LASER_oneXM

Level 33
Verified
A malspam campaign targeting potential German victims is actively distributing Sodinokibi ransomware via spam emails disguised as foreclosure notifications with malicious attachments which pose as foreclosure notifications.

By using "Ankündigung der Zwangsvollstreckung" as the subject line — which translates to "Announcement of foreclosure" — the attackers are trying to trick their targets into reacting to the bait without thinking and to open the infected attachments.

After asking the victim to enable macros to get access to the document's content, the malicious attachment named Mahnbescheid - Antwortbogen - Aktenzeichen 4650969334.doc will download the Sodinokibi Ransomware to %Temp%\Microsoft-Word.exe using an obfuscated VBA-based macro.