Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell
Essential information
- Published: 07/08/2024 08:32
- Modified: 07/08/2024 08:37
- Tags: 2024-08-07, cronus, fileless, phishing, powershell, ransomware
- Related entities: 8 observables, 11 techniques (MITRE), 2 malware
Description
The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This loader employs reflective DLL loading to execute the fileless ransomware payload directly in memory, evading disk-based detection. The ransomware exhibits various malicious behaviors, such as enumerating and encrypting specific file types, terminating processes, establishing persistence, and manipulating clipboard data.