The second version of the AstraLocker ransomware has recently been released; its operators distribute the payload directly from Word files attached to phishing emails. Researchers describe this case as uncommon, since the payload is dropped very quickly compared with the usual instances in which threat actors put effort into hiding malware from detection.
Moreover, the operators of AstraLocker are less cautious about being tracked, spend less effort assessing the victim’s servers, and do not bother moving laterally across networks. Instead, they focus on dropping the ransomware on the victim immediately, for the maximum destructive impact they can achieve.
The AstraLocker 2.0 operators used an MS Word file as a lure that hides an OLE (object linking and embedding) object carrying the ransomware.
The embedded executable, named ‘WordDocumentDOC[.]exe,’ is launched when the user clicks the “Run” button in a prompt dialog box shown before the document opens. Researchers said that this step reduces the operators’ chances of success, but the ‘smash-n-grab’ tactic remains their preferred approach to distributing the payload and infecting victims.
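As an added triage example, not code from the article or from the researchers it cites, the following Python scans a .docx for embedded OLE objects that carry an executable label or PE bytes, the way the lure described above does. It assumes the OOXML zip layout (word/embeddings/*.bin) and uses string heuristics rather than a full OLE compound-file parser, so it can miss objects whose bytes are split across sectors and it does not cover legacy binary .doc files.

```python
import io
import re
import struct
import zipfile

# Heuristic markers (assumptions, not taken from the article): a PE file starts
# with "MZ" and usually carries this DOS stub message within its first bytes.
DOS_STUB = b"This program cannot be run in DOS mode"
# Printable label ending in an executable extension, e.g. "WordDocumentDOC.exe".
EXE_LABEL = re.compile(rb"[\x20-\x7e]{1,120}\.(?:exe|scr|com|bat|cmd|js|vbs|ps1)",
                       re.IGNORECASE)


def scan_docx_embeddings(docx_bytes: bytes) -> list:
    """Return one finding per suspicious OLE object embedded in a .docx.

    Office stores embedded OLE packages as word/embeddings/*.bin inside the
    OOXML zip. This does not parse the OLE compound file; it only looks for an
    executable label or PE bytes, so it is a triage check, not a verdict.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            labels = sorted({m.group(0).decode("ascii", "replace")
                             for m in EXE_LABEL.finditer(data)})
            has_pe = b"MZ" in data and DOS_STUB in data
            if labels or has_pe:
                findings.append({"part": name, "labels": labels,
                                 "pe_stub": has_pe, "size": len(data)})
    return findings


def build_sample_docx(embed_executable: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_executable:
            # Mimic an Ole10Native-style package: size/flags header, label, then PE bytes.
            fake_pe = b"MZ" + b"\x90" * 60 + DOS_STUB + b"\x00" * 64
            blob = (struct.pack("<IH", len(fake_pe), 2)
                    + b"WordDocumentDOC.exe\x00" + fake_pe)
            zf.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()
```

Calling scan_docx_embeddings(build_sample_docx(True)) reports the oleObject1.bin part with the label WordDocumentDOC.exe and pe_stub set to True, while the clean variant returns an empty list.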
Researchers are also puzzled as to why the AstraLocker operators pack the payload with an outdated version of a packer, SafeEngine Shielder v2.4.0.0.
Nonetheless, if the malware successfully enters a victim’s machine, it performs anti-analysis checks to verify that the payload is not running inside a virtual machine and that no debuggers are present among the active processes. If these checks pass, the malware prepares for system encryption using a Curve25519-based algorithm.
The ransomware prepares by terminating processes that could disrupt encryption, deleting backup copies that could help the victims restore their files, and blocking all existing antivirus tools on the computer that could hinder the operation.
Security experts stated that the AstraLocker ransomware is based on the Babuk ransomware’s leaked source code. The ransomware is also linked to the Chaos ransomware strain, since the researchers found a Monero wallet address in the ransom note that associates AstraLocker with that group.