Cybercrime gangs suffer a new blow: GandCrab member arrested in South Korea
Cybercrime gangs suffer a new blow. According to The Record, a suspected GandCrab ransomware member was arrested in South Korea for using phishing emails to infect victims. The suspect, whose name was not released, operated as a customer (affiliate) of the GandCrab Ransomware-as-a-Service (RaaS) operation. Police say the suspect took copies of the GandCrab ransomware and distributed them via email to victims across South Korea. Between February and June 2019, the suspect sent nearly 6,500 emails to South Koreans. The emails mimicked official communications from local police stations, the Constitutional Court, and the Bank of Korea. The suspect’s attacks stopped in June 2019, after the malware group announced its retirement and moved on to create and run the REvil (Sodinokibi) RaaS instead, which focused on infecting companies rather than regular users.
The suspect was tracked via cryptocurrency transactions. It’s the third international operation against ransomware/malware groups: before this, the Emotet botnet and the NetWalker group had been disrupted.
The GandCrab operator arrest was the result of an international investigation led by Interpol. Law enforcement agencies from ten countries are involved in the investigation. Authorities also said they tracked the suspect through cryptocurrency transactions associated with the ransomware operation, which led them to the suspect’s bank account, despite his use of a chain of servers and IP addresses to hide his real location. He is the second member or affiliate of the cybercrime gang caught by police since the malware’s retirement: a 31-year-old suspect was previously arrested in Belarus in August 2020. Moreover, the new operation follows the ones that recently disrupted the Emotet botnet and the NetWalker ransomware group.