{
  "name": "Unmasking Cronus: How Fake PayPal Documents Execute Fileless Ransomware via PowerShell",
  "slug": "unmasking-cronus-how-fake-paypal-documents-execute-fileless-ransomware-via-powershell",
  "description": "The analysis reveals a sophisticated campaign employing fake PayPal receipts as lures to distribute a new variant of the Cronus ransomware. The infection chain begins with a malicious Word document containing an obfuscated VBA macro that downloads a PowerShell loader from a remote server. This loader employs reflective DLL loading to execute the fileless ransomware payload directly in memory, evading disk-based detection. The ransomware exhibits various malicious behaviors, such as enumerating and encrypting specific file types, terminating processes, establishing persistence, and manipulating clipboard data.",
  "published": "2024-08-07T06:32:29+00:00",
  "created_at": "2024-08-07T06:32:29+00:00",
  "modified_at": "2024-08-07T06:37:11+00:00",
  "created_at_opencti": "2024-08-07T06:32:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-07",
    "cronus",
    "fileless",
    "phishing",
    "powershell",
    "ransomware"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://eternal.lol/file/"
      },
      {
        "id": "",
        "name": "eternal.lol"
      },
      {
        "id": "",
        "name": "dd78c6dc62463aba24cdbea3968cbcc1c7b97a736ef069d99d6512b10c5e91f3"
      },
      {
        "id": "",
        "name": "afb95b1b2092020ed98312602c300f51daca14bb3d65503df3c5ca4776027987"
      },
      {
        "id": "",
        "name": "9ebf60ad31f0eb1fa303e0b00f9cc605c5013ea30771e6b14409cb70af7416cb"
      },
      {
        "id": "",
        "name": "69b6bc4db69680118781e7a9f2580738088930fa04884755f23904fa19e638e3"
      },
      {
        "id": "",
        "name": "629587e592130b86418d17d6b8cc52b6f378f39f1b5e8caa4038cfa7120b2a53"
      },
      {
        "id": "",
        "name": "42551531be1c5abfdd24a3465788c659a038141de61976787b0862664df95aad"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:388a7e14a94803de",
        "name": "Cronus Ransomware",
        "slug": "cronus-ransomware"
      },
      {
        "id": "legacy:malware:ceaf80cfb150d635",
        "name": "Cronus",
        "slug": "cronus"
      }
    ],
    "attack_patterns": [
      {
        "id": "f09219b3-9392-4711-89e4-cacd68586903",
        "name": "T1491.001"
      },
      {
        "id": "813f0426-e5bf-4655-91e4-0fe72f9b2e73",
        "name": "T1565.002"
      },
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/unmasking-cronus-how-fake-paypal-documents-deliver-fileless-ransomware-via-powershell/",
    "https://otx.alienvault.com/pulse/66b3311df1f0791c05cb53b7"
  ]
}