GandCrab Ransomware Gets Distributed via Fake Shipping Notification Written in Korean

Analysis by: Maria Katrina Udquin

We recently observed a spam email making the rounds with the subject 'SHIPPED ORDER INCORRECT.' The spammed message purports to be a shipping order notification from a known courier delivery service company and tricks the recipient into opening an attachment in the email.

The email body is written in Korean and contains a RAR attachment that supposedly contains information about a parcel. The attachment has an executable file named Fedex-info_2019-05-15_02-24.dok, which is a variant of GandCrab ransomware (detected by Trend Micro as Ransom.Win32.GANDCRAB.TIOIBOCX). Once executed, the EXE file terminates a certain list of processes running in the affected system's memory, encrypts files in the system, and drops a ransom note.

To prevent system infection, we recommend that users refrain from opening unsolicited emails, especially those with attachments. Security solutions with anti-spam filtering weed out spammed messages such as this one.
  • ENGINE:8.1
  • PATTERN:4620
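The following is an added example (not part of the original advisory or Trend Micro's own tooling) of the kind of gateway check that the anti-spam recommendation above describes. It screens an inbound message for the lure described here: the reported subject line, an archive attachment, and a file whose extension is not executable but whose bytes begin with a PE image header (the `.dok` pattern). The sample message, its Korean body text and the attachment bytes are constructed for the example; the archive here is not unpacked (that would need a third-party RAR library), so the `.dok` attachment stands in for the file after a gateway has extracted it.

```python
"""Added example: screen an inbound mail for the fake shipping-notice lure.

Assumptions: Python 3.9+ standard library only; the mail gateway hands us the
raw RFC 5322 bytes and, for archives, the extracted member files.
"""
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECTS = {"shipped order incorrect"}   # subject line reported in the advisory
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
PE_MAGIC = b"MZ"                              # DOS/PE image header
RAR_MAGIC = b"Rar!\x1a\x07"                   # RAR archive signature


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons an attachment is suspicious; an empty list means none found."""
    reasons = []
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # A PE image hiding behind a document-looking extension (e.g. ".dok")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE image with non-executable extension {ext!r}")
    # Archives must be unpacked and their members rescanned before delivery
    if data.startswith(RAR_MAGIC) or ext in ARCHIVE_EXTS:
        reasons.append("archive attachment; unpack and rescan contents before delivery")
    return reasons


def screen_message(raw: bytes) -> dict:
    """Parse a raw message and decide whether it should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", "")).strip()
    report = {
        "subject": subject,
        "lure_subject": subject.lower() in LURE_SUBJECTS,
        "attachments": {},
        "quarantine": False,
    }
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(fname, payload)
        report["attachments"][fname] = reasons
        if reasons:
            report["quarantine"] = True
    # A known lure subject carrying any attachment is enough on its own
    if report["lure_subject"] and report["attachments"]:
        report["quarantine"] = True
    return report


def build_sample_message() -> bytes:
    """Constructed sample that mimics the lure; the bytes are synthetic, not the real malware."""
    msg = EmailMessage()
    msg["Subject"] = "SHIPPED ORDER INCORRECT"
    msg["From"] = "notice@example.invalid"
    msg["To"] = "user@example.invalid"
    # Constructed Korean body text: "Please check the shipping information."
    msg.set_content("배송 정보를 확인해 주세요.")
    msg.add_attachment(RAR_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="Fedex-info.rar")
    # Stand-in for the archive member after extraction: PE header, ".dok" extension
    msg.add_attachment(PE_MAGIC + b"\x90\x00" * 32, maintype="application",
                       subtype="octet-stream", filename="Fedex-info_2019-05-15_02-24.dok")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in screen_message(build_sample_message())["attachments"].items():
        print(name, "->", why or "clean")
```

The magic-byte check is what catches the renamed executable: the extension says document, the first two bytes say PE image. A gateway that only keys on extensions would pass `.dok` straight through.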