Below is a screenshot of an example email from this malspam campaign:
Below are the details of the emails, which can be used for identification and blocking at your SMTP gateways:
Senders:
DuncanMary6778@forrestfieldfootballclub[.]com
RiceAntony432@kis[.]lt

Subjects:
Your order #08188585
Your order #19789119

Attachments:
invoice_08188585_scan.zip -> invoice_copy_XFVgos.js (MD5: FC6B9BCC4DFFECCB632EC9CBA82D755B)
invoice_19789119_scan.zip -> invoice_copy_lIdT8p.js (MD5: 594A6D5ECBF499573E16766179CE68CD)

Payload URIs:
hxxp://miracleworld1[.]com/80.exe?1
IP Resolution: 83.69.233[.]102
Payload MD5: 3414AFA0CC6E5676287BC9751702151C

hxxp://firstwetakemanhat[.]com/91.exe?1
IP Resolutions: 84.200.69[.]60, 193.150.0[.]78
Payload MD5: AAD51084114E03B39CFF54DE292D6D93
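As an added example (not LookingGlass/CTIG code), the following Python shows the kind of attachment check a mail gateway can run against the delivery pattern above: an invoice_*_scan.zip wrapping a single invoice_copy_*.js. The archive it builds is constructed and harmless, so its hash will not match the listed droppers; the name patterns are generalized from the two observed samples, and the script-extension list and the per-member size cap are this example's own assumptions.

```python
"""Gateway-side inspection of a ZIP attachment for script droppers.

Added example, not LookingGlass/CTIG code. The archive built by
build_sample_attachment() is constructed: a harmless one-line .js stands in
for the real invoice_copy_*.js downloader, so its hash will not match.
"""
import hashlib
import io
import re
import zipfile

# MD5s of the two JavaScript droppers named in the advisory.
KNOWN_DROPPER_MD5S = {
    "fc6b9bcc4dffeccb632ec9cba82d755b",
    "594a6d5ecbf499573e16766179ce68cd",
}
# Extensions Windows executes directly when opened from an archive (assumed list).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr")
# Name patterns generalized from the two observed samples:
# invoice_<8 digits>_scan.zip wrapping invoice_copy_<6 alnum>.js
ATTACHMENT_NAME_RE = re.compile(r"^invoice_\d{8}_scan\.zip$", re.IGNORECASE)
MEMBER_NAME_RE = re.compile(r"^invoice_copy_[A-Za-z0-9]{6}\.js$")
# Cap on decompressed bytes read per member, so a crafted archive cannot
# exhaust memory while we hash it (assumed value).
MAX_HASH_BYTES = 10 * 1024 * 1024


def inspect_zip_attachment(name, data):
    """Return a list of reasons to quarantine; an empty list means no finding."""
    findings = []
    if ATTACHMENT_NAME_RE.match(name):
        findings.append(f"attachment name matches campaign pattern: {name}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
        return findings
    with archive:
        for info in archive.infolist():
            member = info.filename
            if info.is_dir():
                continue
            if member.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(f"archive contains executable script: {member}")
            if MEMBER_NAME_RE.match(member):
                findings.append(f"member name matches campaign pattern: {member}")
            # Read one byte past the cap: the size declared in the header can lie.
            with archive.open(info) as fh:
                content = fh.read(MAX_HASH_BYTES + 1)
            if len(content) > MAX_HASH_BYTES:
                findings.append(f"member too large to hash safely: {member}")
                continue
            digest = hashlib.md5(content).hexdigest()
            if digest in KNOWN_DROPPER_MD5S:
                findings.append(f"member hash matches known dropper: {digest}")
    return findings


def build_sample_attachment(member="invoice_copy_XFVgos.js",
                            content="WScript.Echo('placeholder');\n"):
    """Build a constructed lookalike archive in memory (harmless contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for reason in inspect_zip_attachment("invoice_08188585_scan.zip", sample):
        print("QUARANTINE:", reason)
```

The hash check only catches the two known droppers; the name-pattern and script-in-archive checks are what catch the next re-packed variant, which is why all three are reported separately.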
Communication was observed to the following compromised WordPress sites, which are being used as C&Cs (note the theme-check plugin path shared by all four):
hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php? (192.185.52[.]150)
hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php? (50.87.149[.]43)
hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php? (50.87.150[.]117)
hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php? (192.185.52[.]150)
Ultimately, the malware encrypts the files on the machine and presents the victim with the following ransom message:
Opening one of the links in a normal web browser or opening the onion address in Tor leads the victim to the following page:
These screens are borrowed almost wholesale from CryptoWall, presumably to piggyback on its notoriety. As can be seen in the screenshot below, the ransomware even calls itself CryptoWall:
The attackers have continued to use a $500 ransom. The two Bitcoin addresses that were observed by the CTIG are 1PVKcRKS4oLGvHU133cZoukkRxBGnz6Qef and 1Er3Xmk18RFk13fe9HdXHdrwY39QzqTaQu.
Interestingly, two of the C&Cs used in this campaign are currently returning a legitimate, signed Avira AV Launcher (MD5: CDA21B84D5711462D5B1B40491422CFD) instead of the expected response:
This is the same behavior we recently observed during a CryptoWall 3.0 campaign in early November: https://lgscout.com/fake-abuse-policy-cryptowall-3-0-campaign-domain-suspension-notice/
We have concluded that this activity is indicative of anonymous security researchers or a rival actor group trying to stop the spread of the ransomware.
The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect against this threat. LookingGlass ScoutVision observed 192.232.251[.]79 (another resolution of athomegirl[.]com) acting as a C&C as early as December 12, 2015.
Summary of IOCs:

Sender addresses:
DuncanMary6778@forrestfieldfootballclub[.]com
RiceAntony432@kis[.]lt

IP addresses:
83.69.233[.]102
84.200.69[.]60
193.150.0[.]78
192.232.251[.]79
50.87.149[.]43
50.87.150[.]117
192.185.52[.]150

URIs:
hxxp://miracleworld1[.]com/80.exe?1
hxxp://firstwetakemanhat[.]com/91.exe?1
hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php?
hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php?
hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php?
hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php?

Malware MD5s:
FC6B9BCC4DFFECCB632EC9CBA82D755B
594A6D5ECBF499573E16766179CE68CD
3414AFA0CC6E5676287BC9751702151C
AAD51084114E03B39CFF54DE292D6D93

Filenames:
invoice_08188585_scan.zip
invoice_19789119_scan.zip
invoice_copy_XFVgos.js
invoice_copy_lIdT8p.js
80.exe
91.exe
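As an added example (not LookingGlass/CTIG code), the following Python turns the IOC summary above, and the C&C list earlier in the post, into a scan over mail, proxy, DNS and endpoint log lines. The IOCs are the advisory's own, kept defanged so the list can be pasted as published; the log lines are constructed for illustration. Flagging the shared theme-check plugin path on hosts the advisory does not list (reported as "cnc_path") is this example's own generalization, since all four listed C&Cs use the same compromised-plugin path.

```python
"""Match the advisory's IOCs against proxy, DNS, mail and endpoint log lines.

Added example, not LookingGlass/CTIG code. The IOC list is the advisory's own,
kept defanged as published and refanged on load; SAMPLE_LOGS is constructed.
Flagging the shared C&C path on hosts the advisory does not list ("cnc_path")
is this example's own generalization, not a claim the advisory makes.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = """
sender DuncanMary6778@forrestfieldfootballclub[.]com RiceAntony432@kis[.]lt
ip 83.69.233[.]102 84.200.69[.]60 193.150.0[.]78 192.232.251[.]79 50.87.149[.]43 50.87.150[.]117 192.185.52[.]150
url hxxp://miracleworld1[.]com/80.exe?1 hxxp://firstwetakemanhat[.]com/91.exe?1
url hxxp://athomegirl[.]com/wp-content/plugins/theme-check/misc.php?
url hxxp://austartupchallenge[.]org/wp-content/plugins/theme-check/misc.php?
url hxxp://awarenessandchoice[.]com/wp-content/plugins/theme-check/misc.php?
url hxxp://awaken-now[.]com/wp-content/plugins/theme-check/misc.php?
md5 FC6B9BCC4DFFECCB632EC9CBA82D755B 594A6D5ECBF499573E16766179CE68CD 3414AFA0CC6E5676287BC9751702151C AAD51084114E03B39CFF54DE292D6D93
"""

# Path shared by all four compromised WordPress C&Cs in the advisory.
CNC_PATH_RE = re.compile(r"/wp-content/plugins/theme-check/misc\.php", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(value):
    return value.replace("hxxp", "http").replace("[.]", ".")


def url_key(url):
    # (host, path) without scheme or query, so "80.exe?1" and "misc.php?" compare cleanly
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def load_iocs(text):
    iocs = {"sender": set(), "ip": set(), "url": set(), "domain": set(), "md5": set()}
    for line in text.strip().splitlines():
        kind, *values = line.split()
        for value in map(refang, values):
            if kind == "url":
                host, path = url_key(value)
                iocs["url"].add((host, path))
                iocs["domain"].add(host)
            else:
                iocs[kind].add(value.lower() if kind in ("sender", "md5") else value)
    return iocs


def scan_line(line, iocs):
    """Return sorted (indicator_type, value) pairs found in one log line."""
    hits = set()
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.add(("ip", ip))
    for url in URL_RE.findall(line):
        host, path = url_key(url)
        if (host, path) in iocs["url"]:
            hits.add(("url", url))
        elif host in iocs["domain"]:
            hits.add(("domain", host))
        elif CNC_PATH_RE.search(path):
            hits.add(("cnc_path", url))  # same compromised-plugin path, unlisted host
    for dom in DOMAIN_RE.findall(line):  # bare hostnames, e.g. in DNS query logs
        if dom.lower() in iocs["domain"]:
            hits.add(("domain", dom.lower()))
    for digest in MD5_RE.findall(line):
        if digest.lower() in iocs["md5"]:
            hits.add(("md5", digest.lower()))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in iocs["sender"]:
            hits.add(("sender", addr))
    return sorted(hits)


def scan_logs(lines, iocs):
    """Return [(line_index, hits)] for every line that has at least one hit."""
    return [(i, h) for i, line in enumerate(lines) if (h := scan_line(line, iocs))]


SAMPLE_LOGS = [  # constructed: mail, proxy, DNS and endpoint AV lines
    "Dec 15 09:12:01 mx1 postfix/smtpd[2210]: from=<DuncanMary6778@forrestfieldfootballclub.com>, size=41233",
    "1450170123.512 310 10.1.4.23 TCP_MISS/200 188416 GET http://miracleworld1.com/80.exe?1 - DIRECT/83.69.233.102 application/octet-stream",
    "1450170140.004 95 10.1.4.23 TCP_MISS/200 512 POST http://awaken-now.com/wp-content/plugins/theme-check/misc.php? - DIRECT/192.185.52.150 text/html",
    "1450170141.117 90 10.1.4.23 TCP_MISS/200 512 POST http://blog.example.net/wp-content/plugins/theme-check/misc.php? - DIRECT/198.51.100.7 text/html",
    "15-Dec-2015 09:14:03.220 client 10.1.4.23#51432: query: austartupchallenge.org IN A + (10.1.0.5)",
    "2015-12-15T09:13:20Z host=WS-0423 file=C:\\Users\\j\\AppData\\Local\\Temp\\80.exe md5=3414AFA0CC6E5676287BC9751702151C",
    "1450170200.000 40 10.1.4.23 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
]

if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"line {index}: {hits}")
```

URLs are compared on (host, path) so a proxy that logs the query string differently from the advisory's "80.exe?1" and "misc.php?" still matches, and the bare-hostname pass is what catches a DNS query for a C&C domain when no URL appears in the line.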