Threat Intelligence Blog

Posted March 23, 2016

Widespread Malspam Campaign Delivering Locky Ransomware

By Steven Weinstein

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a widespread malspam campaign sent to victims appearing as if it had been an email to themselves with a malicious attachment. The attachment in this campaign is a malicious zip file containing malicious obfuscated JavaScript. Upon running the JavaScript, the Locky ransomware is downloaded and executed. Sinkhole data explained below shows just how quickly this campaign is impacting victims.

As we have covered in previous blogs, Locky has been well documented, so again we’ll just focus solely on our observations and the IOCs associated with this campaign.

The malicious emails contained only the attachment with no body. Below is a screenshot of what an example of this malspam campaign looks like, in which the from address and the to address are identical:

[Screenshot: example malspam email from this campaign, with identical from and to addresses]

Below are the details in the SMTP headers that can be used for identification and blocking on your SMTP gateways:

Received: from [103.3.213.170] ([103.3.213.170])
Content-Type: multipart/mixed; boundary=Apple-Mail-196AF981-9BA8-6875-E9C9-C4546A15582B
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Subject: Document 2
X-Mailer: iPhone Mail (13B143)
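As an added example (this is not LookingGlass code), the following Python script applies the traits described above to a raw message on a mail gateway: identical From and To addresses, no body text, a sending IP quoted in this post, the quoted X-Mailer string, and a zip attachment that carries a script file. Both sample messages are constructed here; the zip holds a harmless placeholder file named after the attachment from the post, not the real script.

```python
"""Triage heuristics for the self-addressed Locky malspam described above.

Added example, not part of the LookingGlass post. Sample messages are
constructed; the attached zip contains a harmless placeholder only.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted in the post: spam-sending IPs and the X-Mailer string.
SENDER_IPS = {"103.3.213.170", "197.7.89.146"}
MAILER_STRINGS = ("iPhone Mail (13B143)",)
# Script extensions worth flagging inside a zip attachment (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def received_ips(msg):
    """Collect bracketed IPv4 literals from every Received: header."""
    ips = set()
    for hdr in msg.get_all("Received", []):
        ips.update(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr)))
    return ips


def script_members(blob):
    """List zip members with a script extension, without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return the campaign traits a raw RFC 822 message exhibits (empty list = no match)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = str(msg.get("From", "")).strip().lower()
    rcpt = str(msg.get("To", "")).strip().lower()
    if sender and sender == rcpt:
        reasons.append("from-equals-to")
    # The campaign's emails carried no body at all: no text/plain part with content.
    text = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.is_attachment())
    if not text.strip():
        reasons.append("empty-body")
    for ip in sorted(received_ips(msg) & SENDER_IPS):
        reasons.append("known-sender-ip:" + ip)
    if str(msg.get("X-Mailer", "")) in MAILER_STRINGS:
        reasons.append("x-mailer-match")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in script_members(part.get_content()):
                reasons.append("zip-with-script:%s/%s" % (name, member))
    return reasons


def build_sample():
    """Constructed message mirroring the quoted headers, with a placeholder zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YRZ5851735916.js", "// harmless placeholder, not the real script\n")
    m = EmailMessage()
    m["Received"] = "from [103.3.213.170] ([103.3.213.170])"
    m["From"] = "user@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Document 2"
    m["X-Mailer"] = "iPhone Mail (13B143)"
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Document 2.zip")
    return m.as_bytes()


def build_benign():
    """Constructed ordinary message that should trigger none of the checks."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "lunch"
    m.set_content("See you at noon.")
    return m.as_bytes()


if __name__ == "__main__":
    print("malspam sample:", triage(build_sample()))
    print("benign sample: ", triage(build_benign()))
```

A single trait (a self-addressed mail, or the X-Mailer string) is weak on its own; the combination of several, especially an empty body plus a zip whose members are script files, is what makes this pattern worth quarantining or routing to a sandbox.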

Upon unzipping the attached “Document 2.zip” file, the malicious obfuscated JavaScript “YRZ5851735916.js” (MD5: D450A17F72724E558A629D5FEEFF3ECC) is unpacked. If run, the JavaScript downloads Locky from the following location:

hxxp://angleeseng[.]com[.]sg/system/logs/98h7b66gb.exe (103.9.103[.]191)

The returned executable is Locky (MD5: 9F622033CFE7234645C3C2D922ED5279), which then sends a POST to one of the following hardcoded C&C servers until one responds:

hxxp://92.63.87[.]106/main.php
hxxp://84.19.170[.]244/main.php
hxxp://195.64.154[.]126/main.php

If none of the hardcoded C&C servers provide a valid response back to the infected machine, Locky will fall back to its DGA and will attempt to make the same POST request to each DGA domain until it receives a response. The CTIG observed the following DGA domains on March 22, 2016:

txscftg[.]org
tmmkjuy[.]biz
kokinkmnjclb[.]pl
gfjyfmpujgrmwnsge[.]click (5.39.76[.]12)
uoyhjglovheagq[.]click
apahmkwd[.]biz
tkkykeqa[.]ru
bwefjxmug[.]xyz
dctalnpaqouul[.]pl
iwwrrkudr[.]pw
rhesnxtgafwsxlj[.]work
qbhaqxgt[.]xyz

The LookingGlass CTIG has sinkholed one of the domains via our VirusTracker and has observed 837 unique infected IP addresses in only one hour, with the following distribution of impacted countries:

[Chart: country distribution of sinkholed infected IP addresses; the data is in the table below]

%       Count   Country
18.04   151     Other
10.04   84      United States
8.12    68      Argentina
7.41    62      Czech Republic
6.81    57      Poland
5.14    43      Spain
4.78    40      Turkey
4.54    38      Italy
3.46    29      Netherlands
3.11    26      Germany
2.99    25      France
2.63    22      Israel
2.63    22      Japan
2.51    21      Bulgaria
2.51    21      Croatia
2.39    20      Canada
2.39    20      United Kingdom
2.27    19      Chile
2.15    18      Mexico
1.67    14      Brazil
1.55    13      Romania
1.55    13      Serbia
1.31    11      Philippines

The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat. LookingGlass ScoutVision has observed 103.9.103.191 as distributing executables since February 15, 2016, as well as the three hardcoded C&C IP addresses since yesterday morning.

It is also interesting to note that the IP address responsible for sending the emails (103.3.213[.]170) was observed by LookingGlass ScoutVision to be part of the spam-sending Kelihos botnet as early as March 12, 2016, which could easily explain the widespread nature of this campaign.

Summary of IOCs:

IP Addresses:

  • 103.3.213[.]170
  • 103.9.103[.]191
  • 92.63.87[.]106
  • 84.19.170[.]244
  • 195.64.154[.]126
  • 5.39.76[.]12

URIs:

  • hxxp://angleeseng[.]com[.]sg/system/logs/98h7b66gb.exe
  • hxxp://92.63.87[.]106/main.php
  • hxxp://84.19.170[.]244/main.php
  • hxxp://195.64.154[.]126/main.php 

DGA Domains:

  • txscftg[.]org
  • tmmkjuy[.]biz
  • kokinkmnjclb[.]pl
  • gfjyfmpujgrmwnsge[.]click
  • uoyhjglovheagq[.]click
  • apahmkwd[.]biz
  • tkkykeqa[.]ru
  • bwefjxmug[.]xyz
  • dctalnpaqouul[.]pl
  • iwwrrkudr[.]pw
  • rhesnxtgafwsxlj[.]work
  • qbhaqxgt[.]xyz

Malware MD5s:

  • D450A17F72724E558A629D5FEEFF3ECC
  • 196893382E49B4D51D1EC82E3FA4A9C0

Filenames:

  • Document 2.zip
  • YRZ5851735916.js
  • 98h7b66gb.exe
  • yROdkAds.exe

Additionally, today CTIG observed a follow-up malspam campaign to yesterday’s widespread campaign delivering the Locky Ransomware. The attachment in this campaign is another malicious zip file containing malicious obfuscated JavaScript. Upon running the JavaScript, the Locky ransomware is downloaded and executed. However, in some instances, the payloads have been replaced with content placed seemingly by a vigilante aimed at stopping the infections.

This campaign is nearly identical to yesterday’s Locky campaign, so today we’ll just get right to the differences and the IOCs.

Below is a screenshot of what an example of this malspam campaign looks like, in which the from address and the to address are identical:

[Screenshot: example malspam email from the follow-up campaign, with identical from and to addresses]

Below are the details in the SMTP headers that can be used for identification and blocking on your SMTP gateways:

Received: from [197.7.89.146] ([197.7.89.146])
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"
Mime-Version: 1.0
Subject: Image188947315129.pdf

The CTIG observed two different attachments in this campaign, “Image188947315129.zip” and “Image015817007855.zip”, which each contained malicious obfuscated JavaScript – “XEG4423684542.js” (MD5: EABC24136ADBD001B760B0921AE34B3A) and “GMQ8844765523.js” (MD5: 5F166B5F7BA8B28BB3671FB03E59C41C), respectively. If run, the JavaScript would attempt to download Locky from the following locations:

hxxp://dev.fanjs[.]com/762trg22e2.exe (76.163.238[.]1)
hxxp://foodbeverageandmore[.]com/762trg22e2.exe (107.180.3[.]144)

While the second payload URI returned the expected Locky payload (MD5: ACD788E3631943E41412C7A0D657AB67), the first payload URI returned something a little more interesting:

[Screenshot: HTTP response from the first payload URI, whose body reads “STUPID LOCKY” instead of an executable]

It appears that a vigilante hacker or security researcher has compromised some of the Locky infrastructure and has replaced the executable content being returned to victim machines simply with a phrase “STUPID LOCKY”. Since the JavaScript saves the returned content as an executable and executes it, a potential victim would simply be presented with an NTVDM error instead of having their machine communicate with the C&C servers, stopping their files from becoming encrypted:
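The reason a replaced payload ends in an NTVDM error rather than an infection is that Windows decides how to load a file from its contents, not its name: a “.exe” whose bytes do not begin with an MZ header and a PE signature is treated as a 16-bit DOS program and handed to NTVDM, which then fails. The helper below (an added example, my code rather than LookingGlass’s) performs that same header check on what a download URI returned, which is a check a proxy or sandbox can apply before trusting an executable response. The PE bytes it constructs are a header-only stand-in for testing, not a real program.

```python
"""Classify what a payload URI returned: a PE executable or something else.

Added example, not part of the LookingGlass post. minimal_pe() builds a
header-only stand-in for a Windows executable; it is not runnable code.
"""
import struct


def classify_payload(blob):
    """Return 'pe', 'mz-only' (DOS header without PE signature) or 'not-executable'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return "not-executable"
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # PE signature (4 bytes) plus COFF file header (20 bytes) must fit in the blob.
    if e_lfanew + 24 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz-only"


def is_mostly_text(blob, threshold=0.95):
    """True when the bytes are printable ASCII, as the replaced payload was."""
    if not blob:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= threshold


def minimal_pe():
    """Constructed stand-in: MZ stub, e_lfanew, PE signature and a zeroed COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)  # Machine=i386, rest zero
    return bytes(dos) + b"PE\0\0" + coff


def describe(blob):
    """One-line verdict for a downloaded blob, as a sandbox log line might record it."""
    kind = classify_payload(blob)
    if kind != "pe" and is_mostly_text(blob):
        return "%s (text: %r)" % (kind, blob[:32].decode("ascii", "replace"))
    return kind


if __name__ == "__main__":
    # Constructed inputs: the phrase the post reports, and the header-only stand-in.
    print(describe(b"STUPID LOCKY"))
    print(describe(minimal_pe()))
```

A non-PE body served for an executable URL is itself a useful signal in proxy telemetry: it means the download chain was broken somewhere, whether by a takedown, a vigilante, or a sinkhole, and the client that requested it still ran a malicious script and should be looked at.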

[Screenshot: NTVDM error dialog shown when the saved “STUPID LOCKY” text is executed]

This activity is reminiscent of the work by a vigilante to disrupt CryptoWall and TeslaCrypt campaigns by replacing the ransomware executables with a legitimate and signed Avira installer.

The properly returned executable from the second URI sends a POST to one of the following hardcoded C&C servers until one responds:

hxxp://217.12.218[.]158/main.php
hxxp://46.8.44[.]39/main.php
hxxp://84.19.170[.]244/main.php
hxxp://92.63.87[.]106/main.php

If none of the hardcoded C&C servers provide a valid response back to the infected machine, Locky will fall back to its DGA and will attempt to make the same POST request to each DGA domain until it receives a response. The CTIG observed the following DGA domains today on March 23, 2016:

sjllohtye[.]biz (93.170.104[.]127)
njsywiywdkduqf[.]pw
pespmgllshllawl[.]pw
hgdfckemfh[.]su
iklhklchoysy[.]info
edbfweandaenucdv[.]ru
rxomuatv[.]work
aqpsebjtrlhkqc[.]pw
liyidvxt[.]org
ctfikhkllrtos[.]org
qnwssjypbkg[.]pl
xllxdsdb[.]su

The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat.

Summary of IOCs:

IP Addresses:

  • 197.7.89[.]146
  • 76.163.238[.]1
  • 107.180.3[.]144
  • 217.12.218[.]158
  • 46.8.44[.]39
  • 92.63.87[.]106
  • 84.19.170[.]244
  • 93.170.104[.]127

URIs:

  • hxxp://dev.fanjs[.]com/762trg22e2.exe
  • hxxp://foodbeverageandmore[.]com/762trg22e2.exe
  • hxxp://217.12.218[.]158/main.php
  • hxxp://46.8.44[.]39/main.php
  • hxxp://84.19.170[.]244/main.php
  • hxxp://92.63.87[.]106/main.php 

DGA Domains:

  • sjllohtye[.]biz
  • njsywiywdkduqf[.]pw
  • pespmgllshllawl[.]pw
  • hgdfckemfh[.]su
  • iklhklchoysy[.]info
  • edbfweandaenucdv[.]ru
  • rxomuatv[.]work
  • aqpsebjtrlhkqc[.]pw
  • liyidvxt[.]org
  • ctfikhkllrtos[.]org
  • qnwssjypbkg[.]pl
  • xllxdsdb[.]su

Malware MD5s:

  • EABC24136ADBD001B760B0921AE34B3A
  • 5F166B5F7BA8B28BB3671FB03E59C41C
  • ACD788E3631943E41412C7A0D657AB67

Filenames:

  • Image188947315129.zip
  • Image015817007855.zip
  • XEG4423684542.js
  • GMQ8844765523.js
  • 762trg22e2.exe
  • gBriuuN.exe
  • uXQgVHBL.exe
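Both IOC summaries (yesterday’s and today’s) are printed defanged, which is right for a report but useless for a blocklist or a log search until the indicators are refanged. The following added Python example, which is not part of the LookingGlass post, refangs a subset of the indicators copied from the two summaries, sorts them into IP, domain and URL sets, and matches them against a few constructed DNS and proxy log lines. The hostnames of the payload URIs are added to the domain set as well, so a DNS lookup of a payload host is reported even when the proxy never saw the full URL.

```python
"""Refang the defanged IOCs from the two summaries and match them against logs.

Added example, not part of the LookingGlass post. Indicator strings are
copied from the summaries above; the log lines are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Copied from the two IOC summaries, defanged as printed (subset).
IOCS = [
    "103.3.213[.]170", "103.9.103[.]191", "92.63.87[.]106", "84.19.170[.]244",
    "195.64.154[.]126", "5.39.76[.]12", "197.7.89[.]146", "76.163.238[.]1",
    "107.180.3[.]144", "217.12.218[.]158", "46.8.44[.]39", "93.170.104[.]127",
    "hxxp://angleeseng[.]com[.]sg/system/logs/98h7b66gb.exe",
    "hxxp://92.63.87[.]106/main.php", "hxxp://84.19.170[.]244/main.php",
    "hxxp://195.64.154[.]126/main.php", "hxxp://217.12.218[.]158/main.php",
    "hxxp://46.8.44[.]39/main.php",
    "hxxp://dev.fanjs[.]com/762trg22e2.exe",
    "hxxp://foodbeverageandmore[.]com/762trg22e2.exe",
    "txscftg[.]org", "tmmkjuy[.]biz", "kokinkmnjclb[.]pl", "gfjyfmpujgrmwnsge[.]click",
    "sjllohtye[.]biz", "njsywiywdkduqf[.]pw", "hgdfckemfh[.]su", "xllxdsdb[.]su",
]

# Constructed DNS and proxy log lines; the 10.0.0.0/8 clients are fictional.
SAMPLE_LOG = [
    "2016-03-23T10:02:11Z dns client=10.0.0.15 query=gfjyfmpujgrmwnsge.click type=A",
    "2016-03-23T10:02:12Z proxy client=10.0.0.15 GET http://92.63.87.106/main.php status=200",
    "2016-03-23T10:05:40Z dns client=10.0.0.22 query=www.example.com type=A",
    "2016-03-23T10:07:03Z proxy client=10.0.0.31 GET http://foodbeverageandmore.com/762trg22e2.exe status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def refang(ioc):
    """Turn a defanged indicator as printed in the post back into a usable string."""
    return (ioc.strip()
            .replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("[:]", ":"))


def load_iocs(defanged):
    """Split a defanged indicator list into (ips, domains, urls) sets, lowercased."""
    ips, domains, urls = set(), set(), set()
    for raw in defanged:
        ioc = refang(raw).lower()
        if "://" in ioc:
            urls.add(ioc)
            host = urlsplit(ioc).hostname or ""
            (ips if IP_RE.fullmatch(host) else domains).add(host)
        elif IP_RE.fullmatch(ioc):
            ips.add(ioc)
        else:
            domains.add(ioc)
    return ips, domains, urls


def scan_log(lines, ips, domains, urls):
    """Return [(line_no, [(kind, ioc), ...])] for every line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        matched = set()
        for url in urls:
            if url in low:
                matched.add(("url", url))
        for ip in IP_RE.findall(low):
            if ip in ips:
                matched.add(("ip", ip))
        for host in HOST_RE.findall(low):
            if host in domains:
                matched.add(("domain", host))
        if matched:
            hits.append((n, sorted(matched)))
    return hits


if __name__ == "__main__":
    sets = load_iocs(IOCS)
    for line_no, matched in scan_log(SAMPLE_LOG, *sets):
        print(line_no, matched)
```

Domain matching here is exact, so a lookup of a subdomain of a listed domain would be missed; widening it to suffix matching is reasonable for the DGA domains but not for the payload hosts, which are compromised legitimate sites.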
