This GoldenEye demand originally appeared in another color in Petya ransomware.
This GoldenEye demand originally appeared in another color in Petya ransomware.

A new spam campaign spreading GoldenEye ransomware has been detected in Germany, according to a report from Naked Security by Sophos.

The social engineering ploy delivers a one-two punch of ransomware, infecting recipients with not one but two demands for Bitcoin payoffs.

The email scourge targeting HR personnel arrives with two attachments, a PDF file and an Excel (XLS) document. The term "application" is in its subject line, so while the PDF file containing a résumé is innocuous, it lends credence to the supposed job application. The second page of the PDF includes a photo of the "job applicant" and the final page spurs recipients to click on the XLS file for further details.

A diligent staff member in the HR department investigating the credentials of the supposed job applicant enters dangerous waters at this point by clicking on the Excel file, which prompts them to alter Office settings – not an unusual request as Excel often prompts users with instructions to access files via Visual Basic for Applications (VBA) macros.

At that point, attackers can gain control of the target device, as well as download files from the web, save them to disk and initiate. And, the VBA delivers GoldenEye ransomware and launches it.

While not detectable at first, the malware begins encrypting data files on the hard disk and delivers its ransom demand, instructing victims on how to access the Tor browser to fetch a key to regain access to their files.

But, GoldenEye distinguishes itself by taking the process one step further: "It runs a modified version of the Petya ransomware to encrypt the Master File Table (MFT) of your hard disk as well," the Sophos report stated. The MFT is essential to the operation of the computer's hard disk. So, victims are hit twice, even if they pay for the initial decryption key. 

Petya and its tag team mate Mischa first appeared in March 2016. Petya, Mischa and GoldenEye refer to James Bond characters, and GoldenEye contains much of the same coding as the earlier iterations Petya and Mischa, leading to assumptions that they're all the creation of a coder calling himself Janus, another Bond reference, who until October 2016 ran a website for malware distribution and is bold enough to maintain a Twitter presence.

The ransom demand is hefty – 1.3 Bitcoins (around $1,000) – on each pay page, so being hit twice will cost victims close to $2,000 – and that's no assurance the decryption keys will be provided.

This new iteration is not hugely different, Paul Ducklin, senior technologist at Sophos and author of the report, told SC Media on Friday. "It's just giving suspicious users, who wouldn't open an unknown Excel file on its own, a believable reason to do just that. There's now a reason to open the XLS file that is psychologically detached from the original email. You read the email. Then you read the PDF. It's a plain, polite and unexceptionable file." 

The file gives the recipient a subtle, unthreatening invitation to interact, he says. In essence, it reads: "If you like, do take a look at the other file, where I have put all the dull and boring stuff that HR departments need. It's up to you. No pressure. And while you are thinking about it, here's a picture of me, a respectable-looking, polite young man looking for a respectable career. Have a nice day."

As far as what this new delivery method tells him about the coders, Ducklin said, "We can't read too much into it, but it does suggest that the crooks know full well that you can catch more flies with honey than with vinegar."

The message, he added, is that users need to remember that there are no everlasting rules that lets one pick out scams for sure. "Every time you claim you know what a scam looks like (e.g., "scams will contain spelling mistakes" or "scams will be in Office files"), the crooks get a hint for how to pull the wool over your eyes simply by being different."