A new phishing campaign delivers a double malware payload: the LokiBot information stealer followed by the well-known Jigsaw ransomware. The attackers use this combination to steal saved usernames and passwords and, at the same time, encrypt the victim's files with Jigsaw to make an easy profit.
Hackers use weaponized spreadsheets to deliver malware
No actual emails from the phishing campaign were recovered, but security researchers came across the malicious attachments, which pose as bank transfer notices, invoices, orders, and business inquiries.
These attachments are Excel documents with unremarkable names such as Invoice For Payment.xlsx, Swift.xlsx, Inquiry.xlsx, orders.xlsx, and so on, chosen to catch the recipient's attention and persuade them to open the weaponized sheets.
After analyzing the attachments, malware researchers found that they had been weaponized with LCG Kit, a malicious-document builder that exploits CVE-2017-11882, an old memory-corruption vulnerability in the Microsoft Office Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017. When an unpatched Office installation opens the spreadsheet, the exploit downloads the malware from a remote website and executes it, with no macros required.
Once the file was retrieved from that website, the researchers identified cjjjjjjjjjjjjjjjjjjj.exe as LokiBot, an information stealer that harvests saved credentials from web browsers and other applications and sends them to the attackers.
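A cheap first-pass triage check for spreadsheets of this kind, added here as an example (not code from the original article or from the researchers who analyzed the campaign): an .xlsx is a zip of XML parts, and an embedded Equation Editor object shows up either as an oleObject with ProgID Equation.3 in the worksheet XML or as the Equation Editor CLSID inside the embedded compound file under xl/embeddings/. Invoices and purchase orders have no business carrying equation objects, so their presence alone is a strong signal. The sample files are constructed in memory; the fake OLE blob only mimics the header and CLSID, it is not an exploit.

```python
import io
import re
import uuid
import zipfile

# Microsoft Equation 3.0 (EQNEDT32.EXE) is the component CVE-2017-11882 lives in.
# Its CLSID appears inside the embedded OLE compound file in little-endian GUID layout.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_EDITOR_CLSID_LE = EQUATION_EDITOR_CLSID.bytes_le

# Excel references embedded objects as <oleObject progId="..."/>; Word uses
# <o:OLEObject ProgID="..."/>, so the attribute is matched case-insensitively.
PROGID_RE = re.compile(rb'progid="([^"]+)"', re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Summarise embedded OLE objects in an OOXML (.xlsx/.docx) file held in memory.

    Flags the file as suspicious when anything references the Equation Editor,
    either by ProgID (Equation.3 / Equation.2) or by its CLSID inside an
    embedded compound file. This is a heuristic: it does not parse the MTEF
    stream to confirm the overlong FONT record that actually triggers the bug.
    """
    result = {
        "embedded_objects": [],
        "prog_ids": set(),
        "equation_clsid_seen": False,
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if "/embeddings/" in lower:
                blob = zf.read(name)
                result["embedded_objects"].append(name)
                if EQUATION_EDITOR_CLSID_LE in blob:
                    result["equation_clsid_seen"] = True
            elif lower.endswith((".xml", ".rels")):
                for match in PROGID_RE.finditer(zf.read(name)):
                    result["prog_ids"].add(match.group(1).decode("ascii", "replace"))
    result["suspicious"] = result["equation_clsid_seen"] or any(
        pid.lower().startswith("equation") for pid in result["prog_ids"]
    )
    return result


def build_sample_xlsx(with_equation_object: bool) -> bytes:
    """Constructed, minimal xlsx-like zip for demonstration only (not a real exploit file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        sheet = "<worksheet><sheetData/>"
        if with_equation_object:
            sheet += '<oleObjects><oleObject progId="Equation.3" shapeId="1025" r:id="rId1"/></oleObjects>'
            # Fake compound-file signature, padding, then the Equation Editor CLSID,
            # roughly where a real OLE container carries it in its root directory entry.
            fake_ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 0x58 + EQUATION_EDITOR_CLSID_LE
            zf.writestr("xl/embeddings/oleObject1.bin", fake_ole)
        sheet += "</worksheet>"
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_xlsx(False)),
                          ("weaponised", build_sample_xlsx(True))):
        print(label, triage_ooxml(sample))
```

Run it on real attachments by reading the file bytes into triage_ooxml(); anything that reports Equation.3 in a supposed invoice deserves detonation in a sandbox, and the same check works for .docx, where LCG Kit output is also common. Legacy .xls and RTF carriers need a different parser (olefile, or an RTF object scanner) because they are not zip containers.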
The Second Ransomware Payload
According to the researchers, this LokiBot variant has been configured to download and install the Jigsaw ransomware, which encrypts the victim's files and appends the .zemblax extension to their names.
Once encryption completes, the victim is shown this Jigsaw variant's ransom note, which uses a Salvador Dalí mask as its background.
Terminate the drpbx.exe Process to Stop Jigsaw Ransomware
If your computer has been infected with this Jigsaw variant, you can keep calm: Jigsaw's encryption is weak and free decryptors exist. Be aware, however, that the ransomware deletes files on a timer until the ransom is paid, and earlier Jigsaw samples also delete a large batch of files when the process is restarted, for example after a reboot, so it has to be stopped before anything else.
To keep your data safe, terminate the drpbx.exe process in Task Manager; this shuts Jigsaw down and halts the timed deletions. Then disable its autorun entry (Jigsaw registers itself under the user's Run key so that it survives a restart) before running a decryptor, so it cannot relaunch and delete more files.
Also make sure your Microsoft Office installation has the latest updates. The weaponized spreadsheets do not exploit Excel itself but the shared Equation Editor component, which Microsoft patched in November 2017 and removed entirely in the January 2018 Office updates, so a fully patched Office is not affected.