Fake Invoice Malspam Campaign Delivering Locky Ransomware

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a new wave of a malspam campaign that tries to convince the recipient to open and pay an attached “invoice”. The attachment is actually a .docm file, a macro-enabled Microsoft Word document, distributed in the same style as the Dridex campaigns. When the document is opened and macros are enabled, the macro downloads and executes the Locky ransomware.

Locky has been covered fairly extensively by our friends at HP (http://community.hpe.com/t5/Security-Research/Feeling-Locky/ba-p/6833983) and Palo Alto Networks (http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/), so in this short blog, we’ll focus solely on our observations.

Below is a screenshot of an example message from this campaign, followed by the SMTP headers that can be used for identification and blocking on your mail gateways. Note that the envelope sender claims gmail.com, yet the message was handed to the receiving server directly from a residential DSL host in Greece rather than from Google's mail servers, so an SPF check on the envelope sender domain would not pass:

Return-Path: <lcottle097@gmail.com>
Received: from static062038244055.dsl.hol.gr
(static062038244055.dsl.hol.gr. [62.38.244.55])
From: Laurence Cottle <lcottle097@gmail.com>
Content-Type: multipart/mixed;
Subject: Payment
Date: Thu, 18 Feb 2016 14:51:02 +0300
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
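To turn the header traits above into a gateway check, here is an added example written for this page (not LookingGlass's own tooling). It parses a constructed message modelled on the headers shown, pulls the envelope sender and the first external relay, and flags the known-bad sender and relay IP, a macro-enabled attachment, and a webmail sender domain whose message did not arrive from that provider's own hosts. The message body, MIME boundary and base64 payload are invented stand-ins, and the expected-relay table is an assumption that stands in for a real SPF lookup, which this offline example does not perform.

```python
"""Triage an inbound message against the header traits and IOCs above."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Indicators taken from the post.
BAD_SENDERS = {"lcottle097@gmail.com"}
BAD_RELAY_IPS = {ipaddress.ip_address("62.38.244.55")}

# Assumption (not from the post): mail with a gmail.com envelope sender is
# handed off by Google's own MTAs. The suffix check below is a simplified
# stand-in for an SPF lookup; a production check should query SPF instead.
EXPECTED_RELAY_SUFFIX = {"gmail.com": ".google.com"}

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")

# Topmost Received header: "from <host> (<rdns>. [<ip>]) ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

# Constructed sample modelled on the headers shown above (body invented).
SAMPLE_MESSAGE = """\
Return-Path: <lcottle097@gmail.com>
Received: from static062038244055.dsl.hol.gr
 (static062038244055.dsl.hol.gr. [62.38.244.55])
From: Laurence Cottle <lcottle097@gmail.com>
Subject: Payment
Date: Thu, 18 Feb 2016 14:51:02 +0300
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please find the invoice attached.
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="unnamed document.docm"
Content-Disposition: attachment; filename="unnamed document.docm"
Content-Transfer-Encoding: base64

UEsDBAo=
--XYZ--
"""


def first_external_hop(msg):
    """Return (hostname, ip) from the topmost Received header, or (None, None)."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    m = RECEIVED_RE.search(str(received[0]))
    if not m:
        return None, None
    return m.group("host").rstrip("."), ipaddress.ip_address(m.group("ip"))


def macro_attachments(msg):
    """Filenames of attached parts with a macro-enabled Office extension."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(MACRO_EXTENSIONS):
            names.append(name)
    return names


def triage(raw):
    """Evaluate a raw RFC 5322 message and return the findings and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    domain = envelope_from.rpartition("@")[2]
    host, ip = first_external_hop(msg)
    findings = []
    if envelope_from in BAD_SENDERS:
        findings.append("known-bad sender address")
    if ip in BAD_RELAY_IPS:
        findings.append("known-bad relay ip")
    suffix = EXPECTED_RELAY_SUFFIX.get(domain)
    if suffix and (host is None or not host.lower().endswith(suffix)):
        findings.append("relay does not belong to sender domain (SPF would not pass)")
    attachments = macro_attachments(msg)
    if attachments:
        findings.append("macro-enabled attachment: " + ", ".join(attachments))
    return {
        "envelope_from": envelope_from,
        "relay_host": host,
        "relay_ip": str(ip) if ip else None,
        "attachments": attachments,
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The relay check is the durable part of this rule: the sender address and subject will change between waves, but a message claiming a webmail envelope sender that arrives straight from a DSL line cannot be legitimate, and a macro-enabled Office attachment from an unknown sender is worth quarantining regardless of the other indicators.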

Upon opening the attached document “unnamed document.docm”, the macro performs a GET request to the following location:

hxxp://merichome[.]com/system/logs/7647gd7b43f43.exe (94.73.150[.]180)

The returned executable is Locky (MD5: 9F622033CFE7234645C3C2D922ED5279), which then sends a POST to the C&C server at:

hxxp://46.4.239[.]76/main.php

Once the victim's files are encrypted, a ransom note is displayed. Visiting the decryption URLs it lists leads to a page asking for 0.5 BTC as the ransom payment.

The LookingGlass CTIG has sinkholed one of the Locky DGA domains via our VirusTracker (http://www.virustracker.net/) and observed 9,745 unique infected IP addresses on February 17th (unique source IPs, so hosts behind NAT are undercounted and hosts on dynamic addresses may be counted more than once), with the following distribution by country:

%        Count   Country
26.69    2600    Other
14.41    1404    United States
 5.81     566    Germany
 4.77     465    Japan
 3.77     367    France
 3.31     322    India
 2.89     282    United Kingdom
 2.80     273    China
 2.70     263    Netherlands
 2.69     262    Italy
 2.46     240    Spain
 2.43     237    Mexico
 2.14     208    South Africa
 2.02     197    Canada
 1.73     169    Israel
 1.62     158    Belgium
 1.60     156    Thailand
 1.57     153    Vietnam
 1.42     138    Austria
 1.34     131    Colombia
 1.34     131    Indonesia
 1.31     128    Switzerland
 1.28     125    Korea, Republic of
 1.21     118    Hungary
 1.20     117    Brazil
 1.14     111    Czech Republic
 1.12     109    United Arab Emirates
 1.11     108    Turkey
 1.09     106    Chile
 1.01      98    Poland

The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat. The payload URL, its hosting IP and the C&C address are the most durable of these; the gmail.com sender address is almost certainly spoofed (the message was handed off directly from a Greek DSL host, not from Google's mail servers) and is trivial for the operators to change, so do not rely on the From address alone. LookingGlass ScoutVision has observed 46.4.239[.]76 as a Locky C&C since February 16th, 2016.

Summary of IOCs:

Sender address:
lcottle097@gmail.com

IP Addresses:
62.38.244[.]55
94.73.150[.]180
46.4.239[.]76

URIs:
hxxp://merichome[.]com/system/logs/7647gd7b43f43.exe
hxxp://46.4.239[.]76/main.php

Malware MD5s:
9F622033CFE7234645C3C2D922ED5279

Filenames:
unnamed document.docm
eiasus.exe
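The IOCs above are published defanged (hxxp, [.]), which is the right thing to do in a report but means they cannot be fed to a blocklist or log search as-is. The following added example, written for this page and not part of LookingGlass's tooling, refangs the post's URL and IP indicators and runs them over a handful of constructed proxy log lines in a simplified "timestamp client method url status" format, reporting whether each hit matched the exact URL, the hostname, or a bare IP; it also shows a case-insensitive comparison of a file's MD5 against the published hash. The log lines and the client addresses in them are invented.

```python
"""Refang the defanged IOCs above and match them against proxy log lines."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published in the post, still defanged.
IOCS = {
    "urls": [
        "hxxp://merichome[.]com/system/logs/7647gd7b43f43.exe",
        "hxxp://46.4.239[.]76/main.php",
    ],
    "ips": ["62.38.244[.]55", "94.73.150[.]180", "46.4.239[.]76"],
    "md5": ["9F622033CFE7234645C3C2D922ED5279"],
}

# Constructed proxy log lines (not real traffic): timestamp client method url status.
SAMPLE_PROXY_LOG = [
    "2016-02-18T12:02:11Z 10.0.0.14 GET http://merichome.com/system/logs/7647gd7b43f43.exe 200",
    "2016-02-18T12:02:19Z 10.0.0.14 POST http://46.4.239.76/main.php 200",
    "2016-02-18T12:03:40Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2016-02-18T12:04:02Z 10.0.0.31 GET http://merichome.com/ 200",
]


def refang(indicator):
    """Undo the common defanging conventions: hxxp -> http, [.] / (.) -> '.'"""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.I)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")


def build_lookups(iocs):
    """Return (exact urls, hostnames from those urls, bare ips), all refanged."""
    urls = {refang(u) for u in iocs["urls"]}
    hosts = {urlsplit(u).hostname for u in urls}
    ips = {refang(i) for i in iocs["ips"]}
    return urls, hosts, ips


def match_proxy_log(lines, iocs=IOCS):
    """Scan log lines and return one record per line that touches an IOC."""
    urls, hosts, ips = build_lookups(iocs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real parser would log this
        timestamp, client, method, url = fields[:4]
        host = urlsplit(url).hostname or ""
        matched = []
        if url in urls:
            matched.append("url")
        if host in hosts:
            matched.append("host")
        if host in ips:
            matched.append("ip")
        if matched:
            hits.append({"time": timestamp, "client": client, "method": method,
                         "url": url, "matched": matched})
    return hits


def is_known_sample(data, iocs=IOCS):
    """True if the MD5 of the bytes matches a published hash (case-insensitive)."""
    digest = hashlib.md5(data).hexdigest().upper()
    return digest in {h.upper() for h in iocs["md5"]}


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print("sample hash match:", is_known_sample(b"not the real binary"))
```

Matching on the hostname as well as the exact URL is deliberate: the payload filename under /system/logs/ can be rotated between waves while the compromised host stays the same, and the C&C is addressed by bare IP, so the same host also shows up in the IP list. Whether a hostname match alone justifies blocking the whole site is a judgment call for each environment.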