Proofpoint researchers have identified a new campaign delivering the Prince ransomware while impersonating the British postal carrier Royal Mail. Prince ransomware is an open-source variant available on GitHub with a “disclaimer” stating that it is only intended for educational use.
The campaign, which took place in mid-September, primarily targeted individuals in the UK and the U.S. Although the volume was low, a small number of organizations were affected. Notably, many of the malicious messages were not sent directly by email but were submitted through contact forms on the target organizations’ websites, giving the actor a second delivery channel alongside direct email.
One notable aspect of Prince ransomware is its destructive nature. Once files are encrypted there is no decryption mechanism, and the malware does not exfiltrate data. This suggests the intent of the attack is purely to cause disruption rather than to extort ransom payments, as is typical of other ransomware. From a recovery standpoint it should be treated like a wiper: restoration depends on offline backups, not on any negotiation.
The phishing emails associated with this campaign used sender or reply-to addresses linked to Proton Mail, with each message using a different email address. The emails featured a PDF attachment that appeared to come from Royal Mail, a commonly impersonated brand. The PDF included a link to a ZIP file hosted on Dropbox (e.g., *PACKAGE-0074752.zip*), which initiated the download of the ransomware.
Royal Mail is frequently impersonated by malicious actors, and the company offers a list of common scams to help customers recognize fraudulent activity.
PDF containing a Dropbox URL.
The ZIP file in the Royal Mail impersonation campaign contained another password-protected ZIP file (e.g., *invoice.zip*) and a text file (e.g., *privacy notice.txt*) that included the password required to unlock the protected ZIP. Once the second ZIP was opened, it revealed a shortcut (LNK) file. When this file was executed, it triggered a series of actions to extract and run JavaScript embedded within the shortcut.
The detailed steps of the execution process are as follows:
– **Locate the shortcut file**: The command line looked for the shortcut in either the *%temp%* directory or the current working directory and assigned the path it found to a variable using a *for* loop.
– **Extract and execute JavaScript**: The command line then used *findstr* to pull the JavaScript out of the shortcut. Because findstr prints only the lines that match its search string, the script lines stored inside the shortcut can be separated from the binary link data without any separate dropper. The matching lines were written to a file (for clarity, we’ll call it *JS1.js*) in the *%temp%* directory, which was then executed with WScript.
Embedding JavaScript in a shortcut and extracting it with built-in tools means the payload never exists as a standalone script file until findstr writes it to *%temp%*: attachment scanners that open the ZIP see only a LNK and a text file, and every stage runs through signed Windows binaries (cmd.exe, findstr.exe, wscript.exe), which helps the delivery evade traditional security controls. The same chain is a detection opportunity on the endpoint: a shortcut spawning cmd.exe that runs findstr and then wscript.exe against a .js file in *%temp%* is a sequence few legitimate workflows produce.
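The following is an added example, not code from Proofpoint or from the campaign, showing how an analyst can triage such a shortcut statically: it walks the MS-SHLLINK structure to recover the command line, flags the findstr/wscript/%temp% chain, recovers the search string the findstr call would use, and replays that match over the bytes appended past the link structure to carve the script without executing anything. The sample shortcut, its `/*K3Y*/` marker and its command line are constructed assumptions for illustration; the campaign’s actual marker and command line are not given on the page.

```python
"""Static triage of a Windows shortcut (.lnk) that carries its own script payload.

Constructed example: the sample shortcut, marker string and command line below
are assumptions for illustration, not artefacts recovered from the campaign.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK) that control which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Tokens that together describe the locate / extract / run chain seen in the campaign
SUSPICIOUS_TOKENS = ("findstr", "wscript", "%temp%", "for %", ".js")


def parse_lnk(data):
    """Walk the shell link structure; return (flags, string_data, end_of_structure)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_FIELDS:              # StringData fields appear in this order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    while off + 4 <= len(data):                  # ExtraData blocks end with a size < 4
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return flags, strings, off


def findstr_pattern(args):
    """Recover the search string a findstr invocation would use; (None, False) if absent."""
    m = re.search(r"\bfindstr(?:\.exe)?\s+(.*)", args, re.IGNORECASE | re.DOTALL)
    if not m:
        return None, False
    ignore_case = False
    for tok in re.findall(r'"[^"]*"|\S+', m.group(1)):
        low = tok.lower()
        if low.startswith("/c:"):                # /C:"literal string"
            return tok[3:].strip('"'), ignore_case
        if low.startswith("/"):                  # other switch; /I makes matching case-insensitive
            ignore_case |= low == "/i"
            continue
        return tok.strip('"'), ignore_case       # first non-switch token is the pattern
    return None, ignore_case


def carve_lines(overlay, pattern, ignore_case=False):
    """Replay findstr over bytes past the link structure (substring match only;
    findstr's regular-expression mode is not reproduced)."""
    text = overlay.decode("latin-1")             # never fails, keeps binary bytes as chars
    needle = pattern.lower() if ignore_case else pattern
    return [ln for ln in text.splitlines()
            if needle in (ln.lower() if ignore_case else ln)]


def assess_lnk(data):
    """Produce a small triage report for one shortcut."""
    _flags, strings, end = parse_lnk(data)
    args = strings.get("arguments", "")
    pattern, ignore_case = findstr_pattern(args)
    overlay = data[end:]                         # anything after the ExtraData terminal block
    return {
        "relative_path": strings.get("relative_path", ""),
        "arguments": args,
        "indicators": [t for t in SUSPICIOUS_TOKENS if t in args.lower()],
        "findstr_pattern": pattern,
        "overlay_bytes": len(overlay),
        "carved_lines": carve_lines(overlay, pattern, ignore_case) if pattern else [],
    }


# Constructed sample (assumption): relative path to cmd.exe, a one-liner that locates the
# shortcut, carves marker-prefixed lines into %temp%\JS1.js and runs it, plus the overlay.
SAMPLE_RELATIVE_PATH = "..\\..\\..\\Windows\\System32\\cmd.exe"
SAMPLE_ARGS = ('/c for %i in ("%temp%\\*.lnk" "*.lnk") do findstr /c:"/*K3Y*/" "%i" '
               '> "%temp%\\JS1.js" & wscript //b "%temp%\\JS1.js"')
SAMPLE_PAYLOAD = (b"\x00\x00decoy line without the marker\r\n"
                  b'/*K3Y*/var sh = WScript.CreateObject("WScript.Shell");\r\n'
                  b'/*K3Y*/WScript.Echo("constructed sample payload");\r\n')


def build_sample_lnk(relative_path, arguments, payload):
    """Assemble a minimal shortcut: header, RelativePath + Arguments, terminal block, overlay."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x80)
              + b"\x00" * 24                                    # creation/access/write times
              + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))   # FileSize .. Reserved3
    assert len(header) == 0x4C

    def string_data(s):                                        # CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4 + payload


if __name__ == "__main__":
    for key, value in assess_lnk(build_sample_lnk(SAMPLE_RELATIVE_PATH, SAMPLE_ARGS,
                                                  SAMPLE_PAYLOAD)).items():
        print(f"{key}: {value}")
```

Running it prints the recovered command line, the five matched indicator tokens, the `/*K3Y*/` marker, and the two carved script lines while the decoy line is dropped, which is the same filtering findstr performs on the victim machine. The marker doubles as a JavaScript comment so the carved lines remain valid script; any other marker convention would work as long as the parser recovers it from the findstr arguments rather than hard-coding it.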
In a related development, the malware developer SecDbg offers an information-stealing tool called *ThunderKitty* on GitHub, advertising a “Paid version.” This implies that SecDbg may provide a paid service to customize the malware for bypassing security defenses. Given these details, it’s reasonable to suspect that SecDbg might also offer a builder service designed to create the attack sequence from the shortcut’s execution to the deployment of ransomware.
Open-source code repositories like GitHub host a wide range of malware and hacking tools. Although their creators often claim the tools are meant solely for educational use, cybercriminals routinely use them in real campaigns. Ransomware is not usually the initial payload in email-based attacks, but it is sometimes observed, particularly with variants that are freely available on platforms like GitHub or through leaked ransomware builders.
Using contact forms to deliver malicious content allows attackers to bypass the need for a direct email address, as messages can reach multiple recipients who have access to the contact form alias. This approach means that individuals who receive mail forwarded from contact forms—often to their work email—might not even be directly involved with the job function or employer linked to the message. This tactic has been seen before with other cyber groups, such as TA578, which frequently uses contact forms with complaint-themed messages to target organizations worldwide.
Regardless of whether the malicious message originates from a contact form or a direct email, the combination of a Proton Mail sender or reply-to address, along with a Royal Mail-branded lure, should immediately raise red flags. Organizations should educate their staff to recognize these techniques and report them to their internal security operations teams when detected.