Royal Mail Lures Deliver Open Source Prince Ransomware

    Date: 10/04/2024

    Severity: Critical

    Summary

    Proofpoint researchers discovered a campaign impersonating the British postal service, Royal Mail, to deliver Prince ransomware. This ransomware variant is available for free on GitHub, accompanied by a "disclaimer" stating it is intended solely for educational purposes. The campaign took place in mid-September, targeting individuals in the UK and the U.S. It was low-volume, affecting only a few organizations. Interestingly, most of the messages seemed to originate from contact forms on the targeted organizations' websites, suggesting that the actor also exploits public contact forms, rather than exclusively using direct email outreach.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    proton.me

    https://www.dropbox.com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip?rlkey=lvn0m26gns2vyrqq7ywmvbzui&st=1ztiqago&dl=1

    https://www.dropbox.com/scl/fi/km75dn4jxaa43o8jhfcrj/PACKAGE-0074752.zip?rlkey=rbehnzefvtuo179mi2y9j2gic&st=i2ahwky6&dl=1

    Hash (SHA-256):

    ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e

    e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149

    226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "https://www.dropbox.com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip?rlkey=lvn0m26gns2vyrqq7ywmvbzui&st=1ztiqago&dl=1" or url like "https://www.dropbox.com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip?rlkey=lvn0m26gns2vyrqq7ywmvbzui&st=1ztiqago&dl=1" or userdomainname like "https://www.dropbox.com/scl/fi/km75dn4jxaa43o8jhfcrj/PACKAGE-0074752.zip?rlkey=rbehnzefvtuo179mi2y9j2gic&st=i2ahwky6&dl=1" or url like "https://www.dropbox.com/scl/fi/km75dn4jxaa43o8jhfcrj/PACKAGE-0074752.zip?rlkey=rbehnzefvtuo179mi2y9j2gic&st=i2ahwky6&dl=1" or userdomainname like "proton.me" or url like "proton.me"

    Hash (SHA-256):

    sha256hash IN ("ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e","e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149","226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df")
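    The two queries above express one detection: an exact match on the two Dropbox download URLs or on the proton.me domain, and a set membership test on the three SHA-256 hashes. The script below is an added example, not part of the advisory or of Gurucul's product, that applies the same logic to constructed proxy and EDR log lines (the log format, field names and sample values are assumptions; only the indicator values are taken from the IoC list above). It normalizes the URL scheme and host before comparing, lower-cases hashes so a hit does not depend on how the endpoint agent reports them, and matches proton.me at the domain level, including subdomains.

```python
"""Match constructed proxy/EDR log lines against the advisory's IoCs (added example)."""
from urllib.parse import urlsplit

# Indicators copied verbatim from the IoC list in this advisory.
IOC_URLS = {
    "https://www.dropbox.com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip"
    "?rlkey=lvn0m26gns2vyrqq7ywmvbzui&st=1ztiqago&dl=1",
    "https://www.dropbox.com/scl/fi/km75dn4jxaa43o8jhfcrj/PACKAGE-0074752.zip"
    "?rlkey=rbehnzefvtuo179mi2y9j2gic&st=i2ahwky6&dl=1",
}
IOC_DOMAINS = {"proton.me"}
IOC_SHA256 = {
    "ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e",
    "e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149",
    "226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df",
}

# Constructed sample log lines (assumed format, not from the advisory):
# "<timestamp> <host> key=value key=value ...". Values contain no spaces.
SAMPLE_LOGS = r"""
2024-09-17T10:02:11Z ws-042 event=proxy url=https://www.dropbox.com/scl/fi/mu7msnqo874aordmf8fde/DELIVERY-0762219.zip?rlkey=lvn0m26gns2vyrqq7ywmvbzui&st=1ztiqago&dl=1
2024-09-17T10:02:40Z ws-042 event=file sha256=AD1983A13A06919C9B8DA04727EA3C210E9D19E0598C0811E4B8355B5A98589E path=C:\Users\a\Downloads\DELIVERY-0762219.zip
2024-09-17T10:05:03Z ws-017 event=proxy url=https://mail.proton.me/login
2024-09-17T10:06:55Z ws-017 event=proxy url=https://www.dropbox.com/scl/fi/other/quarterly-report.zip?dl=1
2024-09-17T10:07:12Z ws-099 event=file sha256=0000000000000000000000000000000000000000000000000000000000000000 path=C:\tmp\x.exe
"""


def parse_line(line):
    """Split one log line into a dict of fields; returns None for malformed lines."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    fields = {"ts": tokens[0], "host": tokens[1]}
    for token in tokens[2:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def normalize_url(url):
    """Lower-case scheme and host only; path and query are case-sensitive on Dropbox."""
    parts = urlsplit(url.strip())
    return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower()).geturl()


def match_record(fields):
    """Return the list of indicator matches for one parsed record (empty if clean)."""
    hits = []
    url = fields.get("url")
    if url:
        norm = normalize_url(url)
        # Equivalent of the advisory's `url like "<full URL>"`: an exact match.
        if norm in IOC_URLS:
            hits.append("url:exact")
        host = urlsplit(norm).hostname or ""
        # Domain indicator: the host itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("domain:" + host)
    digest = fields.get("sha256", "").lower()
    if digest in IOC_SHA256:
        hits.append("sha256:" + digest[:12])
    return hits


def scan_logs(text):
    """Return (line_number, host, hits) for every line that matches at least one IoC."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        fields = parse_line(line)
        if not fields:
            continue
        hits = match_record(fields)
        if hits:
            findings.append((n, fields["host"], hits))
    return findings


if __name__ == "__main__":
    for n, host, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {host}: {', '.join(hits)}")
```

    Two points worth keeping in mind when turning this into a production rule: a proton.me hit on its own is low-fidelity, since it is a widely used mail provider, so it is best treated as corroborating context for the URL or hash match on the same host rather than an alert by itself; and the Dropbox links carry a per-share `rlkey` value, so a re-upload by the actor produces a new URL that the exact-match rule will not catch, which is why the hash indicators and a separate rule for inbound contact-form submissions carrying file-sharing links are the more durable coverage.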

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/security-brief-royal-mail-lures-deliver-open-source-prince-ransomware 


    Tags

    Malware, Ransomware, Government Services and Facilities, Royal Mail, Prince
