GandCrab Ransomware Discovered To Be Embedded in Super Mario Image


Researchers spotted the ransomware GandCrab embedded into a downloadable Mario image from Super Mario Bros.

Matthew Rowan, a researcher at Bromium, discovered the malware and identified its trends and patterns as belonging to an older method: steganography. Malware of this kind tends to use obfuscated Microsoft PowerShell commands, and the attacker uses a PowerShell command in this campaign as well. The targeted emails are sent to individuals in Italy with an Excel document attached. Labelled “F.DOC.2019 A 259 SPA.xls”, it also contains a macro. The document prompts users to click ‘Enable Content’, which deploys the malware. The malware first checks the region, usually relying on the administrative language of the operating system; the code that determines this uses an IF statement that tests for country code 39, which is Italy. If the device is not based in Italy, the malware does not deploy.

If the user is based in Italy, the malware deploys from behind an image of Mario by extracting various pixels and eventually executing the PowerShell command. A GandCrab ransom note then warns that files will be corrupted if its demands are not met. It requires users to download and contact the attacker via the dark web, at gandcrabmfe6mnef, to retrieve their files, databases and photos.
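As an added, illustrative check (not code from the article or from Bromium): because the hidden command lives in the image's pixel low-order bits, an analyst can test a suspicious image by decoding those bits and looking for runs of printable text. The pixel data, the one-bit-per-channel layout and the hidden sample string below are all constructed assumptions; a real sample may use a different layout.

```python
import random
import string

PRINTABLE = frozenset(string.printable.encode())  # 100 of 256 byte values

def lsb_stream(pixels):
    """Collect the LSB of every channel value (R, G, B in order) and pack them MSB-first into bytes."""
    bits = [value & 1 for pixel in pixels for value in pixel]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def max_printable_ratio(data, window=64, step=32):
    """Slide a window over the decoded bytes and return the highest fraction that is printable ASCII.
    Noise-like LSBs score about 0.39; an embedded script or command scores near 1.0."""
    if len(data) < window:
        return 0.0
    best = 0.0
    for start in range(0, len(data) - window + 1, step):
        chunk = data[start:start + window]
        best = max(best, sum(b in PRINTABLE for b in chunk) / window)
    return best

def lsb_carries_text(pixels, threshold=0.9):
    """Flag an image when some window of its LSB plane decodes to mostly printable text."""
    return max_printable_ratio(lsb_stream(pixels)) >= threshold

# --- constructed fixtures (seeded so the result is repeatable; not real malware data) ---
def noise_image(seed=7, n_pixels=1200):
    rng = random.Random(seed)
    return [tuple(rng.randrange(256) for _ in range(3)) for _ in range(n_pixels)]

def fixture_with_hidden_text(text, seed=7):
    """Copy the noise image and force the first channel LSBs to the text's bits (test data only)."""
    bits = [(byte >> shift) & 1 for byte in text.encode() for shift in range(7, -1, -1)]
    flat = [value for pixel in noise_image(seed) for value in pixel]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

HIDDEN = "CONSTRUCTED SAMPLE: stand-in for a script hidden in pixel low bits. " * 2

if __name__ == "__main__":
    print("clean image flagged:", lsb_carries_text(noise_image()))
    print("stego image flagged:", lsb_carries_text(fixture_with_hidden_text(HIDDEN)))
```

The 0.39 baseline holds for photographic noise, not for flat-colour artwork such as a game sprite, so calibrate the threshold against known-clean copies of the same image type before relying on it.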

The Ransomware’s pattern

Steganographic attacks are slowly coming back into fashion as a tactic for avoiding detection by security programmes, because it is harder for a firewall, for example, to pick up the threat, allowing it to continue deploying undetected. GandCrab, on the other hand, rose rapidly in use last year, especially within the banking field. In the same week, two different GandCrab campaigns were deployed. The second instance used a .js file inside a password-protected zip as the initial vector; users were required to enter the password “invoice123.” To read more on recent attacks of this sort, see “Malware Distribution sites taken down across the world.”

The researchers were unable to identify where the malware originated from.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]