
Those never-ending waves of Locky malspam, (Wed, Sep 21st)

Introduction

Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near-daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3]. I looked into Locky earlier this month and reported some data on my personal blog [4]. As common as Locky malspam is, I think this near-daily phenomenon deserves another round of investigation.

For this diary, I reviewed 20 samples of Locky malspam found on Tuesday 2016-09-20.
Shown above: Various senders and subject lines from Locky malspam on Tuesday, 2016-09-20.

The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File, which Windows Script Host also runs.

The malicious script files

We can examine the script files after extracting them from the zip archives attached to the emails.
Shown above: Extracted .wsf file from one of the attachments.
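The delivery pattern above (a zip attachment carrying a .js or .wsf file that Windows Script Host will run on double-click) is the point where a mail gateway can stop these campaigns. The following is an added triage example, not code from the diary: it lists the script-type members of an attachment, descends into nested zips to a bounded depth, and treats a damaged or non-zip blob as uninspectable. The member names, contents and the extra WSH extensions beyond .js and .wsf are assumptions.

```python
# Added example: triage a mail attachment for the delivery pattern in this diary, a zip that
# holds Windows Script Host files (.js, .wsf). Not code from the diary.
import io
import zipfile
from typing import Dict, List

# The diary saw .js and .wsf; the other WSH-handled extensions are included as an assumption.
WSH_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}

def script_members(zip_bytes: bytes, depth: int = 2) -> List[str]:
    """Names of members whose last extension is a WSH script type; nested zips are
    inspected down to `depth` levels so a self-containing archive cannot recurse forever."""
    found: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return found  # not a zip (or damaged): nothing we can inspect here
    with archive as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in WSH_EXTENSIONS:
                found.append(name)
            elif ext == ".zip" and depth > 0:  # inner archive: inspect its members too
                found.extend(f"{name}/{m}" for m in script_members(zf.read(info), depth - 1))
    return found

def should_quarantine(zip_bytes: bytes) -> bool:
    """Quarantine rule for this pattern: any WSH script member at the depth inspected."""
    return bool(script_members(zip_bytes))

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct demo data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed attachments; member names and contents are made-up stand-ins.
MALSPAM_ZIP = build_zip({"tracking_data_7731.js": b"// stand-in, not the real downloader",
                         "readme.txt": b"harmless"})
NESTED_ZIP = build_zip({"receipt.zip": build_zip({"receipt.wsf": b"<job/>"})})
BENIGN_ZIP = build_zip({"photos/holiday.jpg": b"\xff\xd8\xff", "notes.pdf": b"%PDF-1.4"})
```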

Chain of events

All 20 samples are designed to infect computers with Locky ransomware, but there are some differences. I saw the same chain of events with all the .js files. But I saw a different chain of events with the .wsf files.

The biggest difference? Locky samples downloaded by the .js files generated post-infection callback traffic.
Shown above: Chain of events from the different types of malicious script files.

Traffic

Traffic is still typical of Locky infection from malspam. In traffic generated by the .js files, I saw a single Locky download followed by post-infection callback traffic. In traffic from the .wsf files, I saw three downloads of Locky without any post-infection traffic.
Shown above: An infected Windows host from either type of malicious script (.js or .wsf).

Each malicious script file downloads Locky as an encrypted or obfuscated binary from a web server, then it
Shown above: Downloaded binary and decoded Locky DLL on the local host.

Indicators of compromise (IOCs)

The first batch of .js files from Locky malspam with the subject line "Tracking data" generated the following traffic:

Locky download:

  • 95.173.164.205 port 80 - vetchsoda.org - GET /5pnqv2
  • 178.212.131.10 port 80 - solenapeak.com - GET /2zg3kl
  • 178.212.131.10 port 80 - solenapeak.com - GET /fs3e3a
  • 178.212.131.10 port 80 - solenapeak.com - GET /ha4n2

Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php

By the time I checked the first two batches of .wsf files from Locky malspam, I didn't get any HTTP traffic. However, these .wsf files changed the victims' preferred DNS server to 167.114.34.61 and generated DNS queries for the following domains:

  • 167.114.34.61 port 53 - DNS query for writewile.su (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for steyjixie.net (response: Server failure)
  • 167.114.34.61 port 53 - DNS query for wellyzimme.com (response: Server failure)

The second batch of .js files from Locky malspam with the subject line "Out of stock" generated the following traffic:

Locky download:

  • 5.173.164.205 port 80 - musguhefty.com - GET /6lj76w3l
  • 178.212.131.10 port 80 - musguhefty.com - GET /oi3zsb
  • 178.212.131.10 port 80 - nawabmyops.net - GET /bubs031
  • 178.212.131.10 port 80 - vumdaze.com - GET /pknjo995
  • 178.212.131.10 port 80 - vumdaze.com - GET /t98uo
  • 178.212.131.10 port 80 - youthmaida.net - GET /1ly8w
  • 178.212.131.10 port 80 - youthmaida.net - GET /1p6zoyym

Post-infection callback:

  • 46.38.52.225 port 80 - 46.38.52.225 - POST /data/info.php
  • 109.248.59.80 port 80 - 109.248.59.80 - POST /data/info.php
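Two traits in the indicators above lend themselves to detection without relying on the rotating domains and paths: the .js chain's callback is a POST to a host given as a bare IP address rather than a name, and the .wsf chain sends the victim's DNS queries to a resolver the administrator never configured. The block below is an added example, not code from the diary; it runs that logic over constructed log lines built from the diary's indicators. The log format, the internal source addresses and the approved resolver 10.0.0.53 are assumptions.

```python
# Added example: flag the two Locky traffic traits the diary describes, over constructed log lines.
import ipaddress
from typing import Dict, List, Tuple
APPROVED_RESOLVERS = {"10.0.0.53"}  # assumed enterprise resolver (constructed value)

# Constructed lines: "<src> <dst>:<port> http <method> <host-header> <path>"
#                 or "<src> <dst>:<port> dns <qname> <rcode>"
# Destination IPs, names and paths come from the diary's indicators; source IPs are made up.
SAMPLE_LOG = """\
10.0.0.25 95.173.164.205:80 http GET vetchsoda.org /5pnqv2
10.0.0.25 46.38.52.225:80 http POST 46.38.52.225 /data/info.php
10.0.0.26 167.114.34.61:53 dns writewile.su SERVFAIL
10.0.0.26 167.114.34.61:53 dns steyjixie.net SERVFAIL
10.0.0.27 10.0.0.53:53 dns intranet.corp.example NOERROR
10.0.0.27 93.184.216.34:80 http GET www.example.com /index.html
"""

def is_ip_literal(host: str) -> bool:
    """True when an HTTP Host header is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_line(line: str) -> List[Tuple[str, str]]:
    """Return (source_ip, reason) findings for one log line."""
    src, dst, proto, *rest = line.split()
    dst_ip = dst.rsplit(":", 1)[0]
    findings = []
    if proto == "http":
        method, host, path = rest
        # Locky callback in the diary: POST /data/info.php to a host given as a bare IP
        if method == "POST" and is_ip_literal(host):
            findings.append((src, f"POST to IP-literal host {host}{path}"))
    elif proto == "dns":
        qname, rcode = rest
        # The .wsf samples repointed the preferred DNS server; a query to any resolver
        # outside the approved set is the configuration-tampering signal
        if dst_ip not in APPROVED_RESOLVERS:
            findings.append((src, f"{qname} sent to unapproved resolver {dst_ip} ({rcode})"))
    return findings

def analyze(log_text: str) -> Dict[str, List[str]]:
    """Group findings by internal source host."""
    by_host: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        for src, reason in (check_line(line) if line.strip() else []):
            by_host.setdefault(src, []).append(reason)
    return by_host
```

The second trait is the more durable one: the download hosts and URIs change per batch, while a workstation that suddenly resolves through an address outside the approved set stands out regardless of which domains it asks for.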

The last batch of .wsf files came from Locky malspam disguised as a receipt from The Music Zoo. Unlike the first two batches of .wsf files, these caused a proper Locky infection, but they didn't generate any Locky post-infection traffic. Like the earlier .wsf files, this batch changed the victims' preferred DNS server to 167.114.34.61 and used that for any DNS queries. Examples of traffic from these .wsf files are:


The infected host

Locky caused by this malspam is the Zepto variant.
Shown above: Encrypted files with the .zepto file extension.

Checking the decryptor page through the Tor network, you'll find the standard Locky description.
Shown above: Ransom stated as 3 bitcoins.

Final words

Ransomware like Locky continues to be a well-known threat. Fortunately, these waves of malspam are usually blocked for most organizations using any decent email security and spam filtering. Furthermore, properly administered Windows hosts are not likely to be infected.

So why examine these emails?

Because some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away.

A solid strategy for any sort of ransomware is to make regular backups of any important files. Remember to test those backups, so you're certain you can recover your data.

Pcap and malware for this diary are located here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

References:

[1] http://blog.dynamoo.com/search/label/Locky/
[2] https://myonlinesecurity.co.uk/tag/locky/
[3] http://www.bleepingcomputer.com/news/security/locky-zepto-ransomware-now-being-installed-from-a-dll/
[4] http://malware-traffic-analysis.net/2016/09/12/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
