AstraLocker 2.0 Infects Users Directly from Word Attachments

According to researchers, a lesser-known ransomware strain called AstraLocker has recently released its second major version. Its operators conduct rapid attacks that drop the payload directly from email attachments. The adversaries appear unconcerned with reconnaissance, identifying valuable files, or lateral movement within the network; instead they carry out smash-and-grab attacks designed to hit with maximum force.



Method


In the AstraLocker 2.0 campaign, the lure was a Microsoft Word document containing an OLE object that holds the ransomware payload, an embedded executable named "WordDocumentDOC.exe". The payload does not run on its own: the user must click Run in the warning dialog that Word displays after the document is opened. In keeping with AstraLocker's smash-and-grab strategy, the operators chose an embedded OLE object over VBA macros, which are the more common vehicle for distributing malware. The executable is additionally packed with SafeEngine Shielder v2.4, an old and outdated packer that makes reverse engineering the binary very difficult.
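The delivery technique above (an executable wrapped in an OLE package inside a Word document rather than a macro) leaves artefacts that can be triaged without opening the file. The following is an added example written for this page, not code from the researchers or from the AstraLocker operators: it unpacks a .docx as the OOXML zip it is, looks under word/embeddings/ for OLE compound files, checks for the \x01Ole10Native stream name that the Packager uses for arbitrary embedded files, and carves for a consistent MZ/PE header pair. The sample document and the embedded object it scans are constructed in the script (fake_pe_stub, fake_ole_package and build_sample_docx are illustrative helpers, not the real lure), so it runs offline.

```python
import io
import re
import zipfile

# Artefacts an embedded OLE package leaves behind in a .docx container.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # OLE compound file header
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")     # stream name used by the Packager
EMBED_DIR = "word/embeddings/"                          # where Word stores OLE objects


def looks_like_pe(blob):
    """Heuristic: find an 'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):          # not enough room for a DOS header
            break
        e_lfanew = int.from_bytes(blob[off + 0x3C:off + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            return True
    return False


def scan_docx(docx_bytes):
    """Triage a .docx: list embedded OLE objects and flag any that carry a PE image."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        embeddings = []
        for name in names:
            if not name.startswith(EMBED_DIR):
                continue
            blob = z.read(name)
            embeddings.append({
                "name": name,
                "is_cfb": blob.startswith(CFB_MAGIC),   # genuine OLE compound file?
                "packager": OLE10NATIVE in blob,        # Packager (arbitrary file) object?
                "pe": looks_like_pe(blob),              # carries a Windows executable?
            })
    return {
        "has_vba": "word/vbaProject.bin" in names,      # macro-based lures use this part instead
        "embeddings": embeddings,
        "suspicious": any(e["pe"] for e in embeddings),
    }


# --- constructed sample input (not the real AstraLocker lure) -------------------------

def fake_pe_stub():
    """Stand-in for a packed executable: a 64-byte DOS header plus a PE signature at 0x80."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> PE header offset
    return bytes(dos) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20


def fake_ole_package(payload):
    """Approximation of a Packager object: CFB header, a directory entry naming the
    \\x01Ole10Native stream, then the packaged file data. Real CFB layout is sector-based;
    this only reproduces the byte patterns the scanner keys on."""
    return CFB_MAGIC + b"\x00" * 504 + OLE10NATIVE + b"\x00" * 16 + payload


def build_sample_docx(embedded_blob):
    """Minimal constructed .docx (not a full Word file) carrying one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(EMBED_DIR + "oleObject1.bin", embedded_blob)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_docx(build_sample_docx(fake_ole_package(fake_pe_stub())))
    for entry in report["embeddings"]:
        print(entry)
    print("has_vba:", report["has_vba"], "suspicious:", report["suspicious"])
```

Two caveats for real use. The MZ/PE carve is a heuristic: compound-file streams are stored in 512-byte sectors and can be fragmented, so a production scanner should parse the container properly (the olefile library does this) and extract the \x01Ole10Native stream before inspecting it. Second, the payload in this campaign is packed with SafeEngine Shielder, so a PE header match only tells you an executable is present; what it does still has to be established dynamically or after unpacking.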


