Ransomware, to this day, is one of the major threats to individual users seen on a daily basis in the form of Malspam. Recently, researcher Brad Duncan published to malware-traffic-analysis.net a report on a piece of Ransomware called Mole. Distributed by Malspam that spoofs United States Postal Service (USPS) status updates, the malware gains privilege escalation and encrypts user data.

The Campaign

The campaign includes different senders and various e-mail subjects, each crafted to look like USPS status updates. This allows the spam to get past most spam filters, and looks official enough to trick unwary users into both reading the email, and then clicking on a link.

Each email contains a link that redirects to a spoofed Microsoft Office portal page, which requests permission to install an Office plugin. Users, after downloading the zip file, extract the contents (as of April 13th this is a JavaScript (.js) file containing a file downloader called Nemucod.


Attempting to execute the .js file (in an attempt to install the plugin) presents a download error, while the download of three executable files in the background succeeds. Execution of the downloaded files by the .js file creates a privilege escalation after which the user data is encrypted and stored with the extension “.MOLE” (thus the name), It then makes contact with its C&C host and provides a public encryption key, and a file count of the encrypted files to the C&C.

The user is then notified through a .txt file dropped on the desktop (and in any directory with encrypted files) that explains the encryption happened, and details where to pay the ransom.


According to Duncan's report, the Ransomware has the ability to detect if it is being run in a VM or a sandbox, thus allowing it to evade detection and analysis efforts. The malware itself, is not particularly novel, and there is some dispute over it as it was also addressed as a new version of the CryptoMix Ransomware family.

Another point of interest with this malware, reported by Brad Duncan in the Palo Alto Networks Unit 42 blog, is the way it has changed its action and malware distribution methods in the first few days of this campaign. The campaign was first found on April 11th, behaving as described above, and on April 13th it began to distribute Kovter and Miuref as well as Mole. On April 14th, it had changed the link in the spam e-mail to direct to the fake USPS portal.

Enabling the TSCritical targets to your user policy will add protection against Miuref, Kovter, and Mole Ransomware's campaign to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account click the button to try a demo. 

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.