Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL . I looked into Locky earlier this month and reported some data on my personal blog . As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation.
For this dairy, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20. The image below shows samples of the various senders and subject lines.
These .js and .wsf files are designed to download Locky and run the ransomware as a DLL.
Screenshots of the emails
The malicious script files
We can examine the script files after extracting them from the zip archives attached to the emails. The .js files and the .wsf files may use different formats and syntax, but they are both highly-obfuscated, and they are both designed to download and install the Locky ransomware.
Chain of events
All 20 samples are designed to infect computers with Locky ransomware, but there are some differences. I saw the same chain of events with with all the .js files. But I saw a different chain of events with the .wsf files.
The biggest difference? Locky samples downloaded by the .js files generated post-infection callback traffic. Locky samples from the .wsf files did not.
Traffic is still typical of Locky infection from malspam. In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic. In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic. In both cases, the Windows host still provided the typical indicators of a Locky infection.
Both types of malicious script file download Locky as an encrypted or obfuscated binary from a web server, then it's decrypted on the local host.
Indicators of compromise (IOCs)
The first batch of .js files from Locky malspam with the subject line "Tracking data" generated the following traffic:
By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic. However, these .wsf files changed victim's preferred DNS server to 126.96.36.199 and generated DNS queries for the following domains:
The second batch of .js files from Locky malspam with the subject line "Out of stock" generated the following traffic:
The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo. Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic. Like the earlier .wsf files, this batch changed victim's preferred DNS server to 188.8.131.52 and used that for any DNS queries. Examples of traffic from these .wsf files are:
The infected host
Locky caused by this malspam is the Zepto variant. All the encrypted files have the .zepto file extension.
Checking the decryptor page through the Tor network, you'll find the standard Locky description. The ransom payment is 3 bitcoins, which is approximately 1,800 US dollars.
Ransomware like Locky continues to be a well-known threat. Fortunately these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering. Furthermore, properly-administered Windows hosts are not likely to be infected.
So why examine these emails?
Because some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away.
A solid strategy for any sort of ransomware is to make regular backups of any important files. Remember to test those backups, so you're certain to recover your data.
Pcap and malware for this diary are located here.
Sep 21st 2016
1 year ago
Great write up :)
Just did a quick scan...
extracted-files\B69A8P7702.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\DNNE45601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\FNWWLV219901.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\KR9IQPP18301.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\KV5X6203.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\LXWQ2102.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\NWKG9T47501.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\QJJ233601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\RIN912202.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\RXXRN463601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\SMYL8004.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
extracted-files\tracking data ~4E529E85~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\tracking data ~4EF33269~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\tracking data ~B391B8~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\tracking data ~C23891C1~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\updated order ~5F2B541~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\updated order ~A4B321A1~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\updated order ~CED9114~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\updated order ~D0461D3~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND
extracted-files\WY1TLGZ8402.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND
Sep 22nd 2016
1 year ago