
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-03-24



The importance of ongoing dialog

Published: 2016-03-24
Last Updated: 2016-03-24 02:40:17 UTC
by Brad Duncan (Version: 1)

Introduction

I recently transitioned into a new role at Palo Alto Networks Unit 42.  Since then, I've published a couple of blog posts describing recent developments in ongoing campaigns [1, 2].  Those are examples of "ongoing dialog" for known threats.  But like most people, I get excited about new malware.  Many reporters tend to focus on new campaigns, exploits, malware, and vulnerabilities.  And why not?  They usually make a more interesting story.  However, we should also keep track of ongoing campaigns.  It's often newsworthy to announce something is still happening.

The importance of a continuing discussion

Continuing discussion--an ongoing dialog--of security matters is important.

But even security professionals are sometimes jaded, especially by the constant waves of malicious spam (malspam) that hit our mail filters.  For example, many of us know about the continuing malspam used to distribute Locky ransomware.  It was first discovered last month [3, 4, 5].  But after you've seen Locky on a near-daily basis, and you've implemented protective measures, the threat loses its impact.

That's good.  That's also the desired outcome.  But what happens after we've done our due diligence?  What happens when the threat is no longer new, but it's still profitable for the criminals behind it?  The majority of people (those not in security) tend to forget about it.

That also assumes the average person knows about specific issues like Locky ransomware.  Locky must compete for media attention with many other threats.  Information about any specific threat can easily get lost in the constant stream of issues we read about.

For Locky, this can happen, despite near-daily reporting by some sources of Locky-related malspam [6, 7, 8].  For example, on Wednesday 2016-03-23, the ISC received the following notification through our contact page:

  

We've been getting quite a few file attachments with .zip files that contain javascript files.  The email messages originate from a number of different countries and the sending IP address has only a single recipient.  (This is based on an IP search in the Google Apps mail report.)

I'm submitting these because I've never seen this pattern before and I would be interested in an evaluation by those who can un-obfuscate the js.

The tar file contains 3 examples:
AAA1136807105.js
JXC1634405726.js
QXB8619121131.js

thanks,
[redacted]

FILE UPLOAD. Original File Name: javascript-malware.tar

  

That sounds like botnet-based malspam.  But what was the payload?  I extracted one of the .js files from the archive, ran it on a Windows host in my lab, and found the following traffic:


Shown above:  Traffic after running one of the .js files on a Windows host.

The infected Windows host looked like what I've seen before with Locky.  Someone had also seen the HTTP GET request for 762trg22e2.exe associated with Locky [9].  I replied to the person who notified us.  Another ISC handler, Didier Stevens, noted the obfuscation in those .js files looks like what he'd posted in a previous diary.


Shown above:  A previous example of a Windows host infected with Locky.
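
The delivery pattern in the notification above (a .zip attachment whose members are .js files) can be flagged in a mailbox sweep or at a mail gateway. The following is an added example, not code from this diary or from the ISC; the function names, the extension list beyond .js, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Windows Script Host file types (assumed list; the diary itself only mentions .js).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

def script_members_in_zip(data):
    """Return names of script files inside a zip blob; [] if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def flag_message(raw):
    """Map attachment filename -> script members, for zip attachments holding scripts."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Test the magic bytes, not the filename: the archive may be renamed.
        if payload[:4] == b"PK\x03\x04":
            members = script_members_in_zip(payload)
            if members:
                hits[part.get_filename() or "(unnamed)"] = members
    return hits

def build_sample(member_name):
    """Constructed message: one zip attachment with a harmless placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_message(build_sample("AAA1136807105.js")))  # flagged
    print(flag_message(build_sample("readme.txt")))        # not flagged
```

Zip member names are readable even when the archive is password-protected, so the check still applies to encrypted attachments.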

Final words

This is a good example, I think, of why we should keep discussing ongoing threats.

It's always fun to investigate these notifications.  As ISC handlers, we take great satisfaction in assisting others on security-related issues.  Hopefully, today's diary raises awareness about this particular flavor of botnet-based malspam.  It's a threat seen on a daily basis, whether you realize it or not.

Have you run across Locky ransomware?  Have you found any indicators of compromise (IOCs) that haven't been posted publicly?  Are there any stories about Locky you'd like to share?  If so, please leave a comment.  Let's keep the dialog going.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-through-nuclear-ek/
[2] http://researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/
[3] http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/
[4] http://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky
[5] https://labsblog.f-secure.com/2016/02/22/locky-clearly-bad-behavior/
[6] https://techhelplist.com/component/tags/tag/275-locky
[7] http://blog.dynamoo.com/search/label/Locky
[8] https://myonlinesecurity.co.uk/tag/locky/
[9] https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomware/
