will have a subject line that starts in a similar way to "Emailing: IMG_20171221_".


GlobeImposter MalSpam
These malspam emails contain 7zip (.7z) archive attachments that are named after a camera photo's filename such as IMG_[date]_[number]. These 7z files contain an obfuscated .js file that when double-clicked on will cause the GlobeImposter ransomware to be downloaded from a remote site and executed.
Unfortunately, at this time there is no way to decrypt GlobeImposter files for free. For support or help with this ransomware infection, you can ask in our dedicated GlobeImposter Ransomware Support topic.
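A mail-gateway check for the traits described above (subject prefix, photo-style .7z attachment name), added here as an example and not part of the original post or the quoted article. The exact digit counts in the patterns and the quarantine rule are assumptions; the check does not unpack the archive to look for the .js file.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: the page gives only the prefix "Emailing: IMG_20171221_";
# an 8-digit date after IMG_ is inferred from that one sample.
SUBJECT_RE = re.compile(r"^\s*Emailing:\s*IMG_\d{8}_", re.I)
# Assumption: IMG_[date]_[number].7z with an 8-digit date and any-length number.
ATTACH_RE = re.compile(r"^IMG_\d{8}_\d+\.7z$", re.I)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z archive file signature

def score_message(raw: bytes) -> dict:
    """Report which campaign traits a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw)
    hits = {"subject": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
            "attachment_name": False, "sevenzip_magic": False}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment (or a multipart container)
        if ATTACH_RE.match(name.strip()):
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        # Inspect content, not just the extension, so a renamed archive still counts.
        if payload.startswith(SEVENZ_MAGIC):
            hits["sevenzip_magic"] = True
    # Hypothetical policy: a real 7z archive plus either naming trait.
    hits["quarantine"] = hits["sevenzip_magic"] and (
        hits["subject"] or hits["attachment_name"])
    return hits

def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message; no real campaign data is used."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Constructed sample body.\n")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed inputs: a 7z header stub and a JPEG header stub, both zero-padded.
SUSPECT = build_sample("Emailing: IMG_20171221_123456",
                       "IMG_20171221_123456.7z", SEVENZ_MAGIC + b"\x00" * 26)
BENIGN = build_sample("Holiday photos", "IMG_20171221_123456.jpg",
                      b"\xff\xd8\xff\xe0" + b"\x00" * 26)

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_message(raw))
```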
 
#2
This is an ancient story (from April-July 2017): GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html ) - Ransomware Help & Tech Support
This ancient (so not new) story in the Bleepingcomputer.com article has a recent date... so a "News articleware imposter" - by omission?.. on Bleepingcomputer.com...

For decryption, look at e.g. the Malwarebytes blog: Ransom.GlobeImposter - Malwarebytes Labs
"GlobeImposter, also known as Fake Globe, mimics the Globe ransomware variant. It is distributed through a malicious spam campaign, recognizable only with their lack of message content and an attached ZIP file. This type of spam is called a “blank slate.” GlobeImposter is also distributed via exploits and malicious advertising, fake updates, and repacked infected installers."

"Remediation

Malwarebytes users are already protected against the GlobeImposter ransomware."

EDIT:
On MT we have some ancient topics about this GlobeImposter ransomware.
- or maybe there exist a few diverse distributions of GlobeImposter ransomware?
 