2018-05-09 - SIGMA RANSOMWARE FROM MALSPAM USING PASSWORD-PROTECTED WORD DOCS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the spreadsheet tracker: 2018-05-09-Sigma-ransomware-malspam-tracker.csv.zip 1.6 kB (1,639 bytes)
- Zip archive of the infection traffic: 2018-05-09-Sigma-ransomware-infection-traffic.pcap.zip 21.9 MB (21,886,750 bytes)
- Zip archive of the emails, malware & artifacts: 2018-05-09-Sigma-ransomware-emails-malware-and-artifacts.zip 4.6 MB (4,593,485 bytes)
NOTES:
- This is a somewhat quick post, without any IOCs in the write-up. If needed, you can review the spreadsheet, traffic and malware archives for more info.
- I've written two ISC diaries on this particular malspam campaign:
Shown above: What I saw today from malspam sent by this campaign.
IMAGES
Shown above: Screenshot of the spreadsheet (part 1 of 2).
Shown above: Screenshot of the spreadsheet (part 2 of 2).
Shown above: Screenshot of an email from this campaign on 2018-04-30.
Shown above: Screenshot of an email from this campaign on 2018-05-04.
Shown above: Screenshot of an email from this campaign today on 2018-05-09.
Shown above: Attached Word documents are password-protected.
Shown above: After entering the password, enabling macros will infect a vulnerable Windows host.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Background image for the desktop of my infected Windows host.
Shown above: Going to the Sigma ransomware decryptor using a Tor browser.
Shown above: The Sigma ransomware decryptor page.