2018-10-26 - MALSPAM WITH PASSWORD-PROTECTED WORD DOCS NOW PUSHING GLOBEIMPOSTER RANSOMWARE
- Email: 2018-10-24-password-protected-Word-doc-malspam-0221-UTC.eml.zip 33 kB (33,306 bytes)
- 2018-10-24-password-protected-Word-doc-malspam-0221-UTC.eml (57,031 bytes)
- Traffic: 2018-10-26-GlobeImposter-ransomware-from-password-protected-Word-doc-malspam.pcap.zip 346 kB (346,058 bytes)
- 2018-10-26-GlobeImposter-ransomware-from-password-protected-Word-doc-malspam.pcap (647,693 bytes)
- Malware: 2018-10-26-malware-and-artifacts-from-GlobeImposter-infection.zip 362 kB (361,801 bytes)
- 2018-10-24-attached-word-document-password-1234.doc (39,936 bytes)
- 2018-10-26-GlobeImposter-artifact-tmpDAE3.tmp.bat.txt (448 bytes)
- 2018-10-26-GlobeImposter-instructions-YOU_FILES_HERE.txt (1,597 bytes)
- 2018-10-26-GlobeImposter-ransomware-qwerty2.exe (603,648 bytes)
- This malspam campaign with password-protected Word documents, which had been pushing Nymaim (and before that Neutrino), is now back to pushing ransomware.
- Below are write-ups I've written on malware associated with waves of malspam from this campaign:
- 2018-09-28 - More malspam with password-protected Word docs pushing Nymaim
- 2018-09-21 - Malspam with password-protected Word docs still pushing Nymaim
- 2018-09-17 - Quick post: Malspam with password-protected Word docs pushes Nymaim
- 2018-09-06 - Malspam with password-protected Word docs pushes AZORult then Neutrino
- 2018-08-21 - More malspam with password-protected Word docs, now pushing Neutrino
- 2018-08-15 - More malspam pushing password-protected Word docs for AZORult and Hermes Ransomware
- 2018-07-27 - Malspam with password-protected Word docs pushes Hermes ransomware
- 2018-07-23 - Malspam with password-protected Word docs pushes AZORult then Hermes ransomware
- 2018-06-04 - Malspam with password-protected Word docs pushes Gandcrab ransomware
- 2018-06-04 - Malspam with password-protected Word docs pushes Sigma ransomware
- 2018-04-20 - Malspam with password-protected Word docs pushes GlobeImposter ransomware
- 2018-03-14 - Malspam with password-protected Word docs pushes Sigma ransomware
Shown above: Screenshot from an email example.
Shown above: The attached password-protected Word document.
Shown above: Traffic generated after unlocking the Word doc and enabling macros.
Shown above: No post-infection traffic for the infection, just a bunch of encrypted personal files.
Shown above: To top it off, the decryption page wasn't working.
Shown above: Some artifacts from the infection.
Shown above: Saw a VBS file in the startup folder.