Rewterz Threat Alert – GandCrab Malware Delivered via Malspam Campaign

Severity

High

Analysis summary

An email campaign that was identified distributing the GandCrab ransomware worldwide. The email attempts deceive a potential victim into believing that it is a legitimate message from the Center for Disease Control, stating that there is a flu outbreak. The subject line for the emails was: “Flu pandemic warning.” The infection process begins once a victim opens the attachment. It is a Microsoft Word document titled “Flu pandemic warning.doc”. It is important to note that the malware, in order to be successfully installed, requires the victim to enable macros. As is customary with other ransomware, it aims to lock a victim’s files, and demand that a ransom be paid. At this time, there is not a decryption tool available to unlock a victim’s files.

Impact

File encryption

Indicators of Compromise

Email Subject

Flu pandemic warning[.]doc

From Email

• viktoria@akk-actg[.]com
• florian@jesseandjoannabelizewedding[.]com
• niko@sf-dns[.]net
• peter@eatpraynope[.]com

MD5

• fae8e6b098eb9ecce2611f1dffc8f7b9
• 27fa5f1ef590ee5e503c3d15f210dab7

SHA-256

• a1ca75dfdcc8038650c27cbd4f7b3edc2cf5915cd75567c9bd2407ea0d099eba
• 73a994e9fa2804afceaf1286e4aba8522eb3c555b85766b03f03106118165736

SHA1

• 7971cd39eee59bf64cc2dfd7610d6f529eafd9df
• 6069666610d09085dc7926cde3d242427e67b167

URL

• https[:]//www[.]kakaocorp[.]link/static/tmp/eshe[.]png
• http[:]//www[.]kakaocorp[.]link/
• http[:]//205[.]185[.]125[.]109/samanta[.]exe

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.