Researchers have reverse-engineered the AstraLocker 2.0 ransomware, which targets users through phishing campaigns. The attackers spread the ransomware via maliciously crafted Microsoft Word documents. Once again, users should remember to avoid interacting with unsolicited emails or messages from unknown sources, especially when they include attachments.
About AstraLocker 2.0 Ransomware
In a recent report from ReversingLabs, researchers shared a detailed analysis of the AstraLocker 2.0 ransomware. The researchers reverse-engineered the malware, which is being distributed in the wild via phishing campaigns.
Specifically, AstraLocker 2.0 is a potent ransomware apparently inspired by the leaked Babuk ransomware source code. The researchers established the link on the basis of shared code and campaign markers. They also found a Monero wallet address, used for ransom payment, that is linked to the Chaos ransomware.
Yet it exhibits some unique features that hint at its "smash-and-grab" attack nature. First, the attackers do not waste time establishing persistence on the target system. Instead, the ransomware starts its activity right after the malicious attachment is opened. Second, the attackers embedded the ransomware payload as an OLE object inside the Word document rather than using the usual approach of abusing VBA macros. This looks odd, since launching an embedded object requires the user to interact with it, which may reduce the chances of a successful infection.
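Because the payload rides inside an OLE object rather than a VBA macro, a filter that only looks for `vbaProject.bin` would pass this document. The following script is an added example, not code from ReversingLabs or from the article: it opens a `.docx` (a ZIP package), lists the members under `word/embeddings/`, and flags any OLE compound file that carries a PE image. It assumes only the standard OOXML layout (`word/document.xml`, `word/embeddings/*.bin`, `word/vbaProject.bin`); the sample documents it scans are constructed in memory and contain a fake PE header, not malware.

```python
import io
import struct
import zipfile

# OLE2 compound-file header; embedded objects in a .docx are stored in this format.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docx(with_embedded_pe: bool) -> bytes:
    """Construct a minimal .docx-like ZIP in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = '<w:object><o:OLEObject r:id="rId5"/></w:object>' if with_embedded_pe else "<w:p/>"
        z.writestr("word/document.xml", f"<w:document><w:body>{body}</w:body></w:document>")
        if with_embedded_pe:
            # Fake PE: a DOS header whose e_lfanew (offset 0x3C) points to a "PE\0\0" signature at 64.
            fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 32
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24 + fake_pe)
    return buf.getvalue()


def find_pe_offsets(blob: bytes) -> list[int]:
    """Return offsets of plausible PE images: 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    offsets = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Sanity-bound e_lfanew so a random 'MZ' in data does not produce a hit.
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return offsets


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx package for macros, OLE references and embedded PE payloads."""
    result = {
        "embedded_objects": [],   # ZIP members under word/embeddings/
        "pe_embedded": False,     # an embedded OLE object contains a PE image
        "has_macros": False,      # word/vbaProject.bin present
        "ole_referenced": False,  # document.xml references an OLEObject
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["has_macros"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            result["ole_referenced"] = b"OLEObject" in z.read("word/document.xml")
        for name in names:
            if name.startswith("word/embeddings/"):
                blob = z.read(name)
                result["embedded_objects"].append(name)
                if blob.startswith(OLE_MAGIC) and find_pe_offsets(blob):
                    result["pe_embedded"] = True
    return result


if __name__ == "__main__":
    for label, flag in (("benign", False), ("ole-embedded-pe", True)):
        print(label, scan_docx(build_sample_docx(flag)))
```

The check is a heuristic: a real embedded executable sits inside a compound-file stream (typically the Packager "\x01Ole10Native" stream) rather than directly after the header, so the scan walks the whole object for any valid MZ/PE pair; an attacker who encodes or compresses the payload inside the object would need a stream-level parser (for example oletools' `oleobj`) to catch. The useful point is that `has_macros` is false for the malicious document, so macro-only mail filtering does not see it.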
The attackers may have been confident enough to use this conspicuous delivery method because of the anti-analysis measures layered on top of it. For example, the malware is packed with the SafeEngine Shielden v2.4.0.0 protector, an old packer that is difficult to reverse engineer. The packer also performs virtual-machine and analysis-environment detection before executing the payload, and hides its threads from debuggers.
After a successful infection, AstraLocker 2.0 drops a ransom note that resembles Babuk's. It differs only in small details, such as changed Monero and Bitcoin wallet addresses and the absence of any contact email for the victims.
Yet the latter could work against the attackers themselves, since victims would have no way to contact them and obtain the decryptor. Ultimately, victims who pay and still cannot recover their files would undermine the ransomware campaign.