Malspam Campaign Delivering Locky Being Disrupted by Vigilantes

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a follow up malspam campaign to yesterday’s widespread campaign delivering the Locky Ransomware. The attachment in this campaign is another malicious zip file containing malicious obfuscated JavaScript. Upon running the JavaScript, the Locky ransomware is downloaded and executed. However, in some instances, the payloads have been replaced with content placed seemingly by a vigilante aimed at stopping the infections.

This campaign is nearly identical to yesterday’s Locky campaign, so today we’ll get right to the differences and the IOCs.

Below is a screenshot of what an example of this malspam campaign looks like, in which the from address and the to address are identical:

Below are the details in the SMTP headers that can be used for identification and blocking on your SMTP gateways: 

Received: from [197.7.89.146] ([197.7.89.146])
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"
Mime-Version: 1.0
Subject: Image188947315129.pdf
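As an added example that is not part of the CTIG report, the following Python triage check parses a raw message and flags the header traits described above: a From address equal to the To address, the Android mail boundary, the Image<digits>.pdf subject, an Image<digits>.zip attachment, and the sending IP seen in the Received header. The sample message is constructed to mirror the quoted headers, and the quarantine threshold of three traits is an assumption.

```python
import re
from email import policy
from email.parser import BytesParser

# Traits taken from the headers quoted in the report; the sender IP is the one it lists.
BOUNDARY_RE = re.compile(r"^--_com\.android\.email_\d+$")
SUBJECT_RE = re.compile(r"^Image\d+\.pdf$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^Image\d+\.zip$", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
KNOWN_SENDER_IPS = {"197.7.89.146"}
QUARANTINE_THRESHOLD = 3  # assumption: three or more traits is enough to hold the mail

# Constructed sample modelled on the quoted headers; the attachment is a harmless 10-byte zip header.
SAMPLE_MSG = b"""Received: from [197.7.89.146] ([197.7.89.146])
From: victim@example.com
To: victim@example.com
Subject: Image188947315129.pdf
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="--_com.android.email_7844755908151083"

----_com.android.email_7844755908151083
Content-Type: application/zip; name="Image188947315129.zip"
Content-Disposition: attachment; filename="Image188947315129.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
----_com.android.email_7844755908151083--
"""

def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report which campaign traits it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = (msg.get("From") or "").strip().lower()
    recipient = (msg.get("To") or "").strip().lower()
    received_ips = {m.group(1) for hdr in msg.get_all("Received", [])
                    for m in RECEIVED_IP_RE.finditer(hdr)}
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    traits = {
        "from_equals_to": bool(sender) and sender == recipient,
        "android_boundary": bool(BOUNDARY_RE.match(msg.get_boundary() or "")),
        "pdf_subject": bool(SUBJECT_RE.match((msg.get("Subject") or "").strip())),
        "image_zip_attachment": any(ZIP_NAME_RE.match(n) for n in names),
        "known_sender_ip": bool(received_ips & KNOWN_SENDER_IPS),
    }
    score = sum(traits.values())
    return {**traits, "score": score, "quarantine": score >= QUARANTINE_THRESHOLD}

if __name__ == "__main__":
    print(check_message(SAMPLE_MSG))
```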

The CTIG observed two different attachments in this campaign, “Image188947315129.zip” and “Image015817007855.zip”, which each contained malicious obfuscated JavaScript – “XEG4423684542.js” (MD5: EABC24136ADBD001B760B0921AE34B3A) and “GMQ8844765523.js” (MD5: 5F166B5F7BA8B28BB3671FB03E59C41C), respectively. If run, the JavaScript would attempt to download Locky from the following locations:

hxxp://dev.fanjs[.]com/762trg22e2.exe (76.163.238[.]1)
hxxp://foodbeverageandmore[.]com/762trg22e2.exe (107.180.3[.]144)

While the second payload URI returned the expected Locky payload (MD5: ACD788E3631943E41412C7A0D657AB67), the first payload URI returned something a little more interesting: 

It appears that a vigilante hacker or security researcher has compromised some of the Locky infrastructure and replaced the executable content returned to victim machines with the plain phrase “STUPID LOCKY”. Since the JavaScript saves the returned content as an executable and runs it, a potential victim is simply presented with an NTVDM error instead of having their machine communicate with the C&C servers, so their files are never encrypted:

This activity is reminiscent of the work by a vigilante to disrupt CryptoWall and TeslaCrypt campaigns by replacing the ransomware executables with a legitimate and signed Avira installer.

The properly returned executable from the second URI sends a POST to one of the following hardcoded C&C servers until one responds:

hxxp://217.12.218[.]158/main.php
hxxp://46.8.44[.]39/main.php
hxxp://84.19.170[.]244/main.php
hxxp://92.63.87[.]106/main.php

If none of the hardcoded C&C servers provide a valid response back to the infected machine, Locky will fall back to its DGA and will attempt to make the same POST request to each DGA domain until it receives a response. The CTIG observed the following DGA domains today on March 23, 2016:


The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat.
