A new version of the AstraLocker ransomware has been observed being distributed directly from Microsoft Office files sent via phishing emails, an unusually quick delivery method that leads researchers to believe the threat actor behind the ransomware is interested only in making a big impact and receiving a quick payout, or what they call a “smash and grab” approach.
The AstraLocker ransomware was first identified in 2021 and is a fork of the Babuk ransomware-as-a-service, which also appeared in early 2021. The latest version of AstraLocker, meanwhile, was first observed in March. Researchers said AstraLocker attacks are unique in that the ransomware is deployed to victims at a very early stage of the attack, immediately after the target opens the malicious file attachment on the phishing email, rather than the “low and slow” methodology that is common among sophisticated ransomware groups.
“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” said Joseph Edwards, senior malware researcher with ReversingLabs, in a Tuesday analysis. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Microsoft Entra ID) to deploy a group policy object and encrypt all hosts in the affected domains.”
The new ransomware version uses an outdated packer with an aim to make reverse engineering difficult; the packer injects indirect jumps every five to seven instructions in order to obfuscate the program’s control flow, said Edwards.
It also takes several steps to evade detection, including checking whether it is running on a virtual machine, checking the names of open windows to determine whether malware analysis tools are running, and checking running processes to see whether it is in an analysis environment. Once unpacked, the ransomware attempts to disable backup and anti-malware endpoint security tools, kill applications known to block data encryption, and delete volume shadow copies, a Windows feature that keeps backup copies of files or volumes.
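The pre-encryption steps described above (stopping backup and security tools, killing applications, deleting volume shadow copies) are the point at which a defender can still catch the attack, and they show up as process-creation telemetry. The following is an added detection example, not code from the article or from ReversingLabs: it runs a small rule set over constructed, tab-separated process-creation events. The command-line patterns (vssadmin, wmic shadowcopy, net/sc stop, taskkill) and the Office-parent-spawns-Temp-executable rule are the author's assumptions about how these steps commonly appear on a Windows host; the article itself names no tools.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    command_line: str


# Constructed sample events (not real telemetry). Each line:
# timestamp<TAB>host<TAB>parent_image<TAB>command_line
SAMPLE_EVENTS = """\
2022-06-28T09:14:02Z\tWS-017\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\t"C:\\Users\\jdoe\\AppData\\Local\\Temp\\ole.exe"
2022-06-28T09:14:05Z\tWS-017\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\ole.exe\tvssadmin.exe Delete Shadows /All /Quiet
2022-06-28T09:14:06Z\tWS-017\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\ole.exe\tnet stop "Veeam Backup Service" /y
2022-06-28T09:14:06Z\tWS-017\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\ole.exe\ttaskkill /F /IM sqlservr.exe
2022-06-28T09:20:11Z\tWS-002\tC:\\Windows\\explorer.exe\tnotepad.exe C:\\Users\\asmith\\notes.txt
2022-06-28T09:31:45Z\tWS-009\tC:\\Windows\\System32\\cmd.exe\twmic shadowcopy delete
"""

# Assumed command-line patterns for the three impact steps the article describes.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
        r"|Win32_ShadowCopy\b.*\bDelete\b", re.I)),
    ("service_stop", re.compile(r"\b(net|net1|sc)(\.exe)?\s+stop\b", re.I)),
    ("forced_process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I)),
]
# Delivery-stage rule: an Office process launching an executable from %TEMP%.
OFFICE_PARENTS = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
TEMP_EXECUTABLE = re.compile(r"\\AppData\\Local\\Temp\\[^\\\"]+\.exe", re.I)


def parse_events(text):
    """Split the tab-separated sample into (timestamp, host, parent, command_line) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split("\t", 3)
        events.append((ts, host, parent, cmd))
    return events


def detect(text):
    """Apply every rule to every event; one Finding per (event, matching rule)."""
    findings = []
    for ts, host, parent, cmd in parse_events(text):
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, name, cmd))
        if OFFICE_PARENTS.search(parent) and TEMP_EXECUTABLE.search(cmd):
            findings.append(Finding(ts, host, "office_spawned_temp_executable", cmd))
    return findings


def hosts_with_precursor_chain(findings, min_distinct_rules=2):
    """Hosts where several distinct pre-encryption steps fired: a single
    'net stop' is noise, but shadow-copy deletion plus service stops on the
    same host is the chain the article describes."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.rule}: {f.command_line}")
    print("hosts with precursor chain:", hosts_with_precursor_chain(found))
```

On the constructed sample, WS-017 triggers four distinct rules within seconds and is the only host reported by `hosts_with_precursor_chain`; WS-009's lone `wmic shadowcopy delete` is still a finding, but on its own it is a candidate for triage rather than an alert, which is the kind of thresholding a real rule would tune per environment.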
The ransomware’s attack vector comes with some potential weak spots, as executing the ransomware actually takes a substantial amount of user interaction. After opening the malicious Word document attached to the email, the target must perform several additional clicks (including clicking an icon in the document and consenting to running an embedded executable) to activate the embedded ransomware, which is stored in an OLE object.
“Needless to say: requiring so much user interaction increases the chances that victims will think twice about what they’re doing,” said Edwards. “That’s one reason OLE objects see less use in malware delivery, as opposed to the more popular VBA macro infection method, which only requires the user to enable macros in order to execute.”
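Because the payload is stored as an OLE object rather than a VBA macro, a mail gateway or triage script can look for it in the document container itself: a .docx is a zip archive, embedded objects live under `word/embeddings/`, and the document's relationships part references them with the `oleObject` relationship type. The following is an added triage example, not code from the article or from ReversingLabs. It builds a constructed sample document in memory (a fake OLE container that carries an MZ header, not a real AstraLocker sample) and reports what it finds; the `b"MZ" in blob` check is a deliberately crude heuristic, since a real oleObject*.bin is a compound-file (CFB) container whose streams would need a proper CFB parser to walk.

```python
import io
import re
import zipfile

# Standard OOXML relationship type for embedded OLE objects.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header


def build_sample_docx(with_ole=True):
    """Constructed sample: a minimal .docx. With with_ole=True the embeddings part
    holds a fake CFB container that carries an MZ (PE) header. Not a real document."""
    buf = io.BytesIO()
    rels = [f'<Relationship Id="rId2" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>']
    if with_ole:
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                    'Target="embeddings/oleObject1.bin"/>')
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
                   "<Relationships>" + "".join(rels) + "</Relationships>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
        if with_ole:
            z.writestr("word/embeddings/oleObject1.bin",
                       CFB_MAGIC + b"\x00" * 64 + b"MZ\x90\x00" + b"\x00" * 32)
    return buf.getvalue()


def triage_docx(data):
    """Return a report of OLE relationships and embedded parts in a .docx byte string."""
    report = {"ole_relationships": [], "embedded_objects": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. Relationship parts that point at OLE objects.
        for rels_name in (n for n in names if n.endswith(".rels")):
            rels_xml = z.read(rels_name).decode("utf-8", "replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", rels_xml):
                tag = m.group(0)
                if OLE_REL_TYPE in tag:
                    target = re.search(r'Target="([^"]+)"', tag)
                    report["ole_relationships"].append(target.group(1) if target else "?")
        # 2. The embedded parts themselves, with a cheap executable heuristic.
        for name in names:
            if name.startswith("word/embeddings/"):
                blob = z.read(name)
                report["embedded_objects"].append({
                    "part": name,
                    "size": len(blob),
                    "is_cfb": blob.startswith(CFB_MAGIC),
                    "contains_mz": b"MZ" in blob,  # heuristic only, see lead-in
                })
    if any(o["contains_mz"] for o in report["embedded_objects"]):
        report["verdict"] = "embedded executable candidate"
    elif report["embedded_objects"] or report["ole_relationships"]:
        report["verdict"] = "embedded object present"
    return report


if __name__ == "__main__":
    for label, doc in (("with OLE", build_sample_docx(True)), ("clean", build_sample_docx(False))):
        print(label, "->", triage_docx(doc))
```

The two signals are independent on purpose: an attacker who strips the relationship entry still leaves the part under `word/embeddings/`, and a document whose embeddings part is missing but whose rels reference one is itself malformed enough to quarantine. Either way the verdict is a reason to detonate or block the attachment before a user is ever asked to click through the prompts the article describes.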
The ransomware finally displays a ransom note that includes Monero and Bitcoin wallet addresses for payment. The variant’s wallet addresses are different from those used by earlier versions of the malware and by the Babuk ransomware.
The new variant also omits a working email address for contacting the threat actors from the ransom note, which means the threat actor has no way of delivering the decryptor to victims even if the ransom is paid, researchers said. Researchers believe this is a mistake and that it reflects one drawback of the “smash and grab” approach in this attack: although AstraLocker 2.0 attackers have been able to shorten the time of attack, “it is easy for attackers launching such hasty efforts to make mistakes,” said Edwards.
Researchers said that the threat actor responsible for this recent campaign likely obtained builders for the AstraLocker 2.0 ransomware because the Babuk source code was stolen and leaked on a Russian hacking forum in September. That means that, in addition to a quicker timeframe for attacks, the actors also do not need to make big investments in order to infect victims.
“What this attack makes clear is that the leak of the Babuk source code and builders in 2021 permits cybercriminals of any sophistication to launch their own operations, simply by making small modifications to the existing Babuk code,” said Edwards. “That is what we observe with the AstraLocker 2.0 malware.”