Researchers spotted the ransomware GandCrab embedded into a downloadable Mario image from Super Mario Bros.
Matthew Rowan, a researcher at Bromium discovered the malware and identified the trends and patterns to be of an older method, steganography. This form of malware tends to use obfuscated Microsoft PowerShell commands. Similarly, the hacker uses a PowerShell command in this campaign. The targeted emails are sent to individuals in Italy, with an excel document attached. Labelled, “F.DOC.2019 A 259 SPA.xls” it also contains a Macro. The document prompts users to click ‘enable content,’ effectively deploying the malware. The malware firstly checks the region, usually, relying on the administrative language of the operating system. Here the coding used to determine this consisted of using IF statement with country 39, which was Italy. If the device is not based in Italy, then it will not deploy.
If the user is based in Italy, the malware deploys behind an image of Mario by extracting various pixels, eventually executing the PowerShell command. A GandCrab ransom note then warns of corruption to files if not adhered to. It requires users to download and access the hacker via the dark web, gandcrabmfe6mnef, to retrieve their files, databases and photos.
The Ransomware’s pattern
Steganographic attacks are slowly coming back in trend as a tactic to avoid detection by security programmes. This is as its harder for firewalls, for example, to pick up the threat, allowing it to continue deploying undetected. GandCrab malware, on the other hand, rose rapidly in use last year, especially within the banking field. In the same week, the deployment of two different forms of GandCrab took place. The second instance used a .js file inside a zip, password protected as the initial vector. Users were required to enter the password, “invoice123.” To read more on recent attacks of this sort, check out, “Malware Distribution sites taken down across the world.”
The researchers were unable to identify where the malware originated from.