There is a new ransomware going wild in Germany called Goldeneye, which is a variant of Petya. It’s targeting German-speaking users via email by attaching an application (Bewerbung) in Excel format (xls).
Once executed, it asks for permissions to execute macro code.
If the user has enabled macros by default or decides to enable it just once for this document, it’ll extract and drop an executable file which is the actual ransomware (writes to master boot record , encrypts files, asks for ransom).
Set SP4 = CreateObject("MSScriptControl.ScriptControl") SP4.Language = "JScript" If SP4.Eval(LQ3) Then End If
It uses MSScriptControl.ScriptControl to create a COM-Object which allows the execution of JScript code (which can also be used to execute any other supported language, such as VBScript).
The JScript code (here in: LQ3) itself is nothing special: it uses base64 to decode the executable file and writes it to disk by using Scripting.FileSystemObject which is then finally executed via Wscript.Shell.
The Goldeneye malware scores 100/100 on our system: