A new ransomware strain called Spider is targeting victims located in the Balkans in what is called a “mid-scale” campaign.
The Spider ransomware is unique in that attackers are given a 96-hour deadline to pay. Attackers also attempt to calm victims, assuring them the ransom payment and file recovery process will be “really easy.” Attackers go one step further and provide a link to a video tutorial on how the Spider ransomware payment and file recovery process works.
The campaign was first spotted on Dec. 10 by Netskope Threat Research labs who shared its finding in a blog post Tuesday.
Victims are targeted with malicious Office documents sent as attachments as part of an email phishing campaign with the subject line reading “Debt Collection”, according to Google Translate of the Bosnian-language phrase”Potrazivanje dugovanja”.
“These attachments are auto-synced to the enterprise cloud storage and collaborations apps. Netskope Threat Protection detects the decoy document as ‘VB:Trojan.VBA.Agent.QP’ and the downloaded payload as ‘Trojan.GenericKD.12668779’ and ‘Trojan.GenericKD.6290916,'” wrote Netskope researchers.
The malicious Office documents are written in the Bosnian language and contain obfuscated code, according to researchers. If the malicious code is executed a Windows PowerShell launches with instructions to download a malicious Base64 encoded payload hosted on YourJavaScript.com, a free hosting site.
“After downloading the payloads, the PowerShell script decodes the Base64 string and performs XOR operation with the key ‘AlberTI’ to decode the final payloads, which is later saved into executable (.exe) files,” researchers wrote. “The decoded payloads named ‘dec.exe’ and ‘enc.exe’ compiled in .NET are copied to the ‘%APPDATA% /Spider’ directory.”
According to Netskope binary “enc.exe” is the ransomware encryptor and “dec.exe” is the decryptor. The encryptor (enc.exe) encrypts the user’s files using AES encryption and adds the “.spider” extension to encrypted files.
Once files are encrypted the ransomware note is displayed warning that the victim only has 96 hours to pay the ransom in bitcoin to obtain a key to unencrypt a files. “You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted… do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC,” according to the note.
Attackers also walk victims through the payment process, from how to use the Tor Browser and how to obtain a bitcoin for payment. If victims are still confused, the ransomware provides a link to video hosted on a video sharing service that offers a tutorial.
“The video provides instructions to decrypt victims files. We suspect that the video was most likely uploaded by the threat actor group of Spider,” researchers wrote.
Netscope’s Amit Malik, author of the post, said to avoid Spider, or other ransomware attacks, users should disable macros by default and not execute unsigned macros from untrusted sources. “We continue to see an increase of decoy Office documents as an attack vector in spreading ransomware like GlobeImposter tied to several active and ongoing campaigns,” he said.