ASEC reports the continued distribution of malware disguised as copyright violation warnings and job resumes, delivering the Beast ransomware and the Vidar Infostealer. The campaign uses external links in phishing emails, double compression (an ALZ archive inside a ZIP) to evade detection, and a pair of executables with misleading icons delivered via resume- and copyright-themed messages. #BeastRansomware #VidarInfostealer #MonsterRansomware #LockBit #MakopRansomware
Keypoints
- Malware is distributed through emails themed as copyright violation warnings or job resumes, delivering ransomware and the Vidar Infostealer.
- Delivery now relies on external links in emails to initiate downloads, rather than password-protected attachments.
- Final payload often consists of two executables with misleading icons (HWP/Excel) — Vidar Infostealer and Beast ransomware.
- Double compression (ALZ inside ZIP) is used to bypass anti-malware detection.
- Beast ransomware shows two variants: one encrypts and compresses with a “.BEAST.zip” extension, the other appends “.BEAST”; one variant may fail to compress.
- Beast scans SMB ports to identify lateral movement opportunities, including connecting to shared folders on the network.
- Vidar Infostealer connects to a C2 server (via public platforms like Telegram/Steam Community) and downloads DLLs to exfiltrate data, including cookies, Autofill data, and credit card numbers.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – External links in the email are used to induce downloads. ‘the method has been changed to include external links in the email to induce downloads.’
- [T1027] Obfuscated/Compressed Files and Information – The atob Base64 decoding step and nested ALZ compression are used to bypass detection. ‘the atob function is used to decode the Base64 encoded string data, which is then saved to the user’s PC as a compressed file’ and ‘an additional ALZ compressed file exists inside. This is interpreted as an attempt to bypass detection by anti-malware products based on compression option settings.’
- [T1036] Masquerading – Two executables with HWP/Excel icons are shown to mislead users. ‘two executable files with HWP/Excel icons can be seen.’
- [T1071.001] Web Protocols – Vidar communicates with its C2 server over public platforms like Telegram and Steam Community. ‘Vidar utilizes public platforms such as Telegram and Steam Community for communication with its C2 server.’
- [T1105] Ingress Tool Transfer – The sample downloads various DLL files from its C2 to extend capabilities. ‘downloads various DLL files to collect user information.’
- [T1005] Data from Local System – Vidar can collect cookies, Autofill data, credit card numbers, and files on the PC. ‘can target various information such as cookies, AutoFill data, credit card numbers, and even files present on the user’s PC.’
- [T1046] Network Service Scanning – Beast ransomware scans for active SMB ports as part of propagation. ‘scans for active SMB ports, indicating an intention to search for connectable shared folders on infected systems for the purpose of propagating through lateral movement.’
- [T1021.002] SMB/Windows Admin Shares – Lateral movement via shared folders using SMB. ‘search for connectable shared folders on infected systems for the purpose of propagating through lateral movement.’
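The double-compression pattern (ALZ inside ZIP, T1027) and the executables posing as documents (T1036) can both be caught at the mail gateway by looking at member content rather than file names. The following Python checker is an added example, not code from the ASEC report or from AhnLab: it walks a ZIP in memory, recursing into nested ZIPs up to a depth limit, and reports any member whose magic bytes mark it as an ALZ archive or a PE executable. The magic values (`ALZ\x01`, `PK`, `MZ`) and the constructed sample archive are assumptions for this example; only the member file names are taken from the report's IoC list.

```python
import io
import zipfile

# File signatures used here are assumptions for this example:
# ALZip archives begin with b"ALZ\x01", ZIP with b"PK", PE executables with b"MZ".
ALZ_MAGIC = b"ALZ\x01"
ZIP_MAGIC = b"PK"
PE_MAGIC = b"MZ"


def scan_zip_bytes(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a ZIP held in memory and report nested ALZ archives and PE executables.
    Each finding is (kind, member name, nesting depth). max_depth bounds the
    recursion so a deeply nested archive cannot exhaust the scanner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)  # enough bytes to test every magic above
            if head.startswith(ALZ_MAGIC):
                # ALZ inside ZIP: the double-compression pattern from the report
                findings.append(("nested_alz", info.filename, depth))
            elif head.startswith(PE_MAGIC):
                # PE content regardless of icon or name: what the user will run
                findings.append(("pe_file", info.filename, depth))
            elif head.startswith(ZIP_MAGIC) and depth < max_depth:
                findings.extend(scan_zip_bytes(zf.read(info), depth + 1, max_depth))
    return findings


def is_suspicious(findings: list) -> bool:
    """Flag the archive when it hides an ALZ archive or any PE at any depth."""
    return any(kind in ("nested_alz", "pe_file") for kind, _, _ in findings)


def build_sample() -> bytes:
    """Constructed sample (not a real malware artifact): an outer ZIP holding a
    fake ALZ blob plus an inner ZIP with two fake PEs named as in the report."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Copyright violation summary_240423 and take action.exe", PE_MAGIC + b"\x00" * 60)
        zf.writestr("Copyright violation summary_240423 and take action1.exe", PE_MAGIC + b"\x00" * 60)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("resume.alz", ALZ_MAGIC + b"\x00" * 60)
        zf.writestr("attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, name, depth in scan_zip_bytes(build_sample()):
        print(f"depth={depth} {kind}: {name}")
```

A real deployment would also open the ALZ member itself (the report notes the executables sit inside it), which needs an ALZ-capable extractor that the standard library does not provide.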
Indicators of Compromise
- [Hash] – 78cee04912b214f3436e3fed0c8a120f, bbda482f1ecce55c24e1a444c03da58e
- [File Name] – Copyright violation summary_240423 and take action1.exe, Copyright violation summary_240423 and take action.exe
Read more: https://asec.ahnlab.com/en/65364/