Job seekers have become the target of a sophisticated ransomware campaign, recently identified and dubbed “XELERA.”
This campaign uses fake job offers from the Food Corporation of India (FCI) to lure victims into opening malicious Word documents.
These documents, once opened, initiate a complex infection chain that ultimately leads to the deployment of ransomware and other malicious activities.
Security analysts at Seqrite found that the infection chain starts with a spear phishing email: a highly targeted, personalized fraudulent message.
Initial Infection: Malicious Word Documents
The initial infection vector is a spear phishing email containing a malicious Word document named “FCEI-job-notification.doc.”
This document appears to be a legitimate job notification, detailing vacancies and eligibility criteria for various roles at FCI. However, embedded within the document is an OLE (Object Linking and Embedding) object that contains a compressed PyInstaller executable.
Upon extraction, the OLE object reveals a PE64 binary, which is a compressed PyInstaller executable named “jobnotification2025.exe.” This executable is the first stage of the malware, designed to evade detection by traditional antivirus software.
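As an added defender-side illustration (this code is not from the Seqrite write-up or the malware itself), the following triage scanner walks a document blob looking for an embedded PE image and the cookie magic that PyInstaller writes at the end of its bundled archive. The sample input is constructed to mimic a .doc carrying an OLE-packaged x64 PyInstaller executable; it is not the real lure.

```python
import struct

# Magic bytes at the start of PyInstaller's CArchive cookie ("MEI\014\013\012\013\016").
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def find_embedded_pe(blob: bytes) -> list:
    """Return (offset, arch) for every MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    start = 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0:
            break
        start = i + 1
        if i + 0x40 > len(blob):          # not even a full DOS header left
            continue
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        pe_off = i + e_lfanew
        if pe_off + 6 <= len(blob) and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
            hits.append((i, "x64" if machine == 0x8664 else "other"))
    return hits


def has_pyinstaller_cookie(blob: bytes) -> bool:
    """True if the PyInstaller archive cookie magic appears anywhere in the blob."""
    return PYINSTALLER_COOKIE_MAGIC in blob


def triage(blob: bytes) -> dict:
    """Summarise indicators a .doc with an OLE-embedded PyInstaller payload would show."""
    return {"embedded_pe": find_embedded_pe(blob), "pyinstaller": has_pyinstaller_cookie(blob)}


def build_sample() -> bytes:
    """Constructed stand-in for a lure document: OLE header, then an x64 PE stub, then a PyInstaller cookie."""
    ole_header = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature at +0x80
    pe = b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18
    stub = bytes(dos) + b"\x00" * (0x80 - 0x40) + pe
    return ole_header + b"A" * 16 + stub + b"payload" + PYINSTALLER_COOKIE_MAGIC + b"\x00" * 8


if __name__ == "__main__":
    print(triage(build_sample()))
```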
In the second stage, researchers used tools such as pyinstxtractor to extract the contents of the executable, revealing a complex structure of Python-compiled files. Key components include:
- mainscript.pyc: The main logic of the malware.
- Supporting libraries such as psutil, aiohttp, and asyncio, which facilitate system monitoring and network operations.
Decompiling the main.pyc file reveals extensive use of libraries like notoken887 and command, indicating a broader scope beyond ransomware deployment alone. The malware uses a Discord bot as a Command-and-Control (C2) server to execute remote commands on the victim’s machine.
Code snippet, “Discord Bot Commands”:

```python
# Example of Discord bot commands, as described in the analysis
commands = {
    "admin": "Run as admin",
    "nomouse": "Deny mouse and keyboard input",
    "checkfile": "Check for specific file",
    "bsod": "Trigger Blue Screen of Death",
}
```
The Discord bot is capable of performing a wide range of malicious activities, including:
- Privilege Escalation: Ensures the malware runs with admin privileges.
- System Control: Locks or shuts down the system.
- Credential Theft: Steals browser credentials and files.
- Visual Disruption: Alters wallpapers and causes visual effects.
The XELERA ransomware is deployed in the final stage, demanding a ransom in Litecoin. The ransomware includes functions to terminate Windows Explorer unless a specific executable is running, and it downloads an MBR corruption tool named MEMZ.exe.
Code snippet, “Ransomware Functions”:

```python
# Example of ransomware functions (stubs reflecting the behaviour described above)
def kill_explorer():
    # Terminate explorer.exe unless memz.exe is running
    pass


def create_memz_in_startup():
    # Download MEMZ.exe for MBR corruption
    pass
```
This scenario underscores the importance of cybersecurity awareness and the need for robust protection against such attacks.