AstraLocker 2.0 uses Word to infect computers

AstraLocker 2.0 is a ransomware that is distributed through a Word document attached to phishing emails.

ReversingLabs experts have spotted a new version of AstraLocker, a ransomware that appeared online in 2021 and is derived from Babuk, whose source code had been published on a dark web forum. The peculiarity of AstraLocker 2.0 is its infection method, which suggests that the cybercriminals behind it have limited skills. The malware can be detected and blocked by the various security solutions on the market, including those of Avira.

AstraLocker 2.0: smash and grab attack

The aim of the authors of AstraLocker 2.0 is to make a profit immediately through phishing attacks. Ransomware is usually delivered only at the end of the infection chain. In this case, the malware is hidden directly in the Word document attached to the email. If the user clicks on the OLE object embedded in the document, a dialog asks the user to run the "WordDocumentDOC.exe" file, i.e. the ransomware itself.
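A triage check for the delivery technique described above, added here as an example and not part of the original article or of the ReversingLabs analysis: it opens an OOXML Word document, looks at every embedded OLE object under word/embeddings/ (the standard OOXML location), and flags embeddings that carry the markers of a Windows executable. The sample document is constructed in memory and is not a real malware sample.

```python
import io
import zipfile

# Heuristic markers of a Windows PE executable: the "MZ" DOS header and the
# DOS-stub message. Inside an OLE Package stream the payload is normally stored
# uncompressed, so a plain substring search is sufficient for triage.
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode")


def find_embedded_executables(docx_bytes):
    """Return the names of embeddings in an OOXML Word document that look like
    PE executables (both markers present). An empty list means nothing found."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Embedded OLE objects live under word/embeddings/ in OOXML files.
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            if all(marker in data for marker in PE_MARKERS):
                suspicious.append(name)
    return suspicious


def build_sample_docx(with_executable):
    """Constructed test document (not a real sample): minimal OOXML parts plus
    one embedding that carries either a fake PE stub or harmless data."""
    if with_executable:
        # Fake DOS header and stub string only; this is not a runnable binary.
        payload = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
    else:
        payload = b"plain embedded data"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_executables(build_sample_docx(True)))   # flags oleObject1.bin
    print(find_embedded_executables(build_sample_docx(False)))  # []
```

Legacy binary .doc files are OLE2 containers rather than zip archives, so the same check there needs an OLE parser such as olefile to walk the storage streams.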

After checking whether it is running in a virtual machine, AstraLocker 2.0 stops all processes that may interfere with its encryption routine, which uses Curve25519, deletes shadow copies to prevent recovery, empties the recycle bin, locates network shares, and attempts to disable antivirus software. At the end of the encryption operation, a text file is created in which the cybercriminals demand $50 in Bitcoin or Monero for the decryptor, but it does not specify how to pay the ransom. The absence of an email address or Tor site may indicate an intention to carry out a destructive attack.

Source: ReversingLabs