
A group of digital attackers are staging a spam email campaign to target South Korean users with GandCrab v4.3 ransomware.

On 7 August, researchers at Trend Micro first came across instances of the spam campaign. The attack emails arrived under the guise of an online business violation. The messages themselves used Hangul, an alphabet system used in South Korea, to inform the recipient that they’d be receiving formal notice of this violation in the near future.

An instance of the spam campaign. Its subject translates into English as “[Fair Trade Commission] Notice of Investigation of Violation of E-Commerce Transaction.” (Source: Trend Micro)

Here’s a translation of part of the email:

“’Unfair e-commerce notification’ has been filed against your head office, I will let you know that I am going to do it.”

Included in the emails analyzed by Trend Micro is a .egg compressed archive file. Upon decompression using ALZip, the .egg archive yields three files. One of them is a .exe file, while the other two are .lnk files disguised as Microsoft Word documents within which “VenusLocker” is inscribed. When paired with an analysis from FortiGuard Labs, this finding suggests that the VenusLocker threat group has targeted South Korean users with spam emails through the spring and summer of 2018.

Clicking either of the .lnk files causes a hidden file to execute. This concealed resource is GandCrab v4.3 ransomware, a threat which upon execution contacts its command and control (C&C) server and begins encrypting files on the infected machine.
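For defenders screening attachments like the ones described above, the following added example (not code from Trend Micro or the original article) shows how extracted archive members can be checked for Windows shortcut content by header rather than by file name. It assumes the archive has already been unpacked in a sandbox; the header constants come from Microsoft's [MS-SHLLINK] specification, and the file names, the `triage` and `build_header` helpers and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Constants from the Shell Link (.LNK) Binary File Format, [MS-SHLLINK]
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
FLAGS = {0x20: "HasArguments", 0x40: "HasIconLocation"}
SW_SHOWMINNOACTIVE = 7
DOC_EXTS = (".doc", ".docx", ".rtf", ".pdf")  # assumed list of lure extensions

def parse_lnk_header(data):
    """Return header fields if data starts with a shell link header, else None."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        return None
    (show,) = struct.unpack_from("<I", data, 60)  # ShowCommand field
    return {"flags": [n for bit, n in FLAGS.items() if flags & bit], "show": show}

def triage(name, data):
    """List reasons an extracted archive member deserves analyst attention."""
    hdr = parse_lnk_header(data)
    if hdr is None:
        return []
    lower = name.lower()
    reasons = ["shell link delivered inside an email attachment"]
    if not lower.endswith(".lnk"):
        reasons.append("shell link content without a .lnk extension")
    # Explorer never displays the .lnk suffix, so "x.doc.lnk" is shown as "x.doc"
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if stem.endswith(DOC_EXTS):
        reasons.append("name imitates a document")
    if "HasArguments" in hdr["flags"]:
        reasons.append("shortcut passes command-line arguments")
    if "HasIconLocation" in hdr["flags"]:
        reasons.append("icon is set explicitly")
    if hdr["show"] == SW_SHOWMINNOACTIVE:
        reasons.append("target window starts minimized")
    return reasons

def build_header(flags, show=1):
    """Constructed sample: a bare 76-byte header, not a file from the campaign."""
    head = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID.bytes_le, flags, 0)
    return head + bytes(32) + struct.pack("<I", show) + bytes(12)

if __name__ == "__main__":
    for reason in triage("notice.doc.lnk", build_header(0x60, SW_SHOWMINNOACTIVE)):
        print(reason)
```
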

Given this latest attack campaign, it’s important that users and organizations alike take steps to protect themselves against ransomware. They can do so by keeping on top of OS patches, training themselves and their employees not to click on suspicious links or email attachments, and backing up their data on a regular basis.