SANS ISC: Those never-ending waves of Locky malspam

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Introduction

Malicious spam (malspam) campaigns sending Locky ransomware are nothing new.  We see reports of it on a near daily basis [1, 2].  But last month, Locky ransomware changed.  It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].  I looked into Locky earlier this month and reported some data on my personal blog [4].  As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation.

For this dairy, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20.  The image below shows samples of the various senders and subject lines.

The emails

Shown above:  Various senders and subject lines from Locky malspam on Tuesday, 2016-09-20.

The malspam all contained zip archives as file attachments.  Those zip archives contained either a .js file or a .wsf file.  The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file.  The .wsf file extension is used for a Windows Script File.  These .wsf files can also be run by double-clicking on them in a Windows environment.

These .js and .wsf files are designed to download Locky and run the ransomware as a DLL.

Shown above:  The attachments, extracted files, and associated Locky ransomware DLLs.

Screenshots of the emails

The malicious script files

We can examine the script files after extracting them from the zip archives attached to the emails.  The .js files and the .wsf files may use different formats and syntax, but they are both highly-obfuscated, and they are both designed to download and install the Locky ransomware.

Shown above:  Extracted .js file from one of the attachments.

Shown above:  Extracted .wsf file from one of the attachments.

Chain of events

All 20 samples are designed to infect computers with Locky ransomware, but there are some differences.  I saw the same chain of events with with all the .js files.  But I saw a different chain of events with the .wsf files.

The biggest difference?  Locky samples downloaded by the .js files generated post-infection callback traffic.  Locky samples from the .wsf files did not.

Shown above:  Chain of events from the different types of malicious script files.

Traffic

Traffic is still typical of Locky infection from malspam.  In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic.  In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic.  In both cases, the Windows host still provided the typical indicators of a Locky infection.

Shown above:  An example of traffic generated by a .js file.

Shown above:  An example of traffic generated by a .wsf file.

Shown above:  An infected Windows host from either type of malicious script (.js or .wsf).

Both types of malicious script file download Locky as an encrypted or obfuscated binary from a web server, then it's decrypted on the local host.

Shown above:  The encrypted Locky binary downloaded from a web server.

Shown above:  Downloaded binary and decoded Locky DLL on the local host.

Indicators of compromise (IOCs)

The first batch of .js files from Locky malspam with the subject line "Tracking data" generated the following traffic: 

Locky download:

• 95.173.164.205 port 80 - vetchsoda.org - GET /5pnqv2
• 178.212.131.10 port 80 - solenapeak.com - GET /2zg3kl
• 178.212.131.10 port 80 - solenapeak.com - GET /fs3e3a
• 178.212.131.10 port 80 - solenapeak.com - GET /ha4n2

Post-infection callback:

• 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php

By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic.  However, these .wsf files changed victim's preferred DNS server to 167.114.34.61 and generated DNS queries for the following domains:

• 167.114.34.61 port 53 - DNS query for writewile.su (response: Server failure)
• 167.114.34.61 port 53 - DNS query for steyjixie.net (response: Server failure)
• 167.114.34.61 port 53 - DNS query for wellyzimme.com (response: Server failure)

The second batch of .js files from Locky malspam with the subject line "Out of stock" generated the following traffic: 

Locky download:

• 5.173.164.205 port 80 - musguhefty.com - GET /6lj76w3l
• 178.212.131.10 port 80 - musguhefty.com - GET /oi3zsb
• 178.212.131.10 port 80 - nawabmyops.net - GET /bubs031
• 178.212.131.10 port 80 - vumdaze.com - GET /pknjo995
• 178.212.131.10 port 80 - vumdaze.com - GET /t98uo
• 178.212.131.10 port 80 - youthmaida.net - GET /1ly8w
• 178.212.131.10 port 80 - youthmaida.net - GET /1p6zoyym

Post-infection callback:

• 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php
• 109.248.59.80 port 80 - 109.248.59.80 - POST /data/info.php

The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo.  Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic.  Like the earlier .wsf files, this batch changed victim's preferred DNS server to 167.114.34.61 and used that for any DNS queries.  Examples of traffic from these .wsf files are:

• 193.150.247.12 port 80 - awaftaxled.com - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
• 62.84.69.75 port 80 - uphershoji.net - GET /JHG67g32udi?IBypSwb=miWInrqwLkn
• 193.150.247.12 port 80 - thokelieu.com - GET /JHG67g32udi?IBypSwb=miWInrqwLkn

• 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM
• 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM
• 62.84.69.75 port 80 - thokelieu.com - GET /bcreubf321?KvbGPrwmwE=TqlgljDymXM

• 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?GPuCciWnxG=PIMPMIBd
• 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?GPuCciWnxG=PIMPMIBd
• 62.84.69.75 port 80 - thokelieu.com - GET /bcreubf321?GPuCciWnxG=PIMPMIBd

• 193.150.247.12 port 80 - awaftaxled.com - GET /bcreubf321?luVkLlTEgMf=IBOiJDl
• 193.150.247.12 port 80 - uphershoji.net - GET /bcreubf321?luVkLlTEgMf=IBOiJDl
• 193.150.247.12 port 80 - thokelieu.com - GET /bcreubf321?luVkLlTEgMf=IBOiJDl

The infected host

Locky caused by this malspam is the Zepto variant.  All the encrypted files have the .zepto file extension.

Shown above:  Encrypted files with the .zepto file extension.

Checking the decryptor page through the Tor network, you'll find the standard Locky description.  The ransom payment is 3 bitcoins, which is approximately 1,800 US dollars.

Shown above:  The Locky decryptor page.

Shown above:  Ransom stated as 3 bitcoins.

Final words

Ransomware like Locky continues to be a well-known threat.  Fortunately these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering.  Furthermore, properly-administered Windows hosts are not likely to be infected.

So why examine these emails?

Because some of these emails make it through, and people still get infected.  All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away.

A solid strategy for any sort of ransomware is to make regular backups of any important files.  Remember to test those backups, so you're certain to recover your data.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://blog.dynamoo.com/search/label/Locky/
[2] https://myonlinesecurity.co.uk/tag/locky/
[3] http://www.bleepingcomputer.com/news/security/locky-zepto-ransomware-now-being-installed-from-a-dll/
[4] http://malware-traffic-analysis.net/2016/09/12/index.html