2024-10-10

Royal Mail Impersonated in Latest Prince Ransomware Phishing Scam

Level: Strategic  |  Source: Proofpoint  |  Global


Proofpoint researchers have uncovered a phishing campaign that impersonates Royal Mail, the British postal service, to deploy Prince ransomware. The ransomware is freely available on GitHub, published under the pretense of educational use, and in this campaign it was used against targets predominantly in the UK and the US around mid-September 2024. Despite the purported educational purpose, the campaign has been notably active, and the actor delivered lures not only by direct email but also through public contact forms on target websites, broadening the attack vector. According to Proofpoint, "the actor does not exclusively target organizations via email directly, but also from public contact forms," which marks a shift in delivery tactics.

The chain begins when the recipient is tricked into downloading and opening a PDF styled as a Royal Mail communication; the PDF contains a link to a ZIP file hosted on Dropbox. The archive holds a Windows shortcut carrying the double extension "Invoice.pdf.lnk" so that it passes as an ordinary document. When opened, the shortcut runs commands that use the built-in "findstr" utility to carve a JavaScript file out of the shortcut's own contents, write it to the temporary (%temp%) folder, and execute it. That script in turn launches a series of PowerShell scripts and further JavaScript files written to the same directory, carrying the infection through to completion.

The first PowerShell script runs with the flags "-ep bypass -nop" (ExecutionPolicy Bypass, to sidestep the execution policy, and NoProfile, to skip loading PowerShell profiles). It disables AMSI and then performs a UAC bypass through CMSTP, the Connection Manager Profile Installer (cmstp.exe): CMSTP is handed an INF file whose contents cause a malicious JavaScript to be run via WScript. Proofpoint's analysis found that this JavaScript calls the PowerShell scripts to run the AMSI bypass once again, deletes the downloaded files, writes Base64-encoded malicious commands to the registry, and establishes persistence through a scheduled task. As Proofpoint details, the malware "Used PowerShell to create a Scheduled Task that ran every 20 minutes, but only if the computer was connected to power and had been idle for 15 minutes, meaning the first run was, at the earliest, after 20 minutes," providing a delayed but persistent execution mechanism.

The campaign's impact appears to be primarily disruptive: Proofpoint found no reliable decryption mechanism and no data exfiltration capability. The actors behind the campaign remain unattributed, and because Prince ransomware can be obtained freely from GitHub, the barrier to entry is low and attribution correspondingly difficult.
