
Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

Aug. 7, 2024, 8:37 a.m.

Description

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This loader employs reflective DLL loading to execute the fileless ransomware payload directly in memory, evading disk-based detection. The ransomware exhibits various malicious behaviors, such as enumerating and encrypting specific file types, terminating processes, establishing persistence, and manipulating clipboard data.

Date

Published: Aug. 7, 2024, 8:32 a.m.

Created: Aug. 7, 2024, 8:32 a.m.

Modified: Aug. 7, 2024, 8:37 a.m.

Indicators

dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3

afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987

9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb

69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3

629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53

42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad

https://eternal.lol/file/

eternal.lol
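A small IOC sweep, added here as an example and not part of the original advisory, that checks the hashes, URL and domain listed above against log lines. The indicator values are copied from the list above; the sample log lines, field names and file paths are constructed for illustration. It normalises hash case, treats subdomains of the listed domain as matches, and matches the listed URL as a prefix, which are the three places a naive exact-string search tends to miss.

```python
import re

# SHA-256 hashes, URL prefix and domain from the Indicators list above.
IOC_SHA256 = {
    "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3",
    "afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987",
    "9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb",
    "69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3",
    "629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53",
    "42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad",
}
IOC_DOMAINS = {"eternal.lol"}
IOC_URL_PREFIXES = ("https://eternal.lol/file/",)

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(host):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_line(line):
    """Return de-duplicated (indicator_type, value) hits found in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_SHA256:  # normalise case before comparing
            hits.append(("sha256", h.lower()))
    for url in URL_RE.findall(line):
        if url.lower().startswith(IOC_URL_PREFIXES):  # prefix, not exact, match
            hits.append(("url", url))
    for dom in DOMAIN_RE.findall(line):
        if domain_matches(dom):
            hits.append(("domain", dom.lower()))
    seen, out = set(), []
    for hit in hits:
        if hit not in seen:
            seen.add(hit)
            out.append(hit)
    return out


def scan(lines):
    """Scan a sequence of log lines; return one finding per hit with its 1-based line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_line(line):
            findings.append({"line": n, "type": kind, "value": value})
    return findings


# Constructed sample log lines (not real telemetry). The first hash from the
# Indicators list is upper-cased to show that matching is case-insensitive.
FIRST_HASH = "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3"
SAMPLE_LOGS = [
    rf"2024-08-07T08:30:01Z sysmon EventID=1 Image=C:\Temp\invoice.doc Hashes=SHA256={FIRST_HASH.upper()}",
    "2024-08-07T08:30:05Z proxy user=u method=GET url=https://eternal.lol/file/ status=200",
    "2024-08-07T08:31:00Z dns query=cdn.eternal.lol type=A",
    "2024-08-07T08:32:00Z proxy user=u method=GET url=https://www.paypal.com/ status=200 Hashes=SHA256="
    + "0" * 64,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['type']} hit on {f['value']}")
```

Lines 1 to 3 produce four findings (one hash, one URL plus its domain, one subdomain); the fourth, benign line produces none. In a real sweep the log source would replace `SAMPLE_LOGS`, and the indicator sets would be loaded from the downloadable IOC list rather than hard-coded.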

Attack Patterns

Cronus Ransomware

Cronus

T1491.001

T1565.002

T1055.012

T1059.005

T1059.001

T1547.001

T1204.002

T1486

T1057

T1566.001

T1083