Windows 10 News and info | Forum
Topic: Mail Attachment Builds Ransomware Downloader from Super Mario Image
« on: February 10, 2019, 05:33:22 PM »

A malicious spreadsheet has been discovered that builds a PowerShell command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install malware such as the GandCrab Ransomware and other malware.

The attack begins with emails, targeting recipients in Italy, that pretend to be payment notices.

[Image: example spam email]

These emails carry an attachment with a name similar to "F.DOC.2019 A 259 SPA.xls" that, when opened, tells the user to Enable Content in order to properly view the document.

[Image: malicious spreadsheet attachment]

Once content is enabled, the macros run and check whether the computer is configured to use the Italy region. If it is not, the macro exits and nothing else happens.

[Image: macro checking whether the computer is configured for Italy]

If the computer is configured for Italy, though, the following image of Mario is downloaded. The image below has been slightly modified so that it cannot be used for malicious purposes.

[Image: the downloaded image of Mario]

According to researchers from Bromium who analyzed this attack, after the image is downloaded the script will extract various pixels from the image to reconstruct a PowerShell command, which will then be executed.

"The above code is finding the next level of code from the blue and green channel from pixels in a small region of the image," stated Bromium's research. "The lower bits of each pixel are used as adjustments to these and yield minimal differences to the perceived image. Running this presents yet more heavily obfuscated PowerShell."

This PowerShell command will download malware from a remote site, which then downloads further malware such as the GandCrab Ransomware.
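To make the Bromium description concrete, here is an added illustration (not Bromium's code and not the script from the spreadsheet) of why data parked in the low bits of the green and blue channels is invisible to the eye yet fully recoverable. It uses only the Python standard library; the image is a constructed synthetic gradient, the hidden text is a harmless marker, and the number of low bits per channel (2) and the green-then-blue ordering are assumptions, since the article only says "lower bits". The entropy check at the end is a simple defender-side heuristic for spotting a region whose low bits are less regular than the rest of the image.

```python
"""Low-bit (LSB) hiding in the green and blue channels of an RGB image,
plus two defender-side measurements: how little the pixels change and
how the low-bit statistics of the carrier region differ from the rest.

Everything here is constructed for the example. Nothing is executed;
the hidden bytes are only embedded, read back and compared."""
import math
from collections import Counter

BITS = 2                 # low bits used per channel (assumption: the
MASK = (1 << BITS) - 1   # article only says "lower bits")


def make_gradient(width=64, height=64):
    """Constructed smooth RGB image as rows of (r, g, b) tuples. Every channel
    is a multiple of 4, so the low two bits are all zero before embedding."""
    return [[((x * 4) % 256, (y * 4) % 256, ((x + y) * 4) % 256)
             for x in range(width)] for y in range(height)]


def _region_pixels(region):
    """Coordinates of a rectangular region (x0, y0, w, h) in scan order."""
    x0, y0, w, h = region
    return [(x, y) for y in range(y0, y0 + h) for x in range(x0, x0 + w)]


def _to_bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _chunk(bits, start):
    """Pack BITS consecutive bits (MSB first) into an integer."""
    value = 0
    for bit in bits[start:start + BITS]:
        value = (value << 1) | bit
    return value


def embed(image, payload: bytes, region):
    """Return a copy of `image` with `payload` stored in the low BITS of the
    green and blue channels of pixels in `region` (green first, MSB first).
    Red is untouched, so no channel value moves by more than MASK."""
    bits = _to_bits(payload)
    bits += [0] * (-len(bits) % (2 * BITS))          # pad to whole pixels
    pixels = _region_pixels(region)
    if len(bits) > len(pixels) * 2 * BITS:
        raise ValueError("payload does not fit in region")
    out = [row[:] for row in image]
    for i in range(0, len(bits), 2 * BITS):
        x, y = pixels[i // (2 * BITS)]
        r, g, b = out[y][x]
        g = (g & ~MASK) | _chunk(bits, i)
        b = (b & ~MASK) | _chunk(bits, i + BITS)
        out[y][x] = (r, g, b)
    return out


def extract(image, region, n_bytes):
    """Inverse of embed(): read n_bytes back out of the region's low bits."""
    bits = []
    for x, y in _region_pixels(region):
        _, g, b = image[y][x]
        for channel in (g, b):
            bits.extend(((channel & MASK) >> i) & 1
                        for i in range(BITS - 1, -1, -1))
        if len(bits) >= 8 * n_bytes:
            break
    if len(bits) < 8 * n_bytes:
        raise ValueError("region holds fewer bits than requested")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, 8 * n_bytes, 8))


def max_channel_delta(a, b):
    """Largest per-channel change between two images of the same size."""
    return max(abs(pa[c] - pb[c])
               for ra, rb in zip(a, b) for pa, pb in zip(ra, rb) for c in range(3))


def low_bit_entropy(image, region):
    """Shannon entropy (bits) of the (green, blue) low-bit pairs in a region,
    from 0 (perfectly regular) up to 2 * BITS (uniformly random)."""
    counts = Counter((image[y][x][1] & MASK, image[y][x][2] & MASK)
                     for x, y in _region_pixels(region))
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


if __name__ == "__main__":
    clean = make_gradient()
    region = (8, 8, 16, 8)            # a small 16x8 patch, 512 bits of capacity
    marker = b"benign marker text"    # constructed, harmless payload
    carrier = embed(clean, marker, region)
    assert extract(carrier, region, len(marker)) == marker
    print("largest channel change:", max_channel_delta(clean, carrier))
    print("low-bit entropy clean / carrier: %.2f / %.2f" % (
        low_bit_entropy(clean, region), low_bit_entropy(carrier, region)))
```

On the synthetic gradient the carrier region's low bits jump from perfectly regular to noticeably disordered while no channel value moves by more than 3 out of 255, which is the "minimal differences to the perceived image" Bromium describes. On real photographs the low bits are already noisy, so this statistic is far weaker there; the practical lesson for defenders is that the image itself is an unreliable thing to scan, and the detectable behaviour is the spreadsheet macro fetching an image and then launching PowerShell.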

[Image: GandCrab ransom note]

Steganographic attacks are not new and are being used more often to avoid detection by security programs. Just recently a malvertising campaign was discovered by Malwarebytes that was utilizing steganography to install a payload hidden in advertising images (somehow I missed this and failed to alert you all, I apologize).

As always, it is very important to be careful when it comes to attachments, as they are a heavily used method to distribute malware. To be safe, always scan attachments you receive before you open them, and be doubly suspicious if they contain macros that need to be enabled to properly view the document.

