Introduction Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3]. I looked into Locky earlier this month and reported some data on my personal blog [4]. As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation. For this dairy, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20. The image below shows samples of the various senders and subject lines. The emails
The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File. These .wsf files can also be run by double-clicking on them in a Windows environment. These .js and .wsf files are designed to download Locky and run the ransomware as a DLL.
Screenshots of the emails The malicious script files We can examine the script files after extracting them from the zip archives attached to the emails. The .js files and the .wsf files may use different formats and syntax, but they are both highly-obfuscated, and they are both designed to download and install the Locky ransomware.
Chain of events All 20 samples are designed to infect computers with Locky ransomware, but there are some differences. I saw the same chain of events with with all the .js files. But I saw a different chain of events with the .wsf files. The biggest difference? Locky samples downloaded by the .js files generated post-infection callback traffic. Locky samples from the .wsf files did not.
Traffic Traffic is still typical of Locky infection from malspam. In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic. In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic. In both cases, the Windows host still provided the typical indicators of a Locky infection.
Both types of malicious script file download Locky as an encrypted or obfuscated binary from a web server, then it's decrypted on the local host.
Indicators of compromise (IOCs) The first batch of .js files from Locky malspam with the subject line "Tracking data" generated the following traffic: Locky download:
Post-infection callback:
By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic. However, these .wsf files changed victim's preferred DNS server to 167.114.34.61 and generated DNS queries for the following domains:
The second batch of .js files from Locky malspam with the subject line "Out of stock" generated the following traffic: Locky download:
Post-infection callback:
The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo. Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic. Like the earlier .wsf files, this batch changed victim's preferred DNS server to 167.114.34.61 and used that for any DNS queries. Examples of traffic from these .wsf files are:
The infected host Locky caused by this malspam is the Zepto variant. All the encrypted files have the .zepto file extension.
Checking the decryptor page through the Tor network, you'll find the standard Locky description. The ransom payment is 3 bitcoins, which is approximately 1,800 US dollars.
Final words Ransomware like Locky continues to be a well-known threat. Fortunately these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering. Furthermore, properly-administered Windows hosts are not likely to be infected. So why examine these emails? Because some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away. A solid strategy for any sort of ransomware is to make regular backups of any important files. Remember to test those backups, so you're certain to recover your data. Pcap and malware for this diary are located here. --- References: [1] http://blog.dynamoo.com/search/label/Locky/ |
Brad 433 Posts ISC Handler Sep 21st 2016 |
Thread locked Subscribe |
Sep 21st 2016 5 years ago |
Great write up :)
Just did a quick scan... extracted-files\B69A8P7702.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\DNNE45601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\FNWWLV219901.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\KR9IQPP18301.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\KV5X6203.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\LXWQ2102.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\NWKG9T47501.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\QJJ233601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\RIN912202.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\RXXRN463601.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\SMYL8004.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND extracted-files\tracking data ~4E529E85~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\tracking data ~4EF33269~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\tracking data ~B391B8~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\tracking data ~C23891C1~.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\updated order ~5F2B541~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\updated order ~A4B321A1~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\updated order ~CED9114~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\updated order ~D0461D3~ pdf.js: Sanesecurity.Malware.26343.JsHeur.UNOFFICIAL FOUND extracted-files\WY1TLGZ8402.wsf: Sanesecurity.Malware.26295.JsHeur.UNOFFICIAL FOUND Cheers, Steve Sanesecurity |
Anonymous |
Quote |
Sep 22nd 2016 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!