Hackers Spreading GandCrab Ransomware via Super Mario Image Using Weaponized Spreadsheet
Leveraging the fear of computer viruses, cyber-attackers have found a new tactic to commit cyber-crime.
Cybercriminals are not only exploiting Windows vulnerabilities but also using advanced social engineering techniques to spread a GandCrab ransomware variant that has a unique origin, which makes it incredibly tough to combat.
Cyber-attackers are delivering the GandCrab ransomware variant to victims' systems through weaponized Microsoft Excel documents that use a steganographic Super Mario image.
The weaponized Excel spreadsheet builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros.
These Excel documents contain embedded VBA macros, which trigger the malicious commands if the file is opened.
When executed, this command downloads and installs malware such as the GandCrab ransomware, which acts as a backdoor to other malicious threats and further installs viruses, adware, and PUPs on the infected system without the user’s authorization.
The attack came in the form of phishing emails and instant messages that are designed to appear legitimate.
The targeted emails are sent to individuals in Italy and contain a malicious Excel document attachment with a name similar to “F.DOC.2019 A 259 SPA.xls”.
The recipient of the email is then tricked into opening a malicious link in order to properly view the document, which leads to the installation of malware on the recipient’s computer.
Once the content is enabled, the embedded macros are triggered and check the region of the computer, usually relying on the administrative language of the operating system.
A quick look at the macros in this Excel document revealed that they were coded to exit the spreadsheet immediately if the machine was not based in Italy (country 39):
If Application.International(xlCountrySetting) = 39 Then VKleaver = Shell#(Document, xlAccounting2 - 5) Else Application.Quit
If the user is located in Italy, the malware deploys from behind the slightly modified image of Mario by extracting various pixels, eventually executing the PowerShell command.
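The region check quoted above is a useful static indicator when triaging macro-enabled attachments. The following Python sketch is an added example, not code from the original article or from the malware: it scans VBA source that has already been extracted from a workbook for a locale comparison that appears alongside process execution or a forced exit. The function names, verdict labels and the benign sample are assumptions made for illustration.

```python
import re

# Constructed inputs: the macro line quoted in the article, and a harmless macro.
GATED = ('If Application.International(xlCountrySetting) = 39 Then '
         'VKleaver = Shell#(Document, xlAccounting2 - 5) Else Application.Quit')
BENIGN = 'Sub FormatSheet()\n    Range("A1").Font.Bold = True\nEnd Sub'

# Application.International(xlCountrySetting | xlCountryCode | 1 | 2) compared to a number.
LOCALE = re.compile(
    r'Application\.International\(\s*(?:xlCountrySetting|xlCountryCode|[12])\s*\)'
    r'\s*(=|<>)\s*(\d+)', re.I)
# VBA Shell() with an optional type-declaration suffix, or a WScript.Shell object.
EXEC = re.compile(r'\bShell[#$%&!@]?\s*\(|CreateObject\(\s*"WScript\.Shell"', re.I)
QUIT = re.compile(r'\bApplication\.Quit\b', re.I)


def logical_lines(source):
    """Join VBA line continuations (' _' at end of line) into logical lines."""
    joined = re.sub(r'[ \t]_[ \t]*\r?\n', ' ', source)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def triage(source):
    """Return region-gating findings for extracted VBA macro source."""
    lines = logical_lines(source)
    gates = [(i, m) for i, ln in enumerate(lines, 1) for m in LOCALE.finditer(ln)]
    has_exec = any(EXEC.search(ln) for ln in lines)
    has_quit = any(QUIT.search(ln) for ln in lines)
    countries = sorted({int(m.group(2)) for _, m in gates})
    if gates and has_exec:
        verdict = 'suspicious'   # locale check and process execution in one macro
    elif gates and has_quit:
        verdict = 'review'       # exits on a locale mismatch, no Shell call seen
    else:
        verdict = 'clean'        # no locale comparison found
    return {'verdict': verdict, 'countries': countries,
            'gate_lines': [i for i, _ in gates],
            'exec': has_exec, 'quit': has_quit}


if __name__ == '__main__':
    for name, src in (('gated', GATED), ('benign', BENIGN)):
        print(name, triage(src))
```

A 'clean' verdict here only means no locale comparison was found; it says nothing about other macro behaviour.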
Cyber-attackers use the GandCrab ransomware variant for their illicit purposes: it encrypts (locks) all of the data on your hard drive, locks down the entire system, and demands money in Bitcoin or Dash cryptocurrency as a ransom for the alleged restoration of your data.
Furthermore, it allows hackers to remotely access the user’s system and steal the user’s data, such as IDs, passwords, banking information, and email addresses, and sends the collected data to the remote servers from which it was downloaded, which can lead to serious financial loss or data theft.
These infections spread quickly through P2P file sharing, social clickjacking, and spam emails, and also come in the form of malicious junk attachments and infected Microsoft Excel documents to infiltrate security-vulnerable systems.
Thus, every document and file that you open or download to your PC should be scanned for infections before opening, even if you think it is from a credible source.
Conclusion
Nowadays, cybercriminals have learned to make their malware more adaptable, resilient and more damaging. The regular antivirus program cannot protect you from all cyber threats at the same time.
Thus, we need to systematically upgrade our cyber defense structures and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to prevent any intrusion in the future.
Note* - We recommend ITL Total Security and Malware Crusher, which are among the best-reputed anti-malware software and will help you block viruses, adware and other malware on your PC.
They include numerous useful features such as Real-Time Protection, Web Protection, live updates, and many more to protect your system from damage and keep you safe always.

Tips to Prevent Viruses and Malware from Infecting Your System:
- Enable your popup blocker: Pop-ups and ads on websites are the tactic most often adopted by cybercriminals or developers whose core intention is to spread malicious programs. So, avoid clicking on uncertain sites, software offers, pop-ups, etc., and install a powerful ad blocker for Chrome, Mozilla, and IE.
- Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this, you can keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites, as they usually install bundled software with any installer or stub file.
- Regular backup: Regular and periodic backups help you keep your data safe in case the system is infected by any kind of virus or any other infection. Thus, always back up important files regularly to a cloud drive or an external hard drive.
- Always have an anti-virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool.