Researchers have reverse-engineered AstraLocker 2.0 ransomware targeting users via phishing campaigns. The attackers spread the ransomware via maliciously crafted Microsoft Word documents. Once again, users must remember to avoid interacting with unsolicited emails or messages from unknown sources, especially if they include attachments.
About AstraLocker 2.0 Ransomware
In a recent report from ReversingLabs, researchers have shared a detailed analysis of the AstraLocker 2.0 ransomware. The researchers reverse-engineered the malware under distribution in the wild via phishing campaigns.
Specifically, the AstraLocker 2.0 is potent ransomware seemingly inspired by the leaked Babuk ransomware source code. The researchers established the link considering the shared code and campaign markers. Whereas they could also find a Monero wallet address used for a ransom payment linked to the Chaos ransomware.
Yet, it exhibits some unique features that hint at its “smash-and-grab” attack nature. First, the attackers don’t waste time in gaining persistence on the target device. Instead, the ransomware starts its activity right after opening the malicious attachment. Then, the attackers embedded the ransomware payload in an OLE object within the Word document. It contrasts with the usual practice of exploiting VBA macro and looks weird since this process requires user interaction which may decrease the chances of a potential infection.
But the attackers might have gained the confidence to use this obvious attack strategy due to the anti-evasion tactics. For example, the malware demonstrates the use of SafeEngine Shielden v18.104.22.168 protector for obfuscation, an outdated and difficult to reverse engineer packer. Likewise, the packer applies VM and analysis environment detection before executing the payload and hides its threads from debuggers.
After a successful device infection, AstraLocker 2.0 ransomware puts up the ransom note, which resembles Babuk’s one. It only has subtle differences, like changed Monero and Bitcoin wallet addresses and lack of contact emails for the victims.
Yet, the latter can also be detrimental for the attackers themselves since the victims would have no way to contact and get the decryptor. Ultimately, these failed decryption events would ruin the ransomware campaigns.