Seqrite Labs APT-Team recently uncovered multiple global campaigns utilizing fake PayPal lures to distribute a new ransomware variant known as Cronus. This malware is unique in its use of PowerShell, allowing it to execute directly in memory without writing any malicious content to the disk, evading traditional detection methods. The attack chain begins with a seemingly benign Word document, named paypal_charges.doc, that carries a malicious VBA macro. This macro, when executed, downloads the second-stage PowerShell loader, which uses reflective DLL loading to deploy the ransomware without ever saving files to the system’s storage.
Upon further investigation, Seqrite Labs discovered that the initial infection was triggered by a phishing email containing the malicious Word document. The embedded VBA macros were obfuscated with unnecessary code and junk comments to complicate the analysis. Once de-obfuscated, the script revealed a Base64-encoded string that prompted the download of the second-stage payload, a PowerShell loader disguised as a JPEG file. This loader was also heavily obfuscated, using multiple layers of junk code to make analysis difficult, and included embedded .NET assemblies that were loaded into memory through reflective loading.
The final payload consists of a malicious .NET assembly responsible for deploying the ransomware. After unpacking the assembly, Seqrite Labs discovered that it performs multiple actions to facilitate the ransomware’s functionality. These actions include process injection, file enumeration, and the encryption of specific file types. The ransomware uses AES encryption, with different methods applied depending on the file size. Files smaller than 512 KB are encrypted using the FULL_ENCRYPT method, while larger files are processed with the TRIPLE_ENCRYPT method, which encrypts the file in parts. The ransomware also alters the clipboard, replacing any cryptocurrency wallet addresses with the attacker’s own, aiming to steal ransom payments.
In addition to file encryption, the Cronus ransomware exhibits typical ransomware behavior, such as terminating critical system processes to prevent detection and ensure successful encryption. It also creates persistence on infected systems by adding itself to the registry, ensuring that it runs on system startup. The malware leaves a ransom note named cronus.txt, demanding payment in cryptocurrency. Seqrite Labs’ analysis revealed that the Cronus ransomware shares code similarities with other fileless malware campaigns, such as Revenge RAT and Async RAT, indicating that it is part of a larger trend in the development of sophisticated, fileless ransomware attacks. This attack highlights the growing sophistication of cybercriminals and the increasing use of fileless techniques to evade detection.
Reference: