[Caution] Makop Ransomware Disguised as Job Application E-mail Being Distributed!

ASEC analysis team has recently discovered ransomware disguised as a job application being distributed via e-mail. The attacker appears to be targeting recruitment managers at various companies during the first-half-of-the-year recruitment season, so recruiters should pay particular attention when handling incoming e-mail.

The distributed e-mails had subject lines containing what looks like an applicant's name, and carried compressed attachments. The names of the distributed files are as follows:

● ResumeandPortfolio_210412 (If you hire me I will give my best).exe 
● JobApplication_210412 (If you hire me I will give my best).exe
 

The attacker set a decompression password so that the e-mail security system cannot inspect the contents of the archive, and included that password in the attachment's file name. Once decompressed, the following two files appear.

Figure 1. After decompressing the file

The files above are executable files (EXE) disguised as Excel files by their icon, and they are identical files with different names. When either file is run, file encryption begins without any notification message, and the file name and extension change as shown below.

[Change of Filename and Extension]
● Before Change: A.pdf
● After Change: A.pdf.[8 random characters].[pecunia0318@airmail.cc].pecunia

Figure 2. Before & After of File Encryption

In each folder that contains encrypted files, a ransom note named readme-warning.txt is created. The ransom note reads as follows:

Figure 3. Ransom note
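The rename pattern and ransom-note placement described above are the quickest way to triage a share after an incident. The following is an added example, not code from the ASEC report: it parses file names in the A.pdf.[8 random characters].[e-mail].pecunia form, also accepting the original .makop extension, and tallies contact addresses, victim IDs and the folders where readme-warning.txt was dropped. The 8-character ID being alphanumeric and the sample paths are constructed assumptions for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Assumed shape: <original name>.<8 alphanumeric chars>.[<contact e-mail>].<ext>
# The report only says "8 random characters"; alphanumeric is an assumption here.
MAKOP_RENAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[0-9A-Za-z]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# 'pecunia' from this campaign, 'makop' from the original Makop family.
KNOWN_EXTENSIONS = {"pecunia", "makop"}
RANSOM_NOTE = "readme-warning.txt"


def parse_encrypted_name(name):
    """Return the rename components if the file name matches the Makop pattern, else None."""
    m = MAKOP_RENAME.match(name)
    if not m or m.group("ext").lower() not in KNOWN_EXTENSIONS:
        return None
    return m.groupdict()


def scan_paths(paths):
    """Triage a list of file paths: encrypted files, note locations, e-mails, IDs, extensions."""
    result = {
        "encrypted": [],
        "notes": [],
        "emails": Counter(),
        "extensions": Counter(),
        "ids": set(),
    }
    for p in paths:
        pp = PurePosixPath(p)
        if pp.name.lower() == RANSOM_NOTE:
            # Makop drops one note per folder containing encrypted files.
            result["notes"].append(str(pp.parent))
            continue
        info = parse_encrypted_name(pp.name)
        if info:
            result["encrypted"].append(p)
            result["emails"][info["email"]] += 1
            result["extensions"][info["ext"].lower()] += 1
            result["ids"].add(info["victim_id"])
    return result


# Constructed sample listing (not real data): two affected folders, one untouched file,
# one look-alike name that must not match, and one file with the older 'makop' extension.
SAMPLE_PATHS = [
    "/srv/share/docs/A.pdf.AB12CD34.[pecunia0318@airmail.cc].pecunia",
    "/srv/share/docs/budget.xlsx.AB12CD34.[pecunia0318@airmail.cc].pecunia",
    "/srv/share/docs/readme-warning.txt",
    "/srv/share/hr/resume.docx.AB12CD34.[pecunia0318@airmail.cc].pecunia",
    "/srv/share/hr/readme-warning.txt",
    "/srv/share/hr/notes.txt",
    "/srv/share/hr/archive.[old].pecunia",
    "/srv/share/it/report.pdf.9F8E7D6C.[someone@example.com].makop",
]

if __name__ == "__main__":
    summary = scan_paths(SAMPLE_PATHS)
    print(f"encrypted files : {len(summary['encrypted'])}")
    print(f"note folders    : {sorted(summary['notes'])}")
    print(f"contact e-mails : {dict(summary['emails'])}")
    print(f"extensions      : {dict(summary['extensions'])}")
    print(f"victim IDs      : {sorted(summary['ids'])}")
```

Feeding the output of a recursive directory listing into scan_paths gives the blast radius (which folders were reached) and confirms, from the contact address and ID, that every affected host belongs to the same campaign.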

The extension appended after encryption is 'pecunia', but the distribution method, the content of the ransom note, and the way file names are rewritten after encryption all match Makop ransomware. The team therefore assesses this malware to be of the same type as Makop (Makop ransomware appends the 'makop' string as its post-encryption extension). Users must remain vigilant to avoid infection, as the Makop operator has been using this distribution method regularly for about a year.


E-mails from unknown senders and their attachments must be opened with caution. Even if an attachment's icon is that of a document file, users should check the actual file extension before opening it; if the extension is .exe, the file must not be opened or run.
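An icon can be set by the attacker, and Windows may hide a known extension, so a check that looks at the file contents is more reliable than the displayed name. The following is an added example, not part of the ASEC report: it classifies an attachment by its extension and by its first bytes (the MZ/PE header of a Windows executable versus the signatures of common document formats) and blocks anything that is executable by either measure. The attachment bytes are constructed stubs, and the extension and magic-byte lists are illustrative assumptions rather than a complete catalogue.

```python
import struct

# Magic bytes of document formats a recruiter would expect to receive (illustrative subset).
DOCUMENT_MAGIC = {
    b"PK\x03\x04": "office_open_xml_or_zip",   # .docx/.xlsx/.pptx are ZIP containers
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2_legacy_office",  # .doc/.xls
}
# Extensions Windows will execute directly (illustrative subset).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}


def looks_like_pe(data):
    """True if data starts with an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def content_type(data):
    if looks_like_pe(data):
        return "pe_executable"
    for magic, label in DOCUMENT_MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def inspect_attachment(filename, data):
    """Decide whether an attachment may be opened, based on both its name and its content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ctype = content_type(data)
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension .{ext} is executable")
    if ctype == "pe_executable":
        reasons.append("content is a Windows PE executable")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable content hidden behind a non-executable extension")
    return {
        "file": filename,
        "extension": ext,
        "content": ctype,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def fake_pe():
    """Constructed minimal MZ/PE stub (not a real binary): 0x40-byte DOS header, e_lfanew = 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample attachments: the campaign's .exe name, two genuine documents,
# and an executable renamed to pass as a spreadsheet.
SAMPLE_ATTACHMENTS = {
    "JobApplication_210412 (If you hire me I will give my best).exe": fake_pe(),
    "Resume.xlsx": b"PK\x03\x04" + b"\x00" * 60,
    "Portfolio.pdf": b"%PDF-1.7\n" + b"%\xe2\xe3\xcf\xd3\n",
    "Resume_final.xlsx": fake_pe(),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        r = inspect_attachment(name, blob)
        print(f"{r['verdict']:5}  {name}  ({r['content']})  {'; '.join(r['reasons'])}")
```

The disguised-spreadsheet case is the one the extension check alone misses: the name says .xlsx, but the bytes say PE, and the verdict is still block.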

V3 detects and blocks the malware using the aliases below:

[File Detection]
Trojan/Win.Ransomlock.C4413210

[Behavior Detection]
Malware/MDP.Behavior.M3635
Malware/MDP.SystemManipulation.M2255
Malware/MDP.Ransom.M1214

[IOC Info]
MD5: 9d7fc15c4593c51d3ce0d97f425602c6
