MirCorp Ransomware Spreads via Email Campaign
Share this:
MirCop is an old ransomware strain that used to deliver absurd ransom demands onto its victims an untested decryptor available
A new phishing campaign pretending to be supply lists infects users with the MirCop ransomware that encrypts a target system in under fifteen minutes. The actors begin the attack by sending an unsolicited email to the victim, supposedly following up on a previous arrangement about an order.
The email body contains a hyperlink to a Google Drive URL, which, if clicked, downloads an MHT file (webpage archive) onto the victim’s machine. Google Drive serves to introduce legitimacy to the email and aligns very well with common day-to-day business practices.
For threat actors, simple but key choices like this can distinguish between the victim clicking the URL or sending the email to the spam folder. Those who open the file can only see a blurred image of what a supplier list is supposedly, stamped and signed for an extra touch of legitimacy.
When the MHT file iis opened, it will download a RAR archive containing a .NET malware downloader from “hXXps://a[.]pomf[.]cat/gectpe.rar”. The RAR archive contains an EXE file, which uses VBS scripts to drop and execute the MirCop payload onto the infected system.
The ransomware activates immediately and starts taking screenshots, locks file, changes the background to a horrid zombie-themed image, and offers victims instructions on what to do next.
This whole process takes less than 15 minutes from the moment the victim opens the phishing email. Once after the process, the user is only allowed to open specific web browsers to communicate with the actors and arrange the payment of the ransom.
Attackers not interested in getting into the victim’s machine stealthily or staying there for long to conduct cyber-espionage or steal files for extortion.
Files associated with the MicroCop Ransomware
%Temp%\8x8x8
%Temp%\PassW8.txt
%Temp%\Sqlite.dll
%Temp%\VCGTUY.vBS
%Temp%\wl.jpg
%Temp%\x.exe
%Temp%\y.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicroCop.lnk
Registry entries associated with the MicroCop Ransomware
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\AppData\Local\Temp\wl.jpg"
