Security Alert: Booking.Com Fake Emails Infect Computers with Sodinokibi Ransomware

[harlan4096]

Opening attachments will download and run a dangerous GandCrab strain

A new spam campaign pretending to be from Booking.com is now targeting users. The emails carry a document containing macro code. If someone clicks on the document, opens it, and allows the execution of the macro code, a loader will be spawned.

This will download and run ransomware of the Sodinokibi class.

How does the fake Booking.com email that infects you with ransomware work?

Below you can see how a Sodinokibi ransomware email looks like:

–

From: [Compromised email account]

Subject:

Booking.]com – New booking! (1571165841, Monday, 17 June 2019)

Attached:

[name of recipient].doc

–

If one clicks on the content of the document, the embedded object will decode the file “ms-word.exe”.

Once the file is run, it will spawn a shell that will run the ransomware’s loader, as you can see below:

Similar to other ransomware families, the spawned shell will start with deleting shadow in order to make the restoration of the machine more complicated:

“C:\Windows\System32\cmd.exe” /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures.

The payload is difficult to be analyzed since the loader is packed with a custom packer.

The packer is different from variant to variant. But what they all have in common is that they always use a PE overwrite technique.

Then, it will connect to the following URL, from which it will run the main component (sanitized by CSIS) http://btta[.]xyz/hoja.exe.

Continue Reading