Key points
- Actors used public website contact forms (and Proton Mail addresses) to deliver lures impersonating Royal Mail.
- Emails contained unique PDFs linking to Dropbox-hosted ZIP archives that nested a password-protected ZIP and a password text file.
- Execution chain used a shortcut (LNK) that embedded obfuscated JavaScript, which wrote and launched multiple PowerShell scripts.
- PowerShell scripts implemented an AMSI bypass, a CMSTP UAC bypass via an INF, and created a scheduled task for persistence.
- Registry-stored Base64 blobs were decrypted (AES + Gzip) and loaded as a .NET assembly that matched the open-source Prince Ransomware builder.
- Ransomware displayed a Windows Update splash, appended the .womp extension, and left a ransom note but lacked exfiltration and reliable decryption mechanisms.
- Artifacts include Proton Mail sender addresses, Dropbox payload URLs, multiple SHA256 hashes, and a Bitcoin wallet address for payment.
MITRE Techniques
- [T1059.001] PowerShell – Used to run scripts (PS1.ps1 and PS2.ps1) to bypass security mechanisms.
- [T1059.006] JavaScript – Executed obfuscated JavaScript to perform malicious actions.
- [T1053.005] Scheduled Task – Created a task to run every 20 minutes under specific conditions.
- [T1027] Obfuscated Files or Information – Heavily obfuscated scripts to evade detection.
- [T1071] Application Layer Protocol – Used Dropbox for command and control and file delivery.
- [T1486] Data Encrypted for Impact – Files were encrypted and renamed with a specific extension.
Indicators of Compromise
- [Email addresses] Attacker sender/reply-to – tedra_yrigollen@proton[.]me, chitra_mcintire@proton[.]me
- [SHA256 hashes] Malicious attachments – ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e, e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149 (and 1 more hash)
- [Payload URLs] Dropbox-hosted ZIPs – hxxps://www[.]dropbox[.]com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip?rlkey=…, hxxps://www[.]dropbox[.]com/scl/fi/km75dn4jxaa43o8jhfcrj/PACKAGE-0074752.zip?rlkey=…
- [File names] Attachments/archives/notes – invoice.pdf, PACKAGE-0074752.zip (also: invoice.zip, privacy notice.txt, Decryption Instructions.txt)
- [Wallet address] Ransom payment – bc1qszvk94jc7tmlac6we7ktkz09p924h6ahaq4qnz
Proofpoint’s observed detonation chain begins with a contact-form-originated email containing a Royal Mail–themed PDF linking to a Dropbox ZIP. The initial ZIP held a password-protected archive and a text file with its password; the inner archive contained a shortcut (LNK) which, when opened, used a for-loop and findstr to extract embedded obfuscated JavaScript and execute it via WScript from %temp%.
The JavaScript dropped several files (PS1.ps1, PS2.ps1, PS3.ps1, JS2.js) and invoked PowerShell with -ep bypass -nop to run them. PS1 implemented an AMSI bypass via .NET reflection, PS2 performed a CMSTP/INF UAC bypass to invoke JS2.js, and JS2.js re-ran the AMSI bypass before executing PS3. PS3 deleted the dropped files, wrote three Base64 blobs to the registry, and created a scheduled task (runs every 20 minutes, only on AC power after 15 minutes idle) that ran an encoded PowerShell payload.
The scheduled task decoded registry blobs (AES decrypt using stored key/IV → Gzip decompress → Base64 decode) to load a .NET assembly (likely ConfuserEx-obfuscated) that matched the open-source Prince Ransomware builder (including the same Imgur PNG behavior). The ransomware displayed a Windows Update splash, appended “.womp” to files, and dropped a ransom note, but the chain contained no network exfiltration or reliable means to map payments to victims, making the outcome destructive rather than functional ransomware.
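The stages described above each leave a distinctive process-creation footprint (cmd.exe with findstr writing to %temp%, WScript running a .js from %temp%, PowerShell with -ep bypass -nop, cmstp.exe handed an .inf, and a task-launched encoded PowerShell command). The following Python is an added detection example, not code from the Proofpoint report; it matches constructed process-creation events against those stages and flags a host when several of them co-occur. The event field layout, the sample command lines, and the assumption that task-launched processes show svchost.exe as parent are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name (assumed field layout)
    image: str    # child image name
    cmdline: str  # full command line as logged

# (stage name, parent pattern or None, image pattern, command-line pattern)
STAGES = [
    ("lnk_findstr_extract", r"explorer\.exe", r"cmd\.exe",
     r"findstr.*%temp%|for\s+/f.*findstr"),
    ("wscript_from_temp", None, r"wscript\.exe",
     r"%temp%[^ ]*\.js|appdata\\local\\temp\\[^ ]*\.js"),
    ("powershell_ep_bypass_nop", None, r"powershell\.exe",
     r"(-ep|-executionpolicy)\s+bypass.*-nop|-nop.*(-ep|-executionpolicy)\s+bypass"),
    ("cmstp_inf_uac_bypass", None, r"cmstp\.exe", r"\.inf\b"),
    ("encoded_powershell_from_task", r"svchost\.exe", r"powershell\.exe",
     r"(-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
]

def match_stages(events):
    """Return the stage names hit, in event order (repeats kept)."""
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in STAGES:
            if parent_re and not re.search(parent_re, ev.parent, re.I):
                continue
            if re.search(image_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I):
                hits.append(name)
    return hits

def chain_verdict(events, min_stages=3):
    """Flag the host when at least min_stages distinct stages of the chain appear."""
    distinct = list(dict.fromkeys(match_stages(events)))  # dedupe, keep order
    return {"stages": distinct, "suspicious": len(distinct) >= min_stages}

# Constructed sample events modelled on the chain; not real telemetry.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe",
              'cmd /c for /f "tokens=*" %i in (\'findstr /b "JS:" invoice.lnk\') do echo %i > %temp%\\1.js'),
    ProcEvent("cmd.exe", "wscript.exe", f"wscript.exe {TMP}\\1.js"),
    ProcEvent("wscript.exe", "powershell.exe", f"powershell.exe -ep bypass -nop -f {TMP}\\PS1.ps1"),
    ProcEvent("powershell.exe", "cmstp.exe", f"cmstp.exe {TMP}\\setup.inf"),
    ProcEvent("svchost.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),
]
BENIGN_EVENTS = [ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -nop -c Get-Date")]

if __name__ == "__main__":
    print(chain_verdict(SAMPLE_EVENTS))
```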