The .xlsb attachment downloads a PowerShell script, which retrieves a ZIP archive. Inside is the malware itself (also known as Java RAT or jRAT).
Cybercrime hits New Orleans with ransomware: Ryuk
New Orleans has also been hit by ransomware, Ryuk. On 13 December, computers were taken offline, offices were closed and the city government’s website was down after an attack was launched in the early morning. So far, no data appears to have been lost or stolen, but it is not clear how long city systems will remain offline, as officials still have to investigate the incident. Crucial public safety services are still up and running. Security researchers believe Ryuk is the malware that hit the city, based on files uploaded to the VirusTotal scanning service. In particular, Colin Cowie of Red Flare Security found a memory dump from the attack that contained numerous references to New Orleans alongside the malicious code.
How security researchers linked the attack to this malicious code
According to Bleeping Computer, the memory dump found by Cowie is of the executable ‘yoletby.exe’. It contains numerous references to New Orleans, including domain names and domain controllers, internal IP addresses, user names, file shares, and references to the Ryuk ransomware. The Ryuk strings in the dump included the HERMES file marker, file names ending with the .ryk extension, and references to the RyukReadMe.html ransom notes that Ryuk creates. Further investigation of the dump turned up a reference to a C:\Temp\v2.exe executable that had been run on the machine, and a memory dump for that file had also been uploaded to VirusTotal. Of particular interest in the v2.exe memory dump is a string referring to New Orleans City Hall. After further digging, researchers found the v2.exe executable itself and confirmed that it was Ryuk.
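The string triage described above is something any responder can repeat on a dump. The Python below is an added example, not code from the article or from the researchers it cites: it extracts ASCII and UTF-16LE strings from a raw blob, counts the Ryuk markers named in the text (HERMES, .ryk, RyukReadMe.html) and lists any drive-letter paths ending in .exe, which is how a reference like C:\Temp\v2.exe is pulled out of a dump and turned into the next sample to hunt for. The sample dump, the share name and the two-marker threshold are constructed assumptions for illustration.

```python
"""Triage a memory dump for the Ryuk string artifacts the article lists.

Added example, not code from the article or from the researchers it
cites. SAMPLE_DUMP and every name in it are constructed for illustration.
"""
import re
from collections import Counter

# Indicator strings named in the article: the HERMES file marker, the .ryk
# extension on encrypted files, and the RyukReadMe.html ransom note.
RYUK_MARKERS = ("HERMES", ".ryk", "RyukReadMe.html")

# Windows process memory mixes ASCII and UTF-16LE strings; pull both.
ASCII_STRINGS = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_STRINGS = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Drive-letter paths ending in .exe, e.g. C:\Temp\v2.exe.
EXE_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s\"']+\\)*[^\\\s\"']+\.exe", re.IGNORECASE)

# Constructed stand-in for a dump: a few artifacts separated by NUL padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"HERMES\x00\x00"                                    # file marker
    + b"Documents\\budget.xlsx.ryk\x00\x00"                # encrypted file name
    + "RyukReadMe.html".encode("utf-16-le") + b"\x00\x00"  # wide-string note name
    + b"C:\\Temp\\v2.exe\x00"                              # executable referenced by the dump
    + b"\\\\FILESRV01\\shares\\finance\x00"                # internal share name (constructed)
    + b"\xff" * 8
)


def extract_strings(blob: bytes) -> list:
    """Return printable ASCII and UTF-16LE strings (6+ chars) found in blob."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_STRINGS.finditer(blob)]
    wide_strings = [m.group().decode("utf-16-le") for m in WIDE_STRINGS.finditer(blob)]
    return ascii_strings + wide_strings


def triage(blob: bytes) -> dict:
    """Count Ryuk markers and collect executable paths from a dump."""
    strings = extract_strings(blob)
    markers = Counter()
    for s in strings:
        for marker in RYUK_MARKERS:
            if marker in s:
                markers[marker] += 1
    # Every .exe path is a pivot: a new sample to look for on the host or on VirusTotal.
    exe_paths = sorted({p for s in strings for p in EXE_PATH.findall(s)})
    return {
        "markers": dict(markers),
        "exe_paths": exe_paths,
        # Two or more distinct markers is a strong signal; one alone
        # (e.g. a stray ".ryk") is worth a look but not a verdict.
        "ryuk_likely": len(markers) >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

On a real dump, call triage(open(path, "rb").read()) and work through the exe_paths list first; in the case above that is exactly how yoletby.exe led to v2.exe.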
Are Emotet and TrickBot also involved?
If New Orleans was hit by Ryuk, there is also a high chance that Emotet and TrickBot infections are present on the network. Emotet is commonly spread through spam emails carrying malicious attachments. When an attachment is opened and macros are enabled, it installs the Trojan on the victim’s computer. Emotet then uses the infected computer to spam others with malicious attachments and to download further malware onto the machine. One of the most common payloads installed by Emotet is the TrickBot information-stealing Trojan. Once running, TrickBot connects back to a command and control server, from which it receives commands to load modules that steal information from the computer or install yet more malware. After the criminals have collected all the valuable information and data they can, TrickBot opens a reverse shell back to the Ryuk actors.
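The chain above starts with a macro-enabled attachment, and its first visible trace on an endpoint is an Office application spawning a script host. The detection below is an added example, not code from the article or any vendor’s rule set: it reads process-creation events in a Sysmon-like CSV shape (constructed here, not real telemetry) and flags Office applications spawning script hosts, plus any PowerShell launched hidden or with an encoded command. Field names, hostnames, paths, timestamps and the base64 blob are assumptions made for the sample.

```python
"""Flag the first visible step of the macro-based Emotet chain the article
describes: an Office application spawning a script host, usually followed
by PowerShell running hidden with an encoded command.

Added example, not the article's code or any vendor's rule. SAMPLE_EVENTS
is constructed in a Sysmon-like process-creation shape; hostnames, paths,
timestamps and the base64 blob are illustrative, not real telemetry.
"""
import csv
import io

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Flags that hide the PowerShell window or carry a base64 command.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")

# Constructed events. Rows 2 and 3 are the malicious chain: WINWORD -> cmd
# -> powershell with a hidden window and an encoded command (SQBFAFgA is
# "IEX" in UTF-16LE). Row 5 is a benign Office child (print helper).
SAMPLE_EVENTS = """\
utc,host,parent_image,image,command_line
2019-12-13T05:02:11Z,WS-FIN-07,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,"WINWORD.EXE /n invoice_8832.doc"
2019-12-13T05:02:40Z,WS-FIN-07,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\cmd.exe,"cmd /c powershell -w hidden -enc SQBFAFgA"
2019-12-13T05:02:41Z,WS-FIN-07,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell -w hidden -enc SQBFAFgA"
2019-12-13T05:10:03Z,WS-HR-02,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,"EXCEL.EXE /e"
2019-12-13T05:11:15Z,WS-HR-02,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\splwow64.exe,"splwow64.exe 12288"
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(csv_text: str) -> list:
    """Return one alert per event that trips at least one rule."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        cmd = row["command_line"].lower()
        rules = []
        # Rule 1: a document viewer has no business launching a script host.
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            rules.append("office_spawns_script_host")
        # Rule 2: hidden-window or encoded PowerShell, whatever the parent.
        if "powershell" in cmd and any(f in cmd for f in SUSPICIOUS_PS_FLAGS):
            rules.append("powershell_hidden_or_encoded")
        if rules:
            alerts.append({
                "utc": row["utc"], "host": row["host"],
                "parent": parent, "child": child, "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire on the WINWORD-to-cmd event and the second one fires again on the child PowerShell, while the EXCEL-to-splwow64.exe row stays quiet; an alert on the first rule is the moment to pull the attachment and the host off the network, before TrickBot has had time to load its modules.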