Security researchers noted a follow-up malspam campaign to yesterday's widespread campaign, which was delivering Locky ransomware.
The attachment used in the latest campaign is another malicious ZIP file containing obfuscated JavaScript. When the JavaScript runs, the Locky ransomware is downloaded and executed.
Nevertheless, in some cases the payloads have been replaced with content placed, seemingly by a vigilante, to stop the infections. This campaign is quite similar to the previous Locky campaign, though there are some differences as well.
The details in the SMTP headers that can be used for identification and blocking on SMTP gateways are provided below:
Received: from [197.7.89.146] ([197.7.89.146])
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"
Mime-Version: 1.0
Subject: Image188947315129.pdf
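The headers above are enough to build a gateway-side check. The following is an added example, not code from the original report: it parses a raw message with Python's standard email library and counts how many of the reported indicators (originating IP in Received, the Image<digits>.pdf subject shape, the Android-style MIME boundary, and a ZIP attachment) are present. The sample message is constructed for illustration; only the header values mirror the report, and the attachment bytes are a dummy.

```python
import email
import re
from email import policy

# Indicators drawn from the SMTP headers quoted in the report above.
CAMPAIGN_SOURCE_IPS = {"197.7.89.146"}
SUBJECT_RE = re.compile(r"^Image\d+\.pdf$")                # Subject: Image<digits>.pdf
BOUNDARY_RE = re.compile(r"^--_com\.android\.email_\d+$")  # Android mail client boundary
RECEIVED_IP_RE = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def score_message(raw: bytes) -> dict:
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Originating host from every Received: header
    for received in msg.get_all("Received", []):
        for ip in RECEIVED_IP_RE.findall(str(received)):
            if ip in CAMPAIGN_SOURCE_IPS:
                hits.append(f"received_ip:{ip}")

    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject_pattern")

    # The boundary parameter of the top-level Content-Type header
    if BOUNDARY_RE.match(msg.get_boundary() or ""):
        hits.append("android_boundary")

    # ZIP attachments, the carrier for the obfuscated .js in this campaign
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits.append(f"zip_attachment:{name}")

    return {"hits": hits, "score": len(hits)}


# Constructed sample message (not a real capture): the headers mirror the
# values quoted in the report, the body text and attachment bytes are dummies.
SAMPLE_RAW = b"""\
Received: from [197.7.89.146] ([197.7.89.146])
From: sender@example.test
To: victim@example.test
Subject: Image188947315129.pdf
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"

----_com.android.email_7844755908151083
Content-Type: text/plain

See attached.
----_com.android.email_7844755908151083
Content-Type: application/zip; name="Image188947315129.zip"
Content-Disposition: attachment; filename="Image188947315129.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
----_com.android.email_7844755908151083--
"""

if __name__ == "__main__":
    result = score_message(SAMPLE_RAW)
    verdict = "QUARANTINE" if result["score"] >= 2 else "deliver"
    print(verdict, result)
```

Scoring on several weak indicators rather than blocking on the single source IP keeps the rule useful once the sender changes hosts; the threshold of two hits in the usage block is an assumption to tune against your own mail volume.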
The security experts noted two different attachments in this campaign, “Image188947315129.zip” and “Image015817007855.zip”, each of which contained malicious obfuscated JavaScript: “XEG4423684542.js” (MD5: EABC24136ADBD001B760B0921AE34B3A) and “GMQ8844765523.js” (MD5: 5F166B5F7BA8B28BB3671FB03E59C41C), respectively.
When run, the JavaScript attempts to download Locky ransomware from the following locations:
hxxp://dev.fanjs[.]com/762trg22e2.exe (76.163.238[.]1)
hxxp://foodbeverageandmore[.]com/762trg22e2.exe (107.180.3[.]144)
Apparently, a cyber criminal or security researcher has compromised some of the Locky infrastructure and replaced the executable content returned to victim machines with the plain phrase “STUPID LOCKY”. Because the JavaScript saves the returned content as an executable and runs it, a potential victim is simply presented with an NTVDM error instead of having their machine contact the C&C servers, so their files are never encrypted.
The activity described above is reminiscent of a vigilante's earlier work disrupting TeslaCrypt and CryptoWall campaigns by replacing the ransomware executables with a legitimate, signed Avira installer.
The properly returned executable from the second URI sends a POST request to one of the following hardcoded C&C servers until one responds:
hxxp://217.12.218[.]158/main.php
hxxp://46.8.44[.]39/main.php
hxxp://84.19.170[.]244/main.php
hxxp://92.63.87[.]106/main.php
If none of the hardcoded C&C servers returns a valid response to the infected machine, Locky ransomware falls back to its DGA and attempts the same POST request to each DGA domain until it receives a response.
The security experts uncovered the following DGA domains:
sjllohtye[.]biz (93.170.104[.]127)
njsywiywdkduqf[.]pw
pespmgllshllawl[.]pw
hgdfckemfh[.]su
iklhklchoysy[.]info
edbfweandaenucdv[.]ru
rxomuatv[.]work
aqpsebjtrlhkqc[.]pw
liyidvxt[.]org
ctfikhkllrtos[.]org
qnwssjypbkg[.]pl
xllxdsdb[.]su
The specialists recommend blocking all of the above IOCs in your environment to protect against the threat.
Summary of IOCs (IP Addresses):
197.7.89[.]146
76.163.238[.]1
107.180.3[.]144
217.12.218[.]158
46.8.44[.]39
92.63.87[.]106
84.19.170[.]244
93.170.104[.]127
URIs:
hxxp://dev.fanjs[.]com/762trg22e2.exe
hxxp://foodbeverageandmore[.]com/762trg22e2.exe
hxxp://217.12.218[.]158/main.php
hxxp://46.8.44[.]39/main.php
hxxp://84.19.170[.]244/main.php
hxxp://92.63.87[.]106/main.php
DGA Domains:
sjllohtye[.]biz
njsywiywdkduqf[.]pw
pespmgllshllawl[.]pw
hgdfckemfh[.]su
iklhklchoysy[.]info
edbfweandaenucdv[.]ru
rxomuatv[.]work
aqpsebjtrlhkqc[.]pw
liyidvxt[.]org
ctfikhkllrtos[.]org
qnwssjypbkg[.]pl
xllxdsdb[.]su
Malware MD5s:
EABC24136ADBD001B760B0921AE34B3A
5F166B5F7BA8B28BB3671FB03E59C41C
ACD788E3631943E41412C7A0D657AB67
Filenames:
Image188947315129.zip
Image015817007855.zip
XEG4423684542.js
GMQ8844765523.js
762trg22e2.exe
gBriuuN.exe
uXQgVHBL.exe
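Blocking the listed IOCs is only half of the job; the other half is checking whether anything already talked to them. The following is an added example, not part of the original report: it takes the IOC summary above in its defanged form, refangs it, and runs it over proxy log lines. It also flags a POST to /main.php on an unlisted host, since the report says Locky retries that same request against DGA domains that no static list will contain. The log format, timestamps, client addresses and the .pw domain on the third sample line are constructed for illustration; every other host and hash comes from the report.

```python
import re
from urllib.parse import urlparse

# IOCs exactly as listed in the report above, kept in their defanged form.
IOC_IPS = """197.7.89[.]146 76.163.238[.]1 107.180.3[.]144 217.12.218[.]158
46.8.44[.]39 92.63.87[.]106 84.19.170[.]244 93.170.104[.]127""".split()
IOC_DOMAINS = """dev.fanjs[.]com foodbeverageandmore[.]com sjllohtye[.]biz
njsywiywdkduqf[.]pw pespmgllshllawl[.]pw hgdfckemfh[.]su iklhklchoysy[.]info
edbfweandaenucdv[.]ru rxomuatv[.]work aqpsebjtrlhkqc[.]pw liyidvxt[.]org
ctfikhkllrtos[.]org qnwssjypbkg[.]pl xllxdsdb[.]su""".split()
IOC_MD5S = """EABC24136ADBD001B760B0921AE34B3A 5F166B5F7BA8B28BB3671FB03E59C41C
ACD788E3631943E41412C7A0D657AB67""".split()


def refang(indicator: str) -> str:
    """Turn the report's defanged notation back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://").lower()


KNOWN_IPS = {refang(x) for x in IOC_IPS}
KNOWN_DOMAINS = {refang(x) for x in IOC_DOMAINS}
KNOWN_MD5S = {x.lower() for x in IOC_MD5S}  # logs often carry lowercase hashes

# Assumed (constructed) proxy log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line: str):
    """Return (verdict, host) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host in KNOWN_IPS or host in KNOWN_DOMAINS:
        return ("known_ioc", host)
    # Locky's check-in is a POST to /main.php, retried against DGA domains when the
    # hardcoded C&C servers fail, so that path on an unlisted host deserves a look.
    if m["method"] == "POST" and url.path == "/main.php":
        return ("possible_dga_fallback", host)
    return ("clean", host)


def scan(lines):
    """Return every non-clean line with its verdict."""
    findings = []
    for line in lines:
        verdict = classify(line)
        if verdict and verdict[0] != "clean":
            findings.append((line, verdict))
    return findings


def known_hash(md5: str) -> bool:
    """Case-insensitive lookup against the report's MD5 list."""
    return md5.strip().lower() in KNOWN_MD5S


# Constructed sample log lines: timestamps, client IPs and the .pw domain on the
# third line are made up; the remaining hosts are the report's IOCs.
SAMPLE_LOGS = [
    "2016-02-23T10:01:02Z 10.0.0.5 GET http://dev.fanjs.com/762trg22e2.exe 200",
    "2016-02-23T10:01:09Z 10.0.0.5 POST http://217.12.218.158/main.php 200",
    "2016-02-23T10:01:15Z 10.0.0.5 POST http://qwlmxkprt.pw/main.php 200",
    "2016-02-23T10:02:00Z 10.0.0.7 GET http://www.example.test/index.html 200",
]

if __name__ == "__main__":
    for line, (kind, host) in scan(SAMPLE_LOGS):
        print(f"{kind:22} {host:20} {line}")
```

The DGA heuristic will produce some noise on hosts that legitimately serve a /main.php, so treat that verdict as a lead for analysts rather than an automatic block; the exact-match verdicts are safe to act on directly.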