Would you like a touch of Walter White with your malware?
Heimdal Security is reporting on a new ransomware campaign they’ve uncovered, which, at the time of this article, is still undetected by any of the 57 security products listed on Google’s VirusTotal antivirus aggregator.
This new ransomware wave is the fourth the company has detected only in September, and even if it uses traditional ransomware delivery methods, it’s still evading detection from known cyber-security providers.
The campaign is being spread in Scandinavia using spam emails, which come with a Word document attached. This file is booby-trapped with a malicious macro that, when the document opens, executes and downloads the ransomware on the victim’s PC.
Ransomware: I am the one who knocks!
The ransomware then goes on to encrypt the user’s most important documents, by renaming files with the “.breaking_bad” file extension.
Access to the encrypted files is locked, and owners can regain their data only after they pay the ransom by sending emails to two different Gmail accounts.
While the “.breaking_bad” file extension and the two different Gmail accounts is an imaginative touch, the way the ransomware is delivered is quite trivial, being also used by many other malware campaigns, not just ransomware.
The same old Microsoft Word macro trick
On this very same day, we reported on the Dyreza banking trojan, which used a similar technique of packing malware download instructions inside Word macros.
Word macros have also been used by a Chinese hacking group to target Russian military bases just this summer. And attackers are also using them to deliver old-school Visual Basic malware inside Word documents.
The reason why this technique is so beloved by the underground virus-making community is that it allows them to create malicious files which aren’t malicious at all.
This is probably the reason why the ransomware campaign is currently undetected in VirusTotal. The Word documents look like any other Word documents, because they only contain “a few instructions to download a file from the Web” inside a macro. That file can be anything: an image, a CSS file, or a malware payload. Since the malware is not actually packed inside the Word file, the only way to protect against this type of threats is by educating users to stop opening random Word files received via the Internet from unknown people.