Threat Actor Leverages Cronus Ransomware And Lures Victims With Fake PayPal Documents

An unidentified adversary had launched a sophisticated multi-stage campaign for deploying a file-less Cronus ransomware via PowerShell to target potential victims. This group achieved initial access through a malicious lure document deployed via a phishing campaign embedded with VBA macros and subsequently drops a PowerShell loader for subsequently deploying Cronus ransomware using reflective DLL loading. Threat actor establishes persistence onto infected systems via Startup folder and aims to evade detection through various techniques such as command obfuscation reflective DLL loading Process Injection obfuscation with junk code. This ransomware is packed with .Net reactor for performing various action on objectives after establishing foothold onto compromised systems like changing wallpaper encrypting specific files and terminating processes. It enumerates clipboard contents to replace it with adversarys BTC wallet address and subsequently drops a ransom note for demanding payment for decryption keys.