AstraLocker 2.0: Infection via Word attachment

Sicherheit (Pexels, allgemeine Nutzung)[German]Security researchers from ReversingLabs have tracked down a relatively unknown malware, which they have named AstraLocker. In version 2.0, the attackers have taken to loading the malicious payload directly from a Word document that is included as an attachment to a mail. This is unusual in that cyber attackers usually try to disguise the attack. Security researchers believe the group has limited cyber-attack capabilities, but gears its campaigns toward destruction.


The security researchers at ReversingLabs published their findings in this document. I came across this fact the other day via the following tweet.

AstraLocker 2.0

The new version of AstraLocker ransomware (AstraLocker 2.0) was recently discovered by ReversingLabs as part of phishing attacks. The phishing emails used Microsoft Word or Office files in the attachment as bait for the victims. The security researchers' analysis suggests that the threat actor responsible for this campaign likely took the underlying code for AstraLocker 2.0 from a leak of the Babuk ransomware in September 2021. The links between the two campaigns include shared code and campaign markers, while a Monero wallet address given for the ransom payment is linked to the Chaos ransomware gang.

According to security researchers, the "smash-and-grab" attack methodology and other characteristics indicate that the attackers behind this malware have limited skills. The goal, they say, is to cause disruption, while Babuk and other more sophisticated ransomware campaigns tend to be patient, methodical and deliberate in their approach to compromise.

AstraLocker 2.0 underscores the risk to organizations following code leaks like Babuk's, as a large number of low-skilled and highly motivated attackers use the code to launch their own attacks. Details on the analysis of the malware can be found here.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

1 Response to AstraLocker 2.0: Infection via Word attachment

Leave a Reply

Your email address will not be published.