In a concerning development within the realm of cybersecurity, job seekers have found themselves at the center of a sophisticated ransomware campaign known as “XELERA.” This malicious campaign exploits the hopes of individuals seeking employment by presenting them with counterfeit job offers from the Food Corporation of India (FCI).
At the heart of this campaign lies a series of deceptive emails that serve as the initial point of contact. These spear phishing emails are meticulously crafted to appear personalized and legitimate, enticing victims to open malicious Word documents.
Initial Infection: Malicious Word Documents
The spear phishing emails include an attachment named “FCEI-job-notification.doc,” which masquerades as a genuine job notification detailing various vacancies and eligibility criteria at FCI. However, embedded within this seemingly innocuous document is an OLE (Object Linking and Embedding) object that conceals a compressed PyInstaller executable.
Once extracted, the OLE object reveals a PE64 binary, specifically a compressed PyInstaller executable titled “jobnotification2025.exe.” This executable represents the first stage of the malware, designed with evasion techniques to bypass traditional antivirus detection.
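As an added example, not code from the original report or from the campaign: a small Python triage heuristic for the lure described above. It scans the raw bytes of a .doc file for an embedded PE header, checks whether that PE is 64-bit, and looks for the PyInstaller archive magic that every PyInstaller-packed binary carries. The sample input is constructed here, not taken from the real attachment.

```python
"""Triage heuristic: find an embedded PE and PyInstaller markers in a .doc's raw bytes."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
# Magic that PyInstaller writes into the CArchive cookie of every packed binary.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def find_embedded_pe(data: bytes) -> list:
    """Return (offset, machine) for every plausible PE header found in data."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature.
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 6 <= len(data) and data[pe:pe + 4] == PE_SIG:
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                hits.append((pos, machine))
        pos = data.find(MZ, pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Summarise the indicators relevant to this lure: embedded PE, PE64, PyInstaller."""
    pes = find_embedded_pe(data)
    return {
        "embedded_pe": len(pes) > 0,
        "pe64": any(m == IMAGE_FILE_MACHINE_AMD64 for _, m in pes),
        "pyinstaller": PYINSTALLER_MAGIC in data,
    }


def build_sample() -> bytes:
    """Constructed input: OLE header bytes, filler, a stub DOS/PE64 header, then the magic."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> 0x80
    stub = bytes(dos) + b"\x00" * (0x80 - len(dos))
    pe = PE_SIG + struct.pack("<H", IMAGE_FILE_MACHINE_AMD64) + b"\x00" * 18
    return (b"\xd0\xcf\x11\xe0" + b"\x00" * 508 + stub + pe
            + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 32)


if __name__ == "__main__":
    print(triage(build_sample()))
```

OLE compound files store streams in sectors that need not be contiguous, so a raw byte scan can miss fragmented or compressed objects; treat a hit as a reason to pull the object out with a proper OLE parser such as oletools' oleobj rather than as a full verdict.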
As the infection progresses to its second stage, researchers have uncovered the use of tools such as pyinstxtractor, which reveals a complex structure of Python-compiled files. Among the key components are:
- mainscript.pyc: The core logic of the malware.
- Supporting libraries: including psutil, aiohttp, and asyncio, which facilitate system monitoring and network operations.
Decompiling the main.pyc file exposes extensive use of libraries like notoken887 and command, suggesting a broader operational scope that extends beyond mere ransomware deployment. Notably, the malware employs a Discord bot as a Command-and-Control (C2) server, enabling it to execute remote commands on the victim’s machine.
Below is an example of the commands utilized by the Discord bot:
```python
# Example of Discord bot commands
commands = {
    "admin": "Run as admin",
    "nomouse": "Deny mouse and keyboard input",
    "checkfile": "Check for specific file",
    "bsod": "Trigger Blue Screen of Death",
}
```
This Discord bot is capable of executing a variety of malicious activities, including:
- Privilege Escalation: Ensuring the malware operates with administrative privileges.
- System Control: Locking or shutting down the system at will.
- Credential Theft: Stealing browser credentials and sensitive files.
- Visual Disruption: Altering wallpapers and creating visual disturbances.
In the final stage, the XELERA ransomware is deployed, demanding a ransom payment in Litecoin. This ransomware incorporates functions to terminate Windows Explorer unless a specific executable is active, alongside downloading an MBR corruption tool known as MEMZ.exe.
Here’s a glimpse into the ransomware functions:
```python
# Example of ransomware functions
def kill_explorer():
    # Terminate explorer.exe unless memz.exe is running
    pass


def creatememzin_startup():
    # Download MEMZ.exe for MBR corruption
    pass
```
This unfolding scenario underscores the critical importance of cybersecurity awareness and the pressing need for robust protective measures against such insidious attacks.