Researchers warn that the latest versions of the Merry Christmas ransomware, also known as "Merry X-Mas", are using the DiamondFox malware to collect victims' passwords, important files, and other sensitive data. The malware is dropped on the infected machines and then used by the crooks to steal information.
The Merry Christmas ransomware was detected by several different security experts in the first week of 2017, and on January 4th Bleeping Computer wrote an article about the modus operandi of the ransomware's first variants. The first wave of Merry Christmas infections was distributed via malicious spam emails pretending to be FTC consumer complaints.
Infections by Merry Christmas are still being detected, even though researchers thought that, because of its Christmas theme, the ransomware would not stay on the stage for long. A couple of days after the initial attack wave, the security expert Brad Duncan detected a second one in which the ransomware relied on a different ransom note. It was once again spread via spam messages, only this time the emails were posing as court attendance notices. Just like the first spam wave, these messages provided links that downloaded a file from an online server. The file contains macro scripts which, if the user allows them to execute, download and install the newest Merry Christmas version.
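The infection chain described above hinges on a downloaded Office document whose macros must be allowed to run. The following is an added example for defenders, not code from the article or from any of the researchers it cites; it classifies a downloaded file by container type and flags OOXML documents that carry a VBA project. It assumes that an OOXML document is a ZIP archive containing `[Content_Types].xml`, and that its macros live in a part named `vbaProject.bin`; legacy OLE (.doc/.xls) files are recognised by their magic bytes only and reported as needing a dedicated OLE parser. The sample documents are constructed in memory for the demonstration.

```python
"""Added example: flag downloaded Office documents that carry VBA macros.

Illustrative code, not from the article or the researchers it mentions.
Assumptions: OOXML files (.docm/.xlsm/...) are ZIP archives with a
[Content_Types].xml part, and a VBA project is stored as vbaProject.bin.
Legacy OLE files are only recognised by magic bytes and are reported as
'ole-legacy' so they can be routed to an OLE-aware scanner.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                         # local file header of a ZIP


def classify_office_blob(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in an OLE stream, not a ZIP part.
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package carries a content-types part at the root.
    if "[Content_Types].xml" not in names:
        return "not-office"
    # The VBA project may sit under word/, xl/ or ppt/; match on the file name.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def triage_downloads(files: dict) -> list:
    """Given {filename: bytes}, return the names that should be quarantined
    for review: macro-bearing OOXML and legacy OLE documents."""
    flagged = []
    for name, blob in files.items():
        verdict = classify_office_blob(blob)
        if verdict in ("ooxml-macro", "ole-legacy"):
            flagged.append(name)
    return flagged


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the demonstration.
    This is constructed test data, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed batch of "downloaded" files.
    batch = {
        "court_notice.docm": build_sample_docx(with_macro=True),
        "complaint.docx": build_sample_docx(with_macro=False),
        "old_notice.doc": OLE_MAGIC + b"\x00" * 16,
        "readme.txt": b"plain text",
    }
    for name in triage_downloads(batch):
        print("quarantine for review:", name)
```

The check deliberately keys on the package contents rather than the file extension, because a macro-bearing package does not have to arrive with a `.docm` name; legacy OLE documents are surfaced separately since their macro streams require a different parser.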
According to Duncan, these attacks coincided with the Christmas holidays of Orthodox Christians who follow the Julian calendar, such as large communities in former Soviet states and some Eastern European countries. A couple of hours after Duncan's findings were published, the security expert MalwareHunterTeam found that the latest Merry Christmas variants are dropping the DiamondFox malware and using it to steal victims' personal data.
DiamondFox includes modules which crooks opt to deploy on a per-infection basis, as well as components for turning computers into DDoS bots. Moreover, it can be used for stealing credit card data from PoS systems, for harvesting browser passwords, for opening Remote Desktop connections, and more. DiamondFox is currently being sold on Dark Web malware markets such as Hansa and AlphaBay.
Merry Christmas is not the first ransomware to use a second piece of malware for its malicious purposes. In the summer of last year, Kaspersky security researchers stumbled across variants of the Shade ransomware which downloaded the Teamspy RAT. The RAT was used to profile the infected machine and its type so the crooks could decide whether to ask for a higher ransom to unlock the encrypted files.