Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell

Aug. 7, 2024, 8:37 a.m.

Description

The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This loader employs reflective DLL loading to execute the fileless ransomware payload directly in memory, evading disk-based detection. The ransomware exhibits various malicious behaviors, such as enumerating and encrypting specific file types, terminating processes, establishing persistence, and manipulating clipboard data.
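The hand-off the description attributes to this chain (a Word document whose macro launches a PowerShell loader) is the point where process-creation telemetry can catch it before anything touches disk. The detection below is an added example, not code from the original report; its event fields and sample command lines are constructed to resemble Sysmon Event ID 1 records, and the encoded payload in the second event is a placeholder, not the campaign's loader.

```python
"""Flag the Office -> script-host -> in-memory loader hand-off in process-creation telemetry."""
import re

# Constructed sample events modelled on Sysmon Event ID 1 fields; not taken from the report.
EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Receipt.docm"'},
    {"pid": 4188, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA"},  # placeholder base64
    {"pid": 5020, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin script
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Command-line traits of a download-and-run loader; each one alone is weak evidence.
ARG_TRAITS = [
    ("encoded_command", re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\b")),
    ("hidden_window", re.compile(r"(?i)-(?:w|windowstyle)\s+hidden")),
    ("policy_bypass", re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass")),
    ("download_cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient")),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons): one point for the Office parent, one per command-line trait."""
    reasons = []
    if basename(ev["image"]) in SCRIPT_HOSTS and basename(ev["parent_image"]) in OFFICE_APPS:
        reasons.append("office_app_spawned_script_host")
    reasons += [name for name, pat in ARG_TRAITS if pat.search(ev["cmdline"])]
    return len(reasons), reasons

def find_suspicious(events, threshold=2):
    """Events with at least `threshold` indicators; a lone hidden-window admin script is not flagged."""
    return [(ev["pid"], score_event(ev)[1]) for ev in events if score_event(ev)[0] >= threshold]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS):
        print(pid, reasons)
```

The parent/child pairing carries most of the weight because the loader's own arguments vary between samples, while an Office application spawning a script host is rare in normal use.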

Date

Published: Aug. 7, 2024, 8:32 a.m.
Created: Aug. 7, 2024, 8:32 a.m.
Modified: Aug. 7, 2024, 8:37 a.m.

Indicators


Attack Patterns

Cronus Ransomware
Cronus
T1491.001 - Internal Defacement
T1565.002 - Transmitted Data Manipulation
T1055.012 - Process Hollowing
T1059.005 - Visual Basic
T1059.001 - PowerShell
T1547.001 - Registry Run Keys / Startup Folder
T1204.002 - Malicious File
T1486 - Data Encrypted for Impact
T1057 - Process Discovery
T1566.001 - Spearphishing Attachment
T1083 - File and Directory Discovery