Security experts have recently spotted another version of Locky ransomware called IKARUSdilapidated. The ransomware is distributed by a botnet of zombie computers coordinated to launch phishing attacks, sending emails that pretend to come from the targeted recipient’s trusted business-class multifunction printer.
According to Comodo Threat Intelligence Lab, this is the second wave of IKARUSdilapidated ransomware recorded over the past month.
The first IKARUSdilapidated attack was noticed on August 9 and lasted for three days. It used spam messages containing almost no content, with a malicious Visual Basic Script attachment.
“This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”
The spam emails use a popular printer model in the subject line to make users think the messages are legitimate. A typical subject line reads, “Scanned image from M-2600N”.
MX-2600N is the model of a leading enterprise-class Sharp multifunction printer, and the messages carry malicious JavaScript attachments which, when opened, download the IKARUSdilapidated ransomware.
The latest spam campaign ran for three days starting August 18, in three stages. The first two stages were the largest and used the bogus scanned-image attachment, while the third, smaller wave was different: it featured a message purporting to come from a French post office with the word “FACTURE” in the subject line.
FACTURE translates to a bill or billing inquiry in French. The FACTURE messages also carried a malicious JavaScript attachment, compressed in a .rar archive. When opened, the dropper would immediately download the IKARUSdilapidated ransomware.
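A defender-side triage check for the lure traits described above (printer “scanned image” or “FACTURE” subject, script attachment, or archive that needs inspecting), added here as an example; it is not code from the article or from Comodo, and the sample messages and filenames are constructed.

```python
import email
import re
from email import policy
from os.path import splitext

# Lure traits reported for the two IKARUSdilapidated waves: a printer
# "Scanned image from ..." subject or a French "FACTURE" subject, carrying a
# JavaScript/VBScript dropper, in the FACTURE wave wrapped in a .rar archive.
LURE_SUBJECTS = (re.compile(r"scanned image from", re.I), re.compile(r"\bFACTURE\b"))
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}


def triage(raw_message):
    """Return the reasons a raw RFC 822 message matches the campaign pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in LURE_SUBJECTS):
        reasons.append("lure subject: " + subject)
    for part in msg.walk():  # walk() visits every MIME part, nested or not
        name = part.get_filename()
        if not name:
            continue
        ext = splitext(name.lower())[1]
        if ext in SCRIPT_EXT:
            reasons.append("script attachment: " + name)
        elif ext in ARCHIVE_EXT:
            reasons.append("archive attachment, inspect contents: " + name)
    return reasons


# Constructed sample messages (hypothetical filenames, not real captures).
PRINTER_LURE = (
    "Subject: Scanned image from MX-2600N\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease find the scan attached.\n"
    '--b1\nContent-Type: application/octet-stream; name="scan.js"\n'
    'Content-Disposition: attachment; filename="scan.js"\n\nQUJD\n--b1--\n'
)
FACTURE_LURE = (
    "Subject: FACTURE\n"
    'Content-Type: application/x-rar-compressed; name="facture.rar"\n'
    'Content-Disposition: attachment; filename="facture.rar"\n\nUmFyIQ==\n'
)
REAL_SCAN = (  # same subject, harmless PDF: the subject alone is not conclusive
    "Subject: Scanned image from MX-2600N\n"
    'Content-Type: application/pdf; name="scan.pdf"\n'
    'Content-Disposition: attachment; filename="scan.pdf"\n\nJVBERg==\n'
)
```

A mail gateway rule built on the same idea should quarantine on the attachment findings and only raise the score on the subject match, since genuine copier mail uses the same subject.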
Analysis of the botnet used in the attacks shows that 54,048 IP addresses took part in the “scanned image” campaign; 27% of those were also used in the original attack that began on August 9.
The top source countries for the “zombie computer” botnet are Vietnam, Turkey, India and Mexico. The malware’s targets are mainly countries in Europe and South Asia, with minimal targeting of Russia and the USA.