Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs

MITRE Techniques

• [T1566.001] Phishing – Spearphishing Attachment – AstraLocker 2.0 was distributed directly from Microsoft Word files used in phishing attacks. ‘recipients who opened the malicious Word attachment were required to make multiple, additional clicks to activate the embedded ransomware.’
• [T1204.002] User Execution – The lure requires user interaction to run the embedded executable; ‘the payload is stored in an OLE object; the lure only activates the ransomware if the user double clicks the icon in the document and consents to running an embedded executable named “WordDocumentDOC.exe:”‘
• [T1027] Obfuscated/Compressed Files and Information – The samples used an outdated packer SafeEngine Shielden v2.4.0.0 to complicate reverse engineering and injects indirect jumps to obfuscate control flow. ‘The packer checks running processes to determine if it is in an analysis environment…’
• [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks including VM detection and analysis-tool window-name checks. ‘The packer checks running processes to determine if it is in an analysis environment’ and ‘searched for … Regmonclass, the window name associated with Registry Monitor…’
• [T1562.001] Impair Defense – Stops backup/anti-malware/endpoint security tools and kills processes that could interfere with encryption. ‘Stops a list of backup and anti-malware and security services’ and ‘The AstraLocker malware also attempts to disable applications that may block- or interfere with the encryption of data.’
• [T1490] Inhibit System Recovery – Deletes Volume Shadow Copies to hinder recovery. ‘Deletes Volume Shadow Copies using the command … vssadmin.exe delete shadows /all /quiet.’
• [T1486] Data Encrypted for Impact – Encrypts files using Curve25519 after unpacking. ‘Encrypts files with the Elliptic Curve Cryptography algorithm Curve25519’