PhishMe security researchers warn that the Locky ransomware is relying on the same delivery infrastructure which was previously used for the Sage ransomware distribution.
Cybercriminals often share infrastructure between one another, so the fact that Locky and Sage use the same recourses is not that surprising. However, the fact also shows that the crooks behind Locky are working on securing new distribution venues after the main Locky distributor – Necurs botnet – recently went silent.
The Sage ransomware first appeared on the malware stage at the end of last year and was analyzed early this year. The first distribution email messages relied on racy or explicit narratives to fool victims into opening the malicious attachments. Later, the operators abandoned this tactic and starting using business-related themes and random numbers in the subjects to avoid spam filters.
Some of the delivery emails didn’t come with a subject at all but they did use the victim`s name in the file attachment name. This file attachment was usually a double-zipper archive that contained a malicious .js file or an Office document. Other messages posed as a rejected financial transaction, failed deposit/refund or canceled order alerts in order to trick the users into opening them.
The campaign, according to PhishMe, used a .zip file (named “document_1.zip”), containing a JavaScript application in it, which would download the Sage ransomware in the form of a Windows executable.
The payload was retrieved from the domain affections[.]top, and the malware relied on the same payment gateway’s Tor site as before, as well as the Tor2Web gateway addresses on rzunt3u2[.]com and er29sl[.]com.
Then, however, on January 26th, another phishing campaign was spotted to distribute the Locky ransomware, leveraging the same email messages and metadata. Moreover, the domain affections[.]top was used as a part of the distribution for this infection on January 30th.
“This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter Trojan.” – PhishMe states.
The connection between Kovter and Locky has been already analyzed a couple of times. Most recently, Microsoft discovered a two-step delivery technique which intended to drip Locky first, but if that failed, it switched to dropping the Kovter Trojan.
This sharing of infrastructure between Locky and Sage once again proves how cybercriminals often reuse delivery infrastructure and malware support. The overlapping distribution of these two ransomware pieces can be seen as evidence of the commodity status for such infections.
“First, the shared infrastructure provides a high-fidelity indicator of compromise that can be preemptively blocked to foil the delivery of multiple ransomware varieties. Secondly, since the qualitative tactics, techniques, and procedures used in the distribution of these ransomware varieties are nearly identical and closely resemble classic phishing narratives easily recognizable to users prepared and empowered to identify and report phishing emails.” – PhishMe states.
