Widespread Malspam Campaign Delivering Locky Ransomware

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a widespread malspam campaign in which each message is crafted to look as if the victim had emailed it to themselves, with a malicious attachment. The attachment is a zip file containing obfuscated malicious JavaScript. When the JavaScript runs, it downloads and executes the Locky ransomware. The sinkhole data described below shows how quickly this campaign is impacting victims.

As covered in our previous blog (http://deaddrop.threatpool.com/fake-invoice-malspam-campaign-delivering-locky-ransomware/), Locky is already well documented, so we will again focus solely on our observations and the IOCs associated with this campaign.

The malicious emails contained only the attachment, with no body. Below is a screenshot of an example message from this campaign, in which the From address and the To address are identical:

[Screenshot: example malspam email with identical From and To addresses]

Below are the details in the SMTP headers that can be used for identification and blocking on your SMTP gateways:

Received: from [103.3.213.170] ([103.3.213.170])
Content-Type: multipart/mixed; boundary=Apple-Mail-196AF981-9BA8-6875-E9C9-C4546A15582B
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Subject: Document 2
X-Mailer: iPhone Mail (13B143)

Upon unzipping the attached “Document 2.zip” file, the malicious obfuscated JavaScript “YRZ5851735916.js” (MD5: D450A17F72724E558A629D5FEEFF3ECC) is unpacked. If run, the JavaScript downloads Locky from the following location:

hxxp://angleeseng[.]com[.]sg/system/logs/98h7b66gb.exe (103.9.103[.]191)
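As an added example (not code from the post or from LookingGlass), the following Python gateway check looks for the traits described above: identical From and To addresses, no body text, a Received hop from the sender IP quoted in the headers, and a zip attachment carrying a .js file. The sample message and its addresses are constructed; the zip holds a harmless stub, not the real script.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_SENDER_IPS = {"103.3.213.170"}  # sender IP from the post's Received header
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw: bytes) -> list:
    """Return the campaign traits found in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From", "")).strip().lower()
    recipient = str(msg.get("To", "")).strip().lower()
    if sender and sender == recipient:
        findings.append("from_equals_to")
    body = msg.get_body(preferencelist=("plain", "html"))  # None if attachments only
    if body is None or not body.get_content().strip():
        findings.append("empty_body")
    for ip in set(IP_IN_BRACKETS.findall(" ".join(msg.get_all("Received", [])))):
        if ip in BLOCKED_SENDER_IPS:
            findings.append("blocked_sender_ip:" + ip)
    for part in msg.iter_attachments():
        if not (part.get_filename() or "").lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(".js"):
                        findings.append("zip_contains_js:" + member)
        except zipfile.BadZipFile:
            findings.append("unreadable_zip")
    return findings

def build_sample() -> bytes:
    """Constructed message shaped like the post's headers; the .js is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YRZ5851735916.js", "// stand-in content, not the real dropper\n")
    msg = EmailMessage()
    msg["Received"] = "from [103.3.213.170] ([103.3.213.170])"
    msg["From"] = "user@example.com"  # assumed address; the post only says From == To
    msg["To"] = "user@example.com"
    msg["Subject"] = "Document 2"
    msg["X-Mailer"] = "iPhone Mail (13B143)"
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Document 2.zip")
    return msg.as_bytes()
```

Messages that hit several of these traits at once are candidates for quarantine at the gateway; a single trait (an iPhone mailer or a zip attachment alone) is common in legitimate mail.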

The returned executable is Locky (MD5: 9F622033CFE7234645C3C2D922ED5279), which then sends a POST to one of the following hardcoded C&C servers until one responds:

hxxp://92.63.87[.]106/main.php
hxxp://84.19.170[.]244/main.php
hxxp://195.64.154[.]126/main.php

If none of the hardcoded C&C servers provide a valid response back to the infected machine, Locky falls back to its DGA and attempts the same POST request to each DGA domain until it receives a response. The CTIG observed twelve such DGA domains today, March 22, 2016.

The LookingGlass CTIG has sinkholed one of the domains via our VirusTracker (http://www.virustracker.net/) and has observed 837 unique infected IP addresses in only one hour with the following distribution of impacted countries:

    %   Count   Country
18.04     151   Other
10.04      84   United States
 8.12      68   Argentina
 7.41      62   Czech Republic
 6.81      57   Poland
 5.14      43   Spain
 4.78      40   Turkey
 4.54      38   Italy
 3.46      29   Netherlands
 3.11      26   Germany
 2.99      25   France
 2.63      22   Israel
 2.63      22   Japan
 2.51      21   Bulgaria
 2.51      21   Croatia
 2.39      20   Canada
 2.39      20   United Kingdom
 2.27      19   Chile
 2.15      18   Mexico
 1.67      14   Brazil
 1.55      13   Romania
 1.55      13   Serbia
 1.31      11   Philippines

The CTIG recommends blocking all of the above-mentioned IOCs in your environment to proactively protect yourself from this threat. LookingGlass ScoutVision has observed 103.9.103[.]191 distributing executables since February 15, 2016, and the three hardcoded C&C IP addresses since this morning, March 22, 2016.

It is also worth noting that the IP address responsible for sending the emails (103.3.213[.]170) was observed by LookingGlass ScoutVision to be part of the spam-sending Kelihos botnet as early as March 12, 2016, which would readily explain the widespread nature of this campaign.

Summary of IOCs:

IP Addresses:

103.3.213[.]170
103.9.103[.]191
92.63.87[.]106
84.19.170[.]244
195.64.154[.]126
5.39.76[.]12

URIs:
hxxp://angleeseng[.]com[.]sg/system/logs/98h7b66gb.exe
hxxp://92.63.87[.]106/main.php
hxxp://84.19.170[.]244/main.php
hxxp://195.64.154[.]126/main.php

Malware MD5s:
D450A17F72724E558A629D5FEEFF3ECC
196893382E49B4D51D1EC82E3FA4A9C0

Filenames:
Document 2.zip
YRZ5851735916.js
98h7b66gb.exe
yROdkAds.exe