Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Glitch in malspam campaign temporarily reduces spread of GandCrab InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Glitch in malspam campaign temporarily reduces spread of GandCrab

Published: 2018-04-12
Last Updated: 2018-04-12 04:59:12 UTC
by Brad Duncan (Version: 1)
0 comment(s)


Since March 2018, I've noticed malicious spam (malspam) pushing GandCrab ransomware.  Along with other distinct characteristics in the emails headers, these waves of malspam use a spoofed mail server address of  For now, I'm calling this the "Zero-Gand" campaign, which is much easier than calling it the "Zero-Zero-Zero-Zero GandCrab malspam" campaign.  My previous documentation on Zero-Gand malspam can be found at:

This is not the only malspam campaign pushing GandCrab ransomware, but it's the one I've seen the most in recent weeks.

So far in April 2018, I've only found Zero-Gand sending Word documents with a malicious macro.  This macro retrieves a GandCrab binary to infect the victim's Windows computer.  Earlier this week on April 10th, VBS from these macros have had a "Compile Error" that stops the infection process.

Shown above:  Error seen after enabling macros on these documents.


Although I wasn't able to generate any infection traffic, I collected 25 email examples from Zero-Gand malspam on Wednesday 2018-04-11.  Each of the emails was pushing the same Word document with a SHA256 hash of 4eee04b6f8e134cb370de5752c00b772f913a4b61a5693aef25063dd1b1b7204 (same file hash, different file names).  According to VirusTotal Intelligence, this Word document was seen as early as Tuesday 2018-04-10 at 11:50 UTC.

Shown above:  The issue seen in Wednesday's wave of Zero-Gand malspam.

Shown above:  Submissions of this Word document to VirusTotal so far.

Shown above:  Info from 25 samples of Zero-Gand malspam on Wednesday 2018-04-11.

For more details on Wednesday's wave of Zero-Gand malspam, the above email samples can be found here.

Final words

The risk of infection is normally quite low for a malspam campaign distributing commodity ransomware like GandCrab.  In order to infect their computers, potential victims would have to bypass Protected View and ignore security warnings about activating macros on a Word document.  People can also easily implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

Due to this compile error in the macro code, I can't say how many potential victims might have been spared from an infection since 2018-04-10.  There are no reliable statistics for end users getting infected with this stuff, and the risk of infection was already very low.

I'm sure the compile error in the Zero-Gand campaign will be resolved sooner or later.  When that happens, the normal risk of infection will return to any improperly-managed Windows hosts hit by this malspam.

Brad Duncan
brad [at]

0 comment(s)
Diary Archives