GandCrab’s Rotten EGGs Hatch Ransomware in South Korea

The VenusLocker group appears to be back, hatching a fresh GandCrab ransomware campaign, so to speak, using the EGG niche file type. The emails with EGG attachments are meant to specifically take aim at South Korean users.

Trend Micro researchers, who first observed the offensive campaign in early August and posted about it today, noted that the attachments are being used to deliver the GandCrab v4.3 ransomware. The firm said the rash of emails uses “e-commerce violation” lures; for instance, a common subject line reads “[Fair Trade Commission] Notice of Investigation of Violation of E-Commerce Transaction” in English.

By way of background, EGG (.egg) is a compressed archive file format that would seem exotic in most places around the globe – but in South Korea it’s the default format, much akin to ZIP files in the U.S. It was developed by a South Korean company called ESTsoft in 1999, as part of its multi-format compression utility ALZip. Even now, EGG files can only be uncompressed using the ALZip tool.

“Many South Korean users might find it odd if an archived file was sent to them by a friend or colleague in an archive file format other than .EGG,” said independent security researcher Graham Cluley.

Trend Micro researcher Donald Castillo in a post Monday cited further evidence that the operators behind the spam are specifically going after South Korean users: The use of the specifically South Korean alphabet, Hangul, in the spam mails’ subject, body and filename attachment.

In the Trend Micro analysis of the campaign, the EGGs are most definitely rotten, filled with three files bent on malicious intent. There are two shortcut .lnk files that are disguised to appear as documents, and an executable that disappears once the user decompresses the EGG file. The hidden executable carries the GandCrab payload; it unpacks once a user clicks on either one of the two files that purport to be the documents.

As for attribution, “Within the .lnk files, ‘VenusLocker_korean.exe’ is inscribed, which could mean that the VenusLocker group was behind the distribution of spam mails,” said Castillo.

This would mark yet another reinvention for the group. VenusLocker has a long history of targeting South Korean users via phishing campaigns, usually distributing its own proprietary ransomware. Last December, however, it was observed changing tactics, following broader trends in the threat landscape to ditch ransomware for cryptomining. In that campaign, it went after users to implant Monero mining malware using EGG archives, plus using the same hidden file technique and types of decoy shortcut files used in this latest effort.

Switching back to ransomware now also follows global trends: Data from Trend Micro shows that GandCrab was the second-highest detected ransomware family globally from March to July 2018, despite its command-and-control servers being seized by Romanian Police and Europol in March.

The criminals behind GandCrab quickly tweaked the malware after the takedown to keep ransomware payments coming in; the group has been staying profitable and staying one-step ahead of white hats by adopting a unique, highly agile malware development approach.