Cyber Security

New Phishing Campaign Delivers Malware Combo via Excel Spreadsheets

A brand-new phishing campaign delivers a double pack of malware that combines an information-stealing threat and a ransomware payload. The info-stealing malware is LokiBot, while the payload comes in the form of the well-known Jigsaw ransomware. The attackers use this malware combination to steal saved usernames and passwords while at the same time infecting the system with the Jigsaw Ransomware to make an easy profit.

Hackers use weaponized spreadsheets to deliver malware

No particular emails that were part of the phishing campaign were found, however, security researchers came upon malicious attachments that include bank transfers,  invoices, orders, and business inquiries. 

These attachments are distributed in the form of Excel documents that have common names such as Invoice For Payment.xlsx, Swift.xlsx, Inquiry.xlsx, orders.xlsx, etc. The attackers’ main purpose is to attract users’ attention and make them open the weaponized sheets.

After analyzing the attachments, malware researchers found that they were weaponized with LCG Kit which exploited an old Microsoft Office CVE-2017-11882 remote code execution vulnerability in Equation Editor. Thanks to this vulnerability, the malware will be downloaded from a remote website and executed successfully.

When removed from the website, security researchers concluded that the file named cjjjjjjjjjjjjjjjjjjj.exe is actually LokiBot that can steal users’ credentials from web browsers and send them to the attackers.

The Second Ransomware Payload

According to security researchers, the attackers have configured the LokiBot variant to download and install the nasty Jigsaw ransomware that encrypts the victim's files and appends the .zemblax extension to their names.

Once the encryption process is completed, the malware victim is shown the ransom note of the Jigsaw ransomware variant that uses a Salvadore Dali mask as its background.

Terminate the drpbx.exe Process to Stop Jigsaw Ransomware 

If your computer has been infected with the Jigsaw ransomware variant, you may keep calm as it can be easily decrypted. Although, at the same time, you should be aware that this ransomware will occasionally delete your files until you pay the ransom. 

To keep your data safe, you have to terminate the drpbx.exe process using Task Manager so that the Jigsaw Ransomware will be shut down. 

Also, make sure that you have installed the latest updates to your Microsoft Office applications since the weaponized spreadsheets exploit an old Excel vulnerability. 

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Leave a Reply

Loading...
Back to top button