Wednesday, 4 October 2017

Locky Ransomware Campaign Continues in October 2017

Spam campaigns spreading the new Locky ransomware variant, which appends the extension ".ykcol" to encrypted files, continue steadily into the first week of October 2017.

Today's wave of emails spreads JavaScript-based Locky downloaders inside 7z archive attachments. The email subjects take one of the following two formats:

Emailing - PDFxxx
Emailing - DOCxxx

where xxx is a 3-digit number.

The email body is simple: it just asks the user to check the attachment, as shown in Figure 1.


Figure 1
As an example, let's look at one sample from this wave.

MD5 hash of the 7z archive: 0da6a56f73e1e0211802a73c3ed1249a
MD5 hash of the JavaScript file: 347cd2e1885c6be2a0faeb3d11efa437

In Figure 2, we can see the obfuscated JavaScript that downloads the Locky ransomware payload, which is transferred unencrypted over the network (plain HTTP).


Figure 2
In Figure 3, we can see the HTTP GET request corresponding to the download of the Locky ransomware payload.


Figure 3
After all the files are encrypted, the ransom note (refer to Figure 4) is displayed to the user with instructions for recovering the file contents.


Figure 4
As usual, users are directed to a Tor site, as shown in Figure 5.


Figure 5

This variant still uses the same Tor site as earlier waves: g46mbrrzpfszonuk.onion

Once you enter the identifier that Locky generated for your machine on the site above, it shows the details for the Bitcoin payment, as in Figure 6.


Figure 6

Bitcoin Address: 1MkzcKCiqiz7v57GnLhnLRLodqdjX5hKic

If we look the address up on blockchain.info, we can see that at present no payments have been sent to it.

https://blockchain.info/address/1MkzcKCiqiz7v57GnLhnLRLodqdjX5hKic

Below is a list of MD5 hashes of the 7z archives sent in this campaign:

fb3e270d9fa7677448e08ed50cb56bca
6ce87746c097962890690e057a189bf0
2a4a26276ded5d3f5923da5e6cfb353b
9de91a3650eb0024658d693bf7a2bc10
08a551258dfdb758b760df267aedd79c
9c59dc8e294e71214af43df04320380c
ddea45670eeff9e0cb6aad8efe8e0004
b081307767f70cce329e0d3e4b183dd9
95499c3e0b072968ef62a0349ac4d808
bae06a1eb7a213c9d7443c893a63911c
1f19233c687016e7249e8ff17f4a15a9
a1cec683efc25cd8f937b2677ee895a9
ecd6661fcba5c67be4e6dcac3158e610
36e485a5acd1c19e1cd0cbcd9df58f91
45ddec7afe7e6553851afc7615a4a5de
c6df244dfeb4e1f7706fddfc07d381ca
23a069ef86921bc51b06f7974603cdbe
2f575a84d99be7eec8255fa485ecd2cb
7265db4cbc1865f050622929e04dd08a
a81a4f98bc621387fe1bfd731dabd4ed
281afd431fb404f823d8c255106dcb46
6803873073927887b76df02a9eef8ccd
8c3fe4064c161ea34f1ee4399601cc50
608fe929c980ce44b708bc81b821b56f
1b7ba1c5e7915a83a24ea75c1c29ee21

Network callbacks from which the first-stage JavaScript downloader fetches the Locky ransomware. Note that every URL uses the same path, a double question mark, and the same token on both sides of the "=":

atez.vn/uyitfu65uy??mazBnu=mazBnu
yoma888.com/uyitfu65uy??SjWmEqnTNj=SjWmEqnTNj
dbatee.gr/uyitfu65uy??KqWSwv=KqWSwv
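As an added example (this is not code from the original post), the following Python script turns the indicators above into detection logic: the "Emailing - PDFxxx / DOCxxx" subject format and the 7z attachment described at the top of the post, the 7z MD5 list, and the callback URL shape from the list just above, in which each URL ends in a double question mark followed by the same token on both sides of "=". The sample email and the proxy-log lines are constructed for this example; the attachment filename and the log format are assumptions, and only the subject format, the 7z container, two of the listed hashes and the URL shape are taken from the post.

```python
import hashlib
import re
from email import message_from_string
from email.policy import default

# Subject format observed in the campaign: "Emailing - PDFxxx" / "Emailing - DOCxxx", xxx = 3 digits.
SUBJECT_RE = re.compile(r"^Emailing - (?:PDF|DOC)\d{3}$")

# Callback URL shape from the post: path, then "??", then the same token on both sides of "=".
CALLBACK_RE = re.compile(r"\?\?([A-Za-z0-9]+)=\1$")

# 7z archives start with the magic bytes 37 7A BC AF 27 1C.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Two of the 7z MD5 hashes listed in the post.
KNOWN_7Z_MD5 = {
    "0da6a56f73e1e0211802a73c3ed1249a",
    "fb3e270d9fa7677448e08ed50cb56bca",
}

# Constructed sample email (not a real campaign message). The attachment name is an
# assumption; its content is just the 7z magic bytes, base64-encoded.
SAMPLE_EMAIL = """\
From: sender@example.com
To: victim@example.org
Subject: Emailing - PDF412
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please check the attached file.

--XYZ
Content-Type: application/x-7z-compressed; name="PDF412.7z"
Content-Disposition: attachment; filename="PDF412.7z"
Content-Transfer-Encoding: base64

N3q8ryccAAQ=
--XYZ--
"""

# Constructed proxy log lines (assumed format: epoch, client IP, method, URL, status).
PROXY_LOG = """\
1507100000.123 10.0.0.5 GET http://atez.vn/uyitfu65uy??mazBnu=mazBnu 200
1507100012.456 10.0.0.7 GET http://www.example.com/search?q=locky 200
1507100020.789 10.0.0.5 GET http://yoma888.com/uyitfu65uy??SjWmEqnTNj=SjWmEqnTNj 200
1507100033.000 10.0.0.9 GET http://example.org/page??a=b 404
"""


def is_campaign_subject(subject: str) -> bool:
    return SUBJECT_RE.match(subject) is not None


def is_locky_callback(url: str) -> bool:
    """True when the URL ends in ??token=token, the shape of the campaign's callbacks."""
    return CALLBACK_RE.search(url) is not None


def triage_email(raw: str) -> dict:
    """Parse a raw RFC 822 message and report which campaign indicators it carries."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["subject"] or "")
    archives = []      # names of 7z attachments, detected by extension or by magic bytes
    hash_hits = []     # attachments whose MD5 is on the IoC list
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".7z") or data.startswith(SEVENZ_MAGIC):
            archives.append(name)
        if hashlib.md5(data).hexdigest() in KNOWN_7Z_MD5:
            hash_hits.append(name)
    subject_match = is_campaign_subject(subject)
    return {
        "subject_match": subject_match,
        "sevenz_attachments": archives,
        "ioc_hash_hits": hash_hits,
        # Subject pattern plus a 7z attachment is enough to quarantine the message for review.
        "verdict": subject_match and bool(archives),
    }


def scan_proxy_log(lines) -> list:
    """Return every URL in the log that matches the campaign callback pattern."""
    hits = []
    for line in lines:
        for field in line.split():
            if field.startswith(("http://", "https://")) and is_locky_callback(field):
                hits.append(field)
    return hits


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
    print(scan_proxy_log(PROXY_LOG.splitlines()))
```

The attachment check looks at the 7z magic bytes as well as the extension, so a renamed archive is still caught; the callback check requires the token to repeat on both sides of "=", which is what separates these URLs from ordinary query strings such as the "??a=b" line in the sample log.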
