AstraLocker 2.0 infects users directly from Word attachments
2022-06-30 12:12

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators favour rapid, low-effort attacks that drop the payload directly from email attachments rather than staging it through a loader.

The lure used by the operators of AstraLocker 2.0 is a Microsoft Word document that hides an OLE object with the ransomware payload. The embedded executable uses the filename "WordDocumentDOC.exe".
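Because the lure described above carries the executable inside an OLE object embedded in the Word document, a defender can triage attachments by looking for embedded parts that contain a PE image. The following is an added example, not code from the original article or from ReversingLabs: it unpacks a .docx (an OOXML zip), scans every part under word/embeddings/ for an MZ header whose e_lfanew field points at a "PE\0\0" signature, and reports the hits. The byte scan is a heuristic: OLE objects in .docx are wrapped in a compound-file container, so the PE image is usually not at offset 0 and may in principle be split across sectors. The sample .docx built by build_sample_docx is constructed inline for demonstration and is not a real malware sample.

```python
import io
import re
import struct
import zipfile

# Location of embedded OLE objects inside an OOXML (.docx) package.
EMBEDDINGS_PREFIX = "word/embeddings/"


def find_pe_headers(blob: bytes):
    """Return the offsets of every 'MZ' header whose e_lfanew points at 'PE\\0\\0'.

    Heuristic: scans raw bytes, so it also finds PE images wrapped in an OLE
    compound-file container, as long as the image is stored contiguously.
    """
    hits = []
    for match in re.finditer(b"MZ", blob):
        off = match.start()
        if off + 0x40 > len(blob):
            continue  # too short to hold a full DOS header
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe_off = off + e_lfanew
        # Real PE files keep e_lfanew small; this also guards against junk values.
        if 0 < e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def scan_docx(data: bytes):
    """Return [(part_name, [pe_offsets])] for embedded parts that contain a PE image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith(EMBEDDINGS_PREFIX):
                continue
            offsets = find_pe_headers(zf.read(name))
            if offsets:
                findings.append((name, offsets))
    return findings


def build_sample_docx(with_exe: bool) -> bytes:
    """Construct a minimal .docx-shaped zip for demonstration (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_exe:
            # Fake PE image: 64-byte DOS header with e_lfanew = 0x40, then the PE signature.
            dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            fake_pe = dos_header + b"PE\x00\x00" + b"\x00" * 32
            # Prefix with a compound-file magic and padding to mimic the OLE wrapper.
            wrapper = b"\xd0\xcf\x11\xe0" + b"\x00" * 60
            zf.writestr("word/embeddings/oleObject1.bin", wrapper + fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("with embedded PE", True), ("clean", False)):
        print(label, "->", scan_docx(build_sample_docx(sample)))
```

Any hit is worth quarantining for analysis: legitimate documents rarely embed executables, and the check is cheap enough to run on every inbound attachment before a user can double-click the object. Legacy .doc files (a single compound file rather than a zip) can be fed to find_pe_headers directly.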

After an anti-analysis check to ensure that the ransomware isn't running in a virtual machine and that no debuggers are loaded in other active processes, the malware prepares the system for encryption, which uses the Curve25519 algorithm.

According to the code analysis of ReversingLabs, AstraLocker is based on the leaked source code of Babuk, a buggy yet still dangerous ransomware strain that exited the space in September 2021.

One of the Monero wallet addresses listed in the ransom note is linked to the operators of Chaos ransomware.

This could mean that the same operators are behind both malware families, or that the same hackers are affiliates of both ransomware projects, which is not uncommon.


News URL

https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/