Distribution of Malware via Resume/Copyright-Related Emails (Ransomware, Infostealer)

ASEC analysis team has confirmed the malware under the disguise of a resume is still being distributed. This time, it disguised as resume and copyright-related files. The file that is being recently distributed also takes the form of NSIS (Nullsoft Scriptable Install System) and is being distributed under various filenames as translated below.

  • Outline on the original image (the image I created) and the image you are currently using.exe
  • You have violated copyright laws and here is the summary of violations.exe
  • Contains my work experience, I am looking forward to working with you).exe
  • Resume (Also contains my work experience, I am looking forward to working with you).exe
  • Portfolio_210222 (Please check my work experience as well thank you).exe
  • Resume_210222 (Please check my work experience as well thank you).exe

One of the disguised emails regarding copyright violation had a compressed attachment files within which there exists a compressed file named ‘Copyright violation.alz,’ and it contains two executable files with the same hash.

Files in compressed file

These files are the variant of previously distributed Makop ransomware. When executed, files get encrypted with extension [Serial Number].[vassago0213@airmail.cc].vassago added. The ransomware uses the following commands to delete shadow copy and proceeds with encryption.

vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
wmic shadowcopy delete
Execution Command

Files and folders that are excluded from infection are as follows:

windows, winnt, \system32, Users\Public, RECYCLER;$RECYCLE.BIN, etc.
Infection Exception Folder
boot.ini, bootfont.bin, ntldr, ntdetect.com, io.sys, readme-warning.txt, desktop.ini
Infection Exception File
Makop, CARLOS, shootlock, shootlock2, 1recoesufV8Sv6g, 1recocr8M4YJskJ7, btc;KJHslgjkjdfg, origami, tomas, RAGA, zbw, fireee, XXX, element, HELP, zes, lockbit, captcha, gunga, fair, SOS, Boss, moloch, vassago, exe, dll
Infection exception extensions

After file encryption, the following extension and ransom notes are added:

Encrypted files
Ransom note

The malware disguised as resume, recently being distributed, has three files attached to the mail as below.

Files inside the compressed file

The second file is in jpg extension, but this file is actually an exe file, Uninstall file of a normal program.

These executable files disguised as PDF file and WORD file icons are malware of different types and the first file is the same ransomware as malware related to copyright violation mail mentioned above.

However, the third exe file is an info-leaking malware which is a different type of malware. This means that such an email is still being distributed, but this case shows that the attacker is attempting various attacks by attaching malware of different types to a single email.

When the file is executed, it self-copies into %AppData%\Roaming\EdgeCP folder with filename MicrosoftEdgeCPS.exe, and creates MicrosoftEdgeCPS.lnk file into %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder so that the malware can run continuously.

Afterward, it performs the WMI query below and sends screen capture, user PC info, network info, and browser info to C2 (hxxp://eastwest7070.at/ps/gate.php).

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
wmic os get caption /FORMAT:List
wmic path win32_VideoController get caption /FORMAT:List
wmic path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
wmic LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
wmic path win32_PingStatus where address=’eastwest7070.at’ get StatusCode /FORMAT:List
wmic path win32_PingStatus where address=’eastwest7070.at’ get ResponseTime /FORMAT:List
WMI Query

Since malware disguised as resume and portfolio has been and is being actively distributed, users must refrain from opening emails from unknown sources and running attachment files. And as malicious executable files are disguised as ordinary file icons (PDF, Word, etc.), users must be mindful of filename extensions.

AhnLab’s anti-malware software V3 detects and blocks the malware using the aliases below.

[File Detection]
Malware/Win32.Generic.C4339696
Trojan/Win32.MakopRasom.R365756
Trojan/Win32.Agent.C4327635

[Behavior Detection]
Malware/MDP.SystemManipulation.M2255

[IOC Info]
a44dd48695af7a64607ff464a194642f
5c02cb26de796b4eb98d860530e9b7b5
69284ff2194fb4d10ff791a87d25e84d
hxxp://eastwest7070.at/ps/gate.php

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments