Wednesday, 11 October 2017

Locky based Downloader adds a Geo IP Check

In the ongoing Locky spam campaign, the attackers have made a small upgrade to the delivery mechanism: the VBScript-based downloaders now perform a Geo IP check. Depending on the geographical region in which the user is located, the downloader fetches either Locky or Trickbot.

Below are some technical details:

MD5 hash: 6e2692c124a69566838cde01b7669532

In Figure 1, we can see the Geo IP check performed.


Figure 1

It connects to either of the following sites to fetch information in JSON format about the geographical location of the user:

http://freegeoip.net/json/
http://www.geoplugin.net/json.gp
https://ipinfo.io/json

Once it obtains this information, it checks whether the country code matches any of the following:

"GB", "UK", "AU", "LU", "BE", "IE"

The above country codes and their corresponding countries are:

GB - United Kingdom
UK - United Kingdom
AU - Australia
LU - Luxembourg
BE - Belgium
IE - Ireland

If the country code matches any of the above, then it will download Trickbot instead of Locky.

There is a different set of download URLs for Locky and Trickbot, as shown in this excerpt from the downloader:

If Ubound(Filter(need, choice)) > -1 Then
    ZimZamZum = Array("highlandfamily.org/jhbfvg7?","fetchstats.net/p66/jhbfvg7","bnphealthcare.com/jhbfvg7?")
Else
    ZimZamZum = Array("team-bobcat.org/8y6ghhfg?","fetchstats.net/p66/8y6ghhfg","highpressurewelding.co.uk/8y6ghhfg?")
End If

The URLs with the pattern: "jhbfvg7" correspond to Trickbot Download:

highlandfamily.org/jhbfvg7?
fetchstats.net/p66/jhbfvg7
bnphealthcare.com/jhbfvg7?

The URLs with the pattern: "8y6ghhfg" correspond to Locky Download:

team-bobcat.org/8y6ghhfg?
fetchstats.net/p66/8y6ghhfg
highpressurewelding.co.uk/8y6ghhfg?
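The following is an added triage helper, not code from the original post or from the downloader itself. It reproduces the branching described above offline: it extracts the country code from a geolocation JSON response (constructed samples in the shape of the three services' output; the key names are assumptions), applies the country list, and labels each download URL by the path token the post associates with each family. Unlike the VBScript Filter() call, it uses exact country-code matching.

```python
import json

# Country codes quoted in the post: a match selects the Trickbot URL set.
TRICKBOT_COUNTRIES = {"GB", "UK", "AU", "LU", "BE", "IE"}

# Download URL sets copied from the VBScript excerpt in the post.
TRICKBOT_URLS = ["highlandfamily.org/jhbfvg7?", "fetchstats.net/p66/jhbfvg7",
                 "bnphealthcare.com/jhbfvg7?"]
LOCKY_URLS = ["team-bobcat.org/8y6ghhfg?", "fetchstats.net/p66/8y6ghhfg",
              "highpressurewelding.co.uk/8y6ghhfg?"]

# Constructed sample responses (IPs are documentation ranges, not real lookups).
SAMPLE_RESPONSES = {
    "freegeoip": '{"ip":"203.0.113.5","country_code":"AU","country_name":"Australia"}',
    "geoplugin": '{"geoplugin_request":"198.51.100.7","geoplugin_countryCode":"DE"}',
    "ipinfo":    '{"ip":"192.0.2.9","country":"GB","region":"England"}',
}

# Assumed JSON keys carrying the country code for each of the three services.
COUNTRY_KEYS = ("country_code", "geoplugin_countryCode", "country")


def extract_country(raw_json):
    """Return the upper-cased country code from any of the service formats, or None."""
    data = json.loads(raw_json)
    for key in COUNTRY_KEYS:
        if key in data and data[key]:
            return str(data[key]).upper()
    return None


def select_payload(country_code):
    """Mirror the If/Else branch: a country-list hit yields Trickbot, anything else Locky."""
    if country_code in TRICKBOT_COUNTRIES:
        return "Trickbot", TRICKBOT_URLS
    return "Locky", LOCKY_URLS


def classify_url(url):
    """Label a download URL by the path token the post ties to each family."""
    if "jhbfvg7" in url:
        return "Trickbot"
    if "8y6ghhfg" in url:
        return "Locky"
    return "unknown"


def triage(raw_json):
    """Full path: geo JSON -> country code -> family and per-URL labels."""
    family, urls = select_payload(extract_country(raw_json))
    return family, [classify_url(u) for u in urls]
```

Feeding a captured geolocation response into triage() tells an analyst which payload the downloader would have fetched from that network, which is useful when the same sample behaves differently across sandboxes in different regions.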

The downloader in this case fetches the following samples based on the geographical region:

MD5 hash: dda37961870ce079defbf185eeeef905 (Locky, which encrypts files with the ".asasin" extension)
MD5 hash: dbc0aa7e70df7e27ae9169ae0962e2cf (Trickbot)
