Locky emerges out of hibernation, hits 20 million mailboxes

After disappearing for months, Locky ransomware is back, and in force. The strain first made headlines in February 2016 when a US medical centre paid a US$17,000 bitcoin ransom to regain access to patient data; the hospital said paying was the quickest way to resume caring for patients.

In this latest campaign, Locky is primarily being distributed via email as a Word document posing as an invoice. In just one day last month, more than 20 million phishing emails appeared, flooding inboxes with the ransomware.

Delivery: The following figure lists malicious domains from which the Locky ransomware has been downloaded:

 

Figure 1 Malicious domain which downloads Locky ransomware

Security researchers have observed a number of distribution methods, the most popular of which has been an email phishing campaign:

 

Figure 2 Malicious Email Attachment

The email attachment is a zip file concealing a Visual Basic Script (VBS) file. When the victim runs the script, it downloads the latest Locky sample. The download host in this case is greatesthits(.)mygoldmusic(.)com, a known malware site, as shown below:

 

Figure 3 VT hits for malicious domain

Further analysis on the same domain shows it is linked to at least half a dozen malware samples:

 

Figure 4 Latest Locky samples from greatesthits mygold music (malicious domain)

In addition to the malicious Word document, we have also seen a fake Dropbox account verification email used to distribute the malware. Upon clicking the link, the victim is directed to a spoofed Dropbox page. The user is told their account cannot be verified:

 

Figure 5 Fake Dropbox page

Below are the VirusTotal hits for the fake Dropbox URL:

 

Figure 6 Fake Dropbox url (VT hits for malicious url)

The user is then told to download a JavaScript (.js) file. If the user opens it, the script fetches and runs Locky, and the files on the machine are encrypted.

 

Figure 7 Downloading file

Infection – Behavioural Analysis:

MD5: 6480fc6b8c2d76965520d5184b5190a1

File type/size: VBS file/43 KB.

 

This script drops the ransomware and associated files: C44DEDDA.exe, csrss.exe, 814C2B0A.exe, 0208oi[1].exe and rad8D858.tmp. We then executed these files in our controlled environment:

 

Figure 8 Execution of malicious files

All of these files probe for open network ports and create new Run entries:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Client Server Runtime Subsystem"
        Type: REG_SZ
        Data: "C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CSRSS"
        Type: REG_SZ
        Data: "C:\Documents and Settings\All Users\Application Data\Drivers\csrss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NetworkSubsystem"
        Type: REG_SZ
        Data: "C:\Documents and Settings\All Users\Application Data\Csrss\csrss.exe"
These Run entries give the malware persistence: the payload is copied to three separate locations under the name csrss.exe, mimicking the legitimate Client Server Runtime Subsystem (the real csrss.exe lives in %SystemRoot%\System32 and is started by the OS, not from a Run key), and each copy is launched again at logon.

Figure 9 csrss.exe created in %appdata% location
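The three Run entries above share a pattern that can be checked mechanically: a value that launches a binary named after a core Windows process (csrss.exe) from a user-writable directory rather than %SystemRoot%\System32. The following Python check is an added example, not the post's own tooling. It audits Run-key entries supplied as (key, value name, command) tuples, so it can be run offline against exported registry data; the entries are constructed for the example (the first three mirror the keys listed above, the two benign-looking ones are added for contrast), and the list of system process names and writable-directory markers are assumptions made for this example, not exhaustive lists.

```python
import ntpath
import re

# Core Windows processes are started by the OS itself (smss/wininit/winlogon),
# never from a Run key; a Run value that launches one of these names is a
# masquerade. The list is an assumption for this example, not exhaustive.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "lsass.exe", "services.exe", "svchost.exe",
}

# Directory fragments that indicate a user-writable location: the XP-era
# "Application Data" seen on this page plus its Vista+ equivalents.
WRITABLE_DIR_MARKERS = (
    "\\application data\\", "\\programdata\\", "\\appdata\\",
    "\\temp\\", "\\users\\public\\",
)


def image_path_from_command(command):
    """Extract the executable path from a Run-key command string.

    Quoted commands are taken up to the closing quote; unquoted ones are cut
    after the first '.exe' so that arguments are dropped. This is a heuristic,
    but it covers the forms seen in the entries above.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def audit_run_entry(key, value_name, command):
    """Return a finding dict for a suspicious Run entry, or None."""
    path = image_path_from_command(command)
    base = ntpath.basename(path).lower()
    # Wrap in backslashes so the markers match at either end of the path.
    directory = "\\" + ntpath.dirname(path).lower() + "\\"
    reasons = []
    if base in SYSTEM_PROCESS_NAMES:
        reasons.append("%s is started by the OS, never from a Run key" % base)
    if any(marker in directory for marker in WRITABLE_DIR_MARKERS):
        reasons.append("image lives under a user-writable directory")
    if not reasons:
        return None
    # A system-process name is a strong signal on its own; a writable directory
    # alone is weak, since many legitimate per-user applications live in AppData.
    severity = "high" if base in SYSTEM_PROCESS_NAMES else "low"
    return {"key": key, "value": value_name, "image": path,
            "severity": severity, "reasons": reasons}


def audit_run_entries(entries):
    """Audit an iterable of (key, value_name, command) tuples."""
    return [f for f in (audit_run_entry(*e) for e in entries) if f]


# Constructed for this example: the first three mirror the entries on this page.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Client Server Runtime Subsystem",
     r'"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CSRSS",
     r'"C:\Documents and Settings\All Users\Application Data\Drivers\csrss.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "NetworkSubsystem",
     r'"C:\Documents and Settings\All Users\Application Data\Csrss\csrss.exe"'),
    # Benign-looking entries added for contrast.
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(finding["severity"].upper(), finding["value"], finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the three csrss.exe entries come out as high-severity findings and the OneDrive entry as a low one; the writable-directory rule is deliberately kept as a weak signal so that per-user software does not drown out the masquerading entries.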

The process memory strings contain Tor client artefacts: function names from Tor's routerlist.c and 40-hex-digit relay identity fingerprints:

•    router_purpose_to_string

•    router_get_all_orports

•    D27178388FA75B96D37FA36E0B015227DDDBDA51

•    B59F6E99C575113650C99F1C425BA7B20A8C071D

•    A61682F34B9BB9694AC98491FE1ABBFE61923941

•    9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227

•    9904B52336713A5ADCB13E4FB14DC919E0D45571

•    98CC82342DE8D298CF99D3F1A396475901E0D38E

•    87326329007AF781F587AF5B594E540B2B6C7630

•    57B85409891D3FB32137F642FDEDF8B7F8CDFDCD

•    0E7E9C07F0969D0468AD741E172A6109DC289F3C

•    09CD84F751FD6E955E0F8ADB497D5401470D697E

•    download_status_reset_by_sk_in_cl

•    routerlist.c

•    dlstatus

•    download_status_is_ready_by_sk_in_cl

•    certs_out

•    authority_cert_get_all

•    fp-sk/

Searching for these strings shows that they come from routerlist.c in the Tor source, the file that maintains a Tor client's global list of known relays; a copy is available on GitHub (https://github.com/kaist-ina/SGX-Tor/blob/master/Enclave/TorSGX/routerlist.c). Further strings give the bundled Tor client's data directory and a bootstrap log line:

•    $F397038ADC51336135E7B80BD99CA3844360292B~F397038ADC51336135E at 76.73.17.194

•    C:\Documents and Settings\Application Data\tor

•    C:\Documents and Settings\Application Data\tor\torrc

•    C:\Documents and Settings\Application Data\tor\torrc-defaults

•    WARN BOOTSTRAP PROGRESS=5 TAG=conn_dir SUMMARY="Connecting to directory server" WARNING="No route to host [WSAEHOSTUNREACH ]" REASON=NOROUTE COUNT=3 RECOMMENDATION=warn

•    Windows XP

•    F397038ADC51336135E7B80BD99CA3844360292B

These strings show that the sample carries an embedded Tor client, with its data directory and torrc under Application Data\tor, and that it attempts to bootstrap by contacting a directory server. The payload uses this embedded client to make its Tor connections; the BOOTSTRAP warning with REASON=NOROUTE records an attempt that failed because the isolated analysis VM had no route out.

 

Figure 10 after infection of Locky ransomware

After successful infection, the victim's desktop wallpaper is changed to a Locky ransom message, which tells the victim to open one of a dozen README files dropped on the desktop and in the root of C:\:

 

Figure 11 Readme files and crypted file

Below is the ransom note victims see:

 

Threat Indicators – IOC details:

Fake Dropbox URL:


hxxp://busad(.)com/dropbox.html

hxxp://autoecoledufrene(.)com/dropbox.html

hxxp://autoecoleboisdesroches(.)com/dropbox.html

hxxp://tasgetiren(.)com/dropbox.html

hxxp://potamitis(.)gr/dropbox.html

hxxp://jaysonmorrison(.)com/dropbox.html

hxxp://arthurdenniswilliams(.)com/dropbox.html

hxxp://gruporoados(.)com/dropbox.html

hxxp://patrickreeves(.)com/dropbox.html

hxxp://eifel-netz(.)de/dropbox.html

hxxp://albion-cx22(.)co.uk/dropbox.html

hxxp://jakuboweb(.)com/dropbox.html

hxxp://flooringforyou(.)co.uk/dropbox.html

hxxp://binarycousins(.)com/dropbox.html

hxxp://dar-alataa(.)com/dropbox.html

hxxp://gestionale-orbit(.)it/dropbox.html

hxxp://aegelle(.)com/dropbox.html

hxxp://griffithphoto(.)com/dropbox.html

hxxp://fachwerkhaus(.)ws/dropbox.html

hxxp://melting-potes(.)com/dropbox.html

hxxp://willemshoeck.nl/dropbox.html

hxxp://benjamindiggles(.)com/dropbox.html

hxxp://avtokhim(.)ru/dropbox.html

hxxp://autoecoleathena(.)com/dropbox.html

hxxp://bayimpex(.)be/dropbox.html

IP addresses:

176(.)56(.)58(.)114

185(.)18(.)197(.)109

173(.)192(.)66(.)137

203(.)183(.)65(.)225

194(.)173(.)175(.)16

62(.)4(.)8(.)233

67(.)19(.)68(.)83

47(.)89(.)249(.)74 

199(.)30(.)241(.)139

202(.)237(.)149(.)19

66(.)84(.)8(.)235

83(.)169(.)22(.)79

91(.)121(.)111(.)185                    

91(.)209(.)7(.)116

91(.)234(.)195(.)48

Locky download and related URL:

gbass(.)ch/tJHGskdioj                                                

garage-fiat(.)be/tJHGskdioj                                                

futurehemp(.)com/tJHGskdioj                                                

furukawa-iin(.)net/tJHGskdioj                                               

freevillemusic(.)com/tJHGskdioj

vinneydropmodorfosius(.)net/af/tJHGskdioj                                               

hightechavenue(.)com/tJHGskdioj                          

greatesthits.mygoldmusic(.)com/tJHGskdioj                                                

graficasicarpearanjuez(.)com/tJHGskdioj                                                

goldenspikerails(.)net/tJHGskdioj                                                

hecam(.)de/tJHGskdioj                                                

hdvmedia(.)nl/tJHGskdioj                                                

go-coo(.)jp/tJHGskdioj                                                

gewinnspiel-sachsenhausen(.)de/tJHGskdioj                                               

gestione.easyreplica(.)com/tJHGskdioj                                               

Pattern of php files in malicious URL:

Regex for the php file: \/w\/[0-9a-z]{4}\.php

konferencjaora[.]pl/w/523f.php

autonikos[.]pl/w/6dty.php

oxfordschoolkotputli[.]com/w/vait.php

j3[.]rodolfogn[.]com/w/qn0b.php

martinagebhardt[.]hu/w/uol4.php
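As an added example (not code from the original post), here is a small Python scanner that applies the delivery-side indicators above to web-proxy log lines: the tJHGskdioj download path, the /w/xxxx.php pattern (the page's regex, without the escaped slashes it carries in JavaScript form), dropbox.html served from any host other than dropbox.com, and the listed IP addresses. The log lines, their field layout (timestamp, client, method, URL) and the three-IP subset are constructed for the example; extend the sets with the full lists on this page and adjust the field split to your proxy's format.

```python
import re
from urllib.parse import urlsplit

# Delivery-side indicators from this page, written undefanged so that they
# match real log data. The IP set is a three-entry subset of the page's list.
LOCKY_DOWNLOAD_PATH = "/tJHGskdioj"
PHP_STAGE_RE = re.compile(r"/w/[0-9a-z]{4}\.php$")   # page's regex, Python form
FAKE_DROPBOX_PAGE = "/dropbox.html"
LOCKY_IOC_IPS = {"176.56.58.114", "185.18.197.109", "91.234.195.48"}


def classify_url(url):
    """Return the name of the indicator a URL matches, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host in LOCKY_IOC_IPS:
        return "locky-ioc-ip"
    if path.endswith(LOCKY_DOWNLOAD_PATH):
        return "locky-download-path"
    if PHP_STAGE_RE.search(path):
        return "locky-php-stage"
    # dropbox.html is only suspicious when it is not served by Dropbox itself.
    if path == FAKE_DROPBOX_PAGE and host != "dropbox.com" \
            and not host.endswith(".dropbox.com"):
        return "fake-dropbox-page"
    return None


# Constructed proxy log lines for the example: timestamp, client, method, URL.
# The field layout is an assumption; adjust the split for your proxy's format.
SAMPLE_LOG = """\
1505260801.123 10.0.0.15 GET http://greatesthits.mygoldmusic.com/tJHGskdioj
1505260802.456 10.0.0.15 GET http://busad.com/dropbox.html
1505260803.789 10.0.0.22 GET https://www.dropbox.com/dropbox.html
1505260804.001 10.0.0.22 GET http://konferencjaora.pl/w/523f.php
1505260805.002 10.0.0.31 GET http://example.org/w/toolong1.php
1505260806.003 10.0.0.31 GET http://185.18.197.109/af/tJHGskdioj
1505260807.004 10.0.0.40 GET http://intranet.example.org/index.html
"""


def scan_proxy_log(text):
    """Return a list of (client, url, indicator) for each matching log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        indicator = classify_url(url)
        if indicator:
            hits.append((client, url, indicator))
    return hits


if __name__ == "__main__":
    for client, url, indicator in scan_proxy_log(SAMPLE_LOG):
        print("%-10s %-20s %s" % (client, indicator, url))
```

On the sample log the scanner flags four of the seven lines; the genuine www.dropbox.com request and the /w/toolong1.php request (eight characters where the pattern requires exactly four) are correctly left alone. The IP check runs first so that a listed address is reported even when the path on it is new.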

Ransom note:

To decrypt the files you should send the following code: 647698A1C322BA348201|801|6|2

Email: Novikov(.)Vavila(at)gmail(.)com

Tor addresses in the ransom note:

hxxp://cryptsen7fo43rr6(.)onion/

hxxp://cryptsen7fo43rr6(.)onion.to/

hxxp://cryptsen7fo43rr6(.)onion(.)cab/

Extension: 647698A1C322BA348201.crypted000007

Caveat on attribution: an email contact address in the note, the cryptsen7fo43rr6(.)onion support site, the .crypted000007 extension and a bundled Tor client are characteristics documented for the Shade (Troldesh) ransomware family, whereas Locky's 2017 variants renamed files with their own extensions and sent victims to a web-based decryptor page rather than an email address. Before using the note, the extension or the .onion addresses as Locky indicators, confirm the family of the payload dropped by the VBS against family-specific signatures; the delivery-side indicators above (the tJHGskdioj download paths, the /w/xxxx.php stages and the fake Dropbox pages) stand regardless.

Conclusion: As long as Locky continues to encrypt victim machines successfully, it will keep resurfacing. We recommend that defenders load the IOCs above into mail, web-proxy and endpoint alerting so that the infection methods seen here (the malicious zip attachment and the fake Dropbox links) are blocked at the delivery stage.

As always, treat email attachments and links from unknown senders with caution. Finally, keep anti-malware software, including any anti-ransomware module, up to date; it is a backstop behind blocking delivery, not a substitute for it.

 


On 2017-09-13
