Pishing campaigns distribute dangerous ransomware

Commonly known ransomware viruses are widely distributed through spam emails

Pishing campaigns distribute dangerous ransomwareCrooks drop spam emails which include malicious files that, once opened, launch the damaging content straight into the machine.

According to IT researchers, various widely known ransomware-type viruses are being spread through a malspam campaign. Such cyber threats are Hermes 2.1, GandCrab4.3, and AZORult Trojan. These ransomware viruses launched very widely in the past and have affected numerous users by encrypting valuable documents on the infected computer and in some cases even stealing personal information.

In February this year, Hermes 2.1. virus was spread through a South Korean web page that got infected by the ransomware. Furthermore, the Gandcrab v4.3 virus targets South Korean people as the phishing messages that are sent by cybercriminals to their victims are written in the Korean language. Sadly, crooks now also are attacking English-speaking computer users by tricking them with malicious spam emails and secretly injecting hazardous content.

Pishing message announces about a questionable payment which reaches $12 340 USD

Recently, IT experts are warning numerous users about the developing spam campaigns. Some malicious emails come announcing about a shocking payment which is $12 340 USD and the transferring process should be performed until the 20th of August. Users are urged to check the attachment which is called an invoice and comes as a Microsoft Word document.

You can see the message which announces about the confusing payment which, however, is a way to distribute Hermes 2.1 ransomware and the AZORult Trojan:

This is to inform you that there is still an outstanding payment of USD 12,340. We would appreciate it if this could be settled no later than the 20th.

I have attached the current invoice and the password for the document is: 1234

Thank you.
Federico Crowley

The maliciousness of the file cannot be discovered as the dubious attachment is protected with strong passwords that prevent all computer security software from detecting the damaging content. Once the convinced user steps on the malicious file and opens it, the infection launches straightly into the computer system and the virus begins its malicious activity. Files named azo.exe and hrms.exe are downloaded straight to the system. These components run Hermes 2.1 and AZORult and infect the machine

Gandcrab 4.3 is also targetting Korean people

Furthermore, another dangerous ransomware called Gandcrab 4.3 is targetting Korean users by sending spam messages to their email boxes. This virus is a version of the Gandcrab ransomware which also launched loudly throughout many countries. Pishing messages come legitimate-looking and claim to be from the Fair Trade Commission. The content is written in Korean language and announces about a particular violation investigation in the commercial sphere.

The spam message includes a dangerous file which is named .egg. Moreover, there are two shortcuts of LNK_GRANDCRAB.E and one executable which is named VenusLocker_korean.exe that vanishes after it its launched. Such content is sent to inject malware straightly into victims' computers. If the user opens the dangerous .egg file, his/her machine gets infected with Gandcrab v4.3 and the file encryption process begins immediately

About the author
Julie Splinters
Julie Splinters - Spyware and malware removal expert

Contact Julie Splinters
About the company Esolutions

Read in another language