
Phishing Emails Deliver Scary Zombie-themed MirCop Ransomware


A new phishing campaign that poses as supply lists attacks users with the MirCop ransomware, which encrypts a target PC in less than fifteen minutes. 

The perpetrators start the attack by sending an unsolicited email to the victim, claiming to be following up on a previous order arrangement. The email body includes a hyperlink to a Google Drive URL that, when clicked, downloads an MHT file (webpage archive) to the victim's device. 

The use of Google Drive lends credibility to the email and is in accordance with standard business procedures. For threat actors, simple but crucial choices like this can determine whether the victim clicks the URL or sends the email to the spam folder. When people open the file, all they see is a fuzzy image of what appears to be a supplier list, stamped and signed for added legitimacy.

When the MHT file is opened, it downloads a RAR archive from “hXXps://a[.]pomf[.]cat/gectpe.rar” containing a .NET malware downloader. The EXE file in the RAR archive uses VBS scripts to drop and run the MirCop payload on the affected machine.

The ransomware starts capturing screenshots right away, locks files, changes the background to a terrifying zombie-themed graphic, and instructs victims on what to do next. The entire procedure, according to Cofense, takes less than 15 minutes from the time the victim opens the phishing email. 

Following that, the user is only able to use certain web browsers to contact the actors and arrange for the ransom payment. The actors have no interest in infiltrating the victim's computer discreetly or staying there for long to conduct cyber espionage or acquire files for extortion. On the contrary, the attack happens swiftly, and the source of the problem is noticeable to the victim instantly. 
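The delivery chain described above (RAR download from the quoted pomf.cat URL, an executable extracted from the archive launching a VBS script, then mass file activity within the fifteen-minute window Cofense reports) lends itself to a simple host-side correlation. The following is an added detection example, not code from Cofense, BleepingComputer or the article; the telemetry format and the sample events are constructed for illustration, and only the URL is taken from the article.

```python
"""Correlate constructed host telemetry to flag the MirCop delivery chain."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # the article: whole chain in under 15 minutes
INDICATOR_HOST = "a.pomf.cat"     # host of the RAR URL quoted in the article


def refang(url):
    """Turn a defanged indicator ('hxxps://a[.]pomf[.]cat') back into a real URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def stage_of(event_type, detail):
    """Map one telemetry event to a stage of the chain, or None if unrelated."""
    d = refang(detail.lower())
    if event_type == "download" and INDICATOR_HOST in d and d.endswith(".rar"):
        return "rar_download"
    if event_type == "process" and ("wscript.exe" in d or "cscript.exe" in d) and ".vbs" in d:
        return "vbs_launch"
    if event_type == "file_rename":
        return "file_rename"
    return None


def detect_mircop_chain(events, rename_threshold=100):
    """Return {host: [stages]} for hosts where a RAR download from the indicator
    host is followed within WINDOW by a VBS launch; a burst of renames in the
    same window (the encryption stage) is reported as 'mass_rename'."""
    per_host = {}
    for ts, host, etype, detail in sorted(events):
        stage = stage_of(etype, detail)
        if stage:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, staged in per_host.items():
        for t0, s in staged:
            if s != "rar_download":
                continue
            window = [st for t, st in staged if t0 <= t <= t0 + WINDOW]
            if "vbs_launch" in window:
                stages = ["rar_download", "vbs_launch"]
                if window.count("file_rename") >= rename_threshold:
                    stages.append("mass_rename")
                hits[host] = stages
                break
    return hits


# Constructed sample telemetry: (ISO timestamp, host, event type, detail).
EVENTS = [
    ("2021-11-09T09:00:05", "ws01", "download", "https://a.pomf.cat/gectpe.rar"),
    ("2021-11-09T09:00:40", "ws01", "process", r"C:\Users\u\AppData\Local\Temp\Rar$EXa0\order.exe"),
    ("2021-11-09T09:00:42", "ws01", "process", r"C:\Windows\System32\wscript.exe C:\Users\u\AppData\Local\Temp\drop.vbs"),
    ("2021-11-09T10:00:00", "ws02", "process", r"C:\Windows\System32\wscript.exe C:\scripts\logon.vbs"),
] + [("2021-11-09T09:%02d:%02d" % (3 + i // 60, i % 60), "ws01", "file_rename", "doc%d.docx" % i)
     for i in range(120)]  # 120 renames in two minutes: the encryption burst
```

A lone VBS launch on ws02 is not flagged; the rule fires only when the download and the script launch fall on the same host inside the window, which keeps scheduled logon scripts out of the alert.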

About the ransomware

MicroCop is an old ransomware strain known for making absurd ransom demands of its victims, at least until Michael Gillespie broke its encryption and released a free decryptor.

BleepingComputer was not able to verify whether that old decryptor still works with the payloads delivered in the most recent campaign, but it is possible that it can still unlock the files.

According to Cofense, the identical variant has been circulating since June of this year, indicating that MicroCop is still active and that people should be wary when dealing with unwanted emails.