Threat researchers report that the developers of a ransomware strain named AstraLocker have just published its second major version, and that its operators conduct quick attacks that launch the payload directly from email attachments. This method is unusual because the intermediate stages that normally characterize email-borne attacks exist to evade detection and reduce the likelihood of triggering alarms on email security tools; AstraLocker 2.0 skips them.
ReversingLabs, a firm that has been monitoring AstraLocker operations, says the attackers do not appear to be concerned with reconnaissance, the identification of valuable files, or lateral movement across the network. The group is carrying out what is known as a "smash and grab" ransomware operation.
The aim of smash and grab is to maximize profit as quickly as possible. The malware developers operate on the presumption that victims or security software will rapidly discover the malware, so it is preferable to move straight to the finish line.
Smash-and-grab strategy
The lure used by the AstraLocker 2.0 operators is a Microsoft Word document that conceals the ransomware payload as an embedded OLE object. The embedded program's filename is WordDocumentDOC.exe.
To run the payload, the user must select "Run" in the warning window that appears after the document is opened, which reduces the threat actors' chances of success.
Researchers point out that this approach is less sophisticated than the recent Follina vulnerability, which requires no user involvement, or even than the abuse of macros, which requires some user interaction.
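A defender-side check for the delivery method described above, added here as an example and not code from the article or from ReversingLabs: it opens a .docx container (a zip file) and flags any part under word/embeddings/ that carries a PE image, which is how an OLE-packaged executable such as the one the article describes would appear. The sample document is constructed inline; legacy binary .doc files are a different container and are not covered by this check.

```python
"""Flag .docx files whose embedded OLE objects contain a Windows executable."""
import io
import struct
import zipfile
from typing import List


def looks_like_pe(blob: bytes) -> bool:
    """True if the bytes contain an MZ/PE image at any offset.

    OLE "Package" objects wrap the original file inside a compound-file
    stream, so the PE header is usually not at offset 0; we scan for it.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if len(blob) >= pos + 0x40:  # full 64-byte DOS header present
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\0\0":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False


def embedded_executables(docx_bytes: bytes) -> List[str]:
    """Return the names of embedding parts that contain a PE image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/") and looks_like_pe(z.read(name)):
                hits.append(name)
    return hits


def build_sample_docx(embed_pe: bool) -> bytes:
    """Constructed minimal .docx; optionally embeds a fake PE stub as an OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embed_pe:
            stub = bytearray(b"MZ" + b"\0" * 0x3E)  # 64-byte DOS header
            struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> PE signature
            stub += b"PE\0\0" + b"\0" * 20
            # A constructed prefix stands in for the compound-file wrapper.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0" + b"\0" * 16 + bytes(stub))
    return buf.getvalue()


if __name__ == "__main__":
    print(embedded_executables(build_sample_docx(True)))
```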
Encryption set up
Despite its haste to encrypt, AstraLocker still performs certain basic ransomware actions: it attempts to disable security software, terminates running programs that could obstruct encryption, and avoids virtual machines, whose presence might indicate that it is being run by lab researchers.
After an anti-analysis check confirming that it is not running in a virtual machine and that no debuggers are attached to other running processes, the malware prepares the system for encryption, which uses the Curve25519 method.
The preparation procedure includes killing applications that might interfere with encryption, erasing volume shadow copies that would help the victim restore files, and disabling a number of backup and antivirus services. The Recycle Bin is simply emptied rather than having its contents encrypted.
AstraLocker origins
According to ReversingLabs' code analysis, AstraLocker is based on the stolen source code of Babuk, a dangerous but flawed ransomware strain that left the market in September 2021. Furthermore, one of the Monero wallet addresses listed in the ransom note is linked to the developers of the Chaos ransomware.
Judging by the tactics behind the most recent campaign, this is supposedly not the work of a sophisticated actor, but rather of someone determined to launch as many devastating attacks as possible.