New .DOC GlobeImposter Ransomware Variant Malspam Campaign Underway

Discussion in '0-day Release' started by silversurfer, Dec 23, 2017.

  1. silversurfer

    silversurfer Malware Tester Silver Member


    A new malspam campaign is underway that is distributing a GlobeImposter variant that appends the ..doc extension to encrypted files. This malspam is pretending to be photos being sent to the recipient and will have a subject line that starts in a similar way to "Emailing: IMG_20171221_".

    These malspam emails contain 7zip (.7z) archive attachments that are named after a camera photo's filename such as IMG_[date]_[number]. These 7z files contain an obfuscated .js file that when double-clicked on will cause the GlobeImposter ransomware to be downloaded from a remote site and executed.

    After the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the computer. When encrypting files on the computer it will append the ..doc extension to the encrypted file's name. For example, a file called 1.doc would be renamed to 1.doc..doc.

    MTAC Thread:
    revC0de, Der.Reisende, Trim and 2 others like this.
  3. revC0de

    revC0de MTAC Moderator Staff Member

    Thanks @silversurfer for adding useful info about this ransomware that you've posted in the MTAC forum :)

    It seems some versions of Locky contain code recycled from GlobeImposter and it seems strange Locky has appeared and disappeared many times without problems.
    These are well tested malcodes that can create many problems, even considering the naivety of many average users not so skilled in cybersec, unfortunately.
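The campaign traits listed in the first post (subject prefix, camera-style .7z attachment name, appended ..doc marker) can be turned into a mail-gateway and file-share triage check. This is an added example, not part of the thread; the function names, the sample message and the assumption that [date] is eight digits and [number] is all digits are constructed for illustration.

```python
import re
from email.message import EmailMessage
from pathlib import PurePath

# Patterns from the post; the digit counts are assumptions, not confirmed values.
SUBJECT_RE = re.compile(r"^Emailing:\s*IMG_\d{8}_", re.IGNORECASE)
ATTACH_RE = re.compile(r"^IMG_\d{8}_\d+\.7z$", re.IGNORECASE)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature at the start of every 7z archive

def score_message(msg):
    """Return the campaign traits matched by one parsed e-mail."""
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if not ATTACH_RE.match(name):
            continue
        hits.append("attachment-name")
        # Confirm the content really is 7z, not just a matching file name.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(SEVENZ_MAGIC):
            hits.append("7z-magic")
    return hits

def encrypted_names(paths):
    """Return paths whose file name carries the appended '..doc' marker."""
    return [p for p in paths if PurePath(p).name.lower().endswith("..doc")]

def build_sample():
    """Constructed sample e-mail shaped like the description (not a capture)."""
    m = EmailMessage()
    m["Subject"] = "Emailing: IMG_20171221_0042"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("See attached.")
    m.add_attachment(SEVENZ_MAGIC + b"\x00\x04", maintype="application",
                     subtype="x-7z-compressed", filename="IMG_20171221_0042.7z")
    return m

if __name__ == "__main__":
    print(score_message(build_sample()))
    print(encrypted_names(["1.doc..doc", "notes.doc", "C:/share/photo.jpg..DOC"]))
```

A message matching all three traits is a quarantine candidate; a burst of new ..doc names on a file share points to a host that is already encrypting.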
