Russian-Based Ransomware Attack Using Malware Targeting U.S. Industries Underway

This week, Abnormal Security researchers have been tracking recent well-disguised attacks from a Russian criminal enterprise who are using the Emotet trojan to drop Ryuk ransomware and BazarLoader for financial gain. The FBI and DHS issued a warning of an impending attack using Ryuk earlier this week, noting that healthcare and the public sector are the intended targets. Abnormal has detected these attacks being launched to a broader array of industries and targets, and have identified similar messages, which we will detail below.

The attacks are bypassing traditional email security protections as the payloads are being placed within cloud-based Google Docs and Microsoft Word files. 

Attack #1: Impersonating Internal Department for Financial Remittance

Figure 1: Email lure impersonating external legal department

The request is from a purported external vendor about a financial remittance. However, the attacker spoofed the vendor’s legitimate domain, which failed authentication. This was done so the target would trust the content of the email and click the link. We also observed a mail rule change which forked the conversation to an impersonated domain. The sender’s IP originates from a VPN service based out of Pokrova, Russia.

Attack #2: Impersonating External Vendor About Agreement Cancellation

Figure 2: Email lure impersonating external vendor about agreement cancellation

In this example, the attacker is impersonating a vendor, and is alerting the target about an end to an agreement. The attacker wants them to click on a Google Doc for compensation details.

Payload for Attacks #1 and 2: A Malware-Infected Excel Spreadsheet Posing as a Google Doc

Figure 3: The Google Doc link attempts to automatically download an Excel spreadsheet

In both cases, the email link leads to a page that automatically downloads a Microsoft Excel attachment that, when opened, will ask the user to “Enable Macros”.

The downloaded files contain VBA code that runs once “Enable Macros/Content” is selected. The VBA code will then launch a Powershell script which downloads a payload – a malicious executable file. With this, the attacker can do whatever they choose, typically downloading other malware or performing specific commands.

Attack #3: Impersonating Internal Department About Medical Report

Figure 4: Email lure impersonating internal operations team

The email is impersonating an internal contact attempting to send a medical report to a coworker. The main email itself does not contain a lot of content but does include impersonated forwarded information below the request (not shown) to give the appearance of a legitimate thread. 

Microsoft Office Wizard Prompting to Open on Desktop

Figure 5: Microsoft prompt for intended target to open link on desktop not mobile

If the user does not complete the task, a Microsoft Office prompt again asks them to view and edit the document by clicking “Enable Editing” and “Enable Content”.

Attack #4: Impersonating HR Department for Survey

Figure 6: Email lure impersonating internal HR department

The email is impersonating an internal contact attempting to send an HR survey to a coworker. The sending domain is not an official email address and the entity is being impersonated. 

Malware-Infected Survey Form on Google Drive

Figure 7: Employee survey on Google Drive that contains malware-infected links

The survey contains links to malware. The attacker is prompting the target to open the documents on desktops, not mobile devices, in order for the attack to carry out. 

Payload for Attacks #3 and #4: Infected Microsoft Word Doc with Macros

Figure 8: Microsoft Word doc with malware

In both cases, the link goes to a Microsoft Word document that asks the target to upgrade their edition to add new features by clicking Enable Editing and Enable Content. The result is running .exe files that infect the target with malware.

Conclusion

Based on the recent volume, these attacks are becoming more widespread. In each case, the threat actors are convincing the targets to take low consequence actions in order to execute the malware attacks. In hiding the malware within links and macros inside of Google Docs and Microsoft Word, the attackers are adding a layer of obfuscation to evade traditional email security protection.