The ASEC analysis team has confirmed that malware disguised as a resume is still being distributed. This time, it is disguised as resume and copyright-related files. The recently distributed files also take the form of NSIS (Nullsoft Scriptable Install System) and are being distributed under various filenames, translated below.
- Outline on the original image (the image I created) and the image you are currently using.exe
- You have violated copyright laws and here is the summary of violations.exe
- Contains my work experience, I am looking forward to working with you).exe
- Resume (Also contains my work experience, I am looking forward to working with you).exe
- Portfolio_210222 (Please check my work experience as well thank you).exe
- Resume_210222 (Please check my work experience as well thank you).exe
One of the disguised emails regarding copyright violation had a compressed attachment. Inside it is another compressed file named ‘Copyright violation.alz,’ which contains two executable files with the same hash.
These files are a variant of the previously distributed Makop ransomware. When executed, files are encrypted and the extension [Serial Number].[email@example.com].vassago is added. The ransomware uses the following commands to delete shadow copies and then proceeds with encryption.
- vssadmin delete shadows /all /quiet
- wbadmin delete catalog -quiet
- wmic shadowcopy delete
Files and folders that are excluded from infection are as follows:
|windows, winnt, \system32, Users\Public, RECYCLER;$RECYCLE.BIN, etc.|
|boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini|
|Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc;KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, exe, dll|
After file encryption, the following extension and ransom notes are added:
The malware disguised as resume, recently being distributed, has three files attached to the mail as below.
The second file has a jpg extension, but it is actually an exe file: the uninstall file of a normal program.
The executable files disguised with PDF and Word file icons are malware of different types. The first file is the same ransomware as the one attached to the copyright violation email mentioned above.
The third exe file, however, is an info-leaking malware, which is a different type of malware. Such emails are still being distributed, and this case shows that the attacker is attempting various attacks by attaching malware of different types to a single email.
When the file is executed, it copies itself into the %AppData%\Roaming\EdgeCP folder with the filename MicrosoftEdgeCPS.exe, and creates a MicrosoftEdgeCPS.lnk file in the %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder so that the malware can run continuously.
Afterward, it runs the WMI queries below and sends a screen capture, user PC info, network info, and browser info to the C2 (hxxp://eastwest7070.at/ps/gate.php).
- wmic /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
- wmic os get caption /FORMAT:List
- wmic path win32_VideoController get caption /FORMAT:List
- wmic path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
- wmic LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
- wmic path win32_PingStatus where address='eastwest7070.at' get StatusCode /FORMAT:List
- wmic path win32_PingStatus where address='eastwest7070.at' get ResponseTime /FORMAT:List
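Both command sets above (the backup and shadow copy deletion before encryption, and the WMIC query sequence of the info-leaking malware) can be matched against process-creation logs. The sketch below is an added example, not code from ASEC or AhnLab; the (host, parent, command line) event layout, the host names, the parent name sample.exe, the address c2.example and the threshold of three query types are assumptions.

```python
import re

# Patterns built from the commands listed in this article.
RECOVERY_TAMPERING = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]
WMIC = re.compile(r"\bwmic(\.exe)?\b", re.I)
WMIC_RECON = {
    "antivirus": re.compile(r"securitycenter2.*antivirusproduct", re.I),
    "os": re.compile(r"\bos\s+get\s+caption\b", re.I),
    "gpu": re.compile(r"win32_videocontroller", re.I),
    "network": re.compile(r"win32_networkadapterconfiguration", re.I),
    "net_drives": re.compile(r"logicaldisk.*drivetype\s*=\s*4", re.I),
    "ping": re.compile(r"win32_pingstatus", re.I),
}

def analyze(events, recon_threshold=3):
    """Return (tampering_hits, recon_alerts) for (host, parent, cmd) events."""
    # One WMIC query is routine admin work, so recon is reported only when a
    # single parent process on one host issues several distinct query types.
    tampering, seen = [], {}
    for host, parent, cmd in events:
        if any(p.search(cmd) for p in RECOVERY_TAMPERING):
            tampering.append((host, parent, cmd))
        if WMIC.search(cmd):
            for kind, pat in WMIC_RECON.items():
                if pat.search(cmd):
                    seen.setdefault((host, parent), set()).add(kind)
    recon = {k: sorted(v) for k, v in seen.items() if len(v) >= recon_threshold}
    return tampering, recon

# Constructed sample events; hosts, "sample.exe" and "c2.example" are made up.
SAMPLE_EVENTS = [
    ("PC-01", "sample.exe", "vssadmin delete shadows /all /quiet"),
    ("PC-01", "sample.exe", "wbadmin delete catalog -quiet"),
    ("PC-01", "sample.exe", "wmic shadowcopy delete"),
    ("PC-01", "MicrosoftEdgeCPS.exe", r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List"),
    ("PC-01", "MicrosoftEdgeCPS.exe", "wmic os get caption /FORMAT:List"),
    ("PC-01", "MicrosoftEdgeCPS.exe", "wmic path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List"),
    ("PC-01", "MicrosoftEdgeCPS.exe", "wmic path win32_PingStatus where address='c2.example' get StatusCode /FORMAT:List"),
    ("PC-02", "cmd.exe", "wmic os get caption /FORMAT:List"),  # benign single query
    ("PC-02", "cmd.exe", "vssadmin list shadows"),             # benign listing
]

if __name__ == "__main__":
    hits, recon = analyze(SAMPLE_EVENTS)
    print(hits, recon, sep="\n")
```

The two PC-02 events show why the recon rule counts distinct query types per parent process: a lone `wmic os get caption` or a `vssadmin list shadows` is ordinary administration and is not reported.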
Since malware disguised as resumes and portfolios has been and is still being actively distributed, users must refrain from opening emails from unknown sources and running attached files. Because malicious executable files are disguised with ordinary file icons (PDF, Word, etc.), users must also be mindful of filename extensions.
AhnLab’s anti-malware software V3 detects and blocks the malware using the aliases below.