Fake PayPal Site Spreads Nemty Ransomware
« on: September 08, 2019, 08:39:06 PM »

A web page pretending to offer an official application from PayPal is currently spreading Nemty ransomware to unsuspecting users.

It appears that the operators of this file-encrypting malware are trying various distribution channels as it was recently observed as a payload from the RIG exploit kit (EK).

Luring with cashback rewards

The latest occurrence of Nemty was observed on a fake PayPal page that promises to return 3-5% from purchases made through the payment system.

Several clues point to the fraudulent nature of the page, which is also flagged as dangerous by major browsers, but users may still fall for the trick and proceed with downloading and running the malware, which is conveniently named 'cashback.exe'.

Security researcher nao_sec found the new Nemty distribution channel and used the AnyRun test environment to deploy the malware and follow its activity on an infected system.

The automated analysis showed that it took about seven minutes for the ransomware to encrypt the files on the victim host. However, this may differ from one system to another.

Fortunately, the malicious executable is detected by most popular antivirus products on the market. A scan on VirusTotal shows that it is detected by 36 out of 68 antivirus engines.

source