I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple of days old. The subject line of the email starts with “IMG_” and ends with four digits. As you can see from the image below, the email body is empty. This is very similar to other ransomware distribution campaigns delivering GlobeImposter ransomware.
The attached .ZIP file contained a malicious VBS script used as a downloader. Click HERE to view a Pastebin of the script.
Once the script is executed, the host attempts to download the Locky payload from the remote locations hard-coded in the script.
A full list of download locations was posted on VirusTotal by the user coldshell.
The User-Agent used for the GET request is hard-coded in the script:
The GET request:
As Lawrence Abrams from BleepingComputer explains, “Once the file is downloaded and executed, it will scan the computer for files and encrypt them. When this Locky variant encrypts a file it will modify the file name and then append the .lukitus. When renaming the file, it uses the format [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus.”
The executable that was dropped into %Temp% is deleted after Locky has finished encrypting the user’s files.
Then, the user will see ransom notes called lukitus.htm and lukitus.bmp on their Desktop.
Post-infection traffic shows the infected host making POST requests to IP-literal hostnames. The POST requests went to 146.120.110.46 with the URI /imageload.cgi.
The Reverse.it report also shows further POST requests to 46.183.165.45/imageload.cgi. The ET rule triggered by this traffic is “ET TROJAN Locky CnC checkin”.
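The two host-side and network-side indicators described above (the .lukitus rename format plus the Desktop ransom notes, and the POST check-in to an IP-literal host at /imageload.cgi) can be turned into simple triage checks. The script below is an added example written for this post, not code from the original analysis; the directory listing and the “METHOD URL” proxy log lines are constructed sample input, with the IPs taken from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Rename format Locky applies to encrypted files, per the post:
# [8 hex]-[4 hex]-[4 hex]-[4 hex]-[12 hex].lukitus
LUKITUS_NAME = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.lukitus$", re.I)
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}  # notes dropped on the Desktop
C2_URI = "/imageload.cgi"                       # URI of the post-infection POST check-in

def is_lukitus_name(name):
    return LUKITUS_NAME.match(name) is not None

def lukitus_indicators(listing):
    """Count renamed files and collect ransom notes found in a directory listing."""
    encrypted = sum(1 for n in listing if is_lukitus_name(n))
    notes = sorted(n for n in listing if n.lower() in RANSOM_NOTES)
    return encrypted, notes

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flag_c2_posts(log_lines):
    """Flag 'METHOD URL' proxy log lines matching the check-in pattern:
    a POST to an IP-literal host with the /imageload.cgi URI."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        method, u = parts[0], urlsplit(parts[1])
        if method == "POST" and u.hostname and is_ip_literal(u.hostname) and u.path == C2_URI:
            hits.append(u.hostname)
    return hits

# Constructed sample input (not from the original capture); the IPs are the ones named in the post.
SAMPLE_LISTING = ["budget.xlsx", "0123ABCD-0123-4567-89AB-0123456789AB.lukitus", "lukitus.htm", "lukitus.bmp"]
SAMPLE_LOG = [
    "GET http://example.invalid/78wygGHDwf",       # the downloader's GET, not a check-in
    "POST http://146.120.110.46/imageload.cgi",
    "POST http://46.183.165.45/imageload.cgi",
    "POST http://example.invalid/imageload.cgi",   # hostname rather than IP literal: not flagged
]

if __name__ == "__main__":
    print(lukitus_indicators(SAMPLE_LISTING), flag_c2_posts(SAMPLE_LOG))
```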
Hashes:
SHA256: be2c02d91b3878d80d5341efc875d954acb876e157dee64ba1a96ca1ac63a4e7 (file name: 618385655.vbs; Reverse.it report)
SHA256: 4a532b1ae572e708aed8efc2acfb9a056b5140b8e1dbf6c7a9a79be4cef8a141 (file name: uEGvTvQ.exe; Reverse.it report)
Until next time!


Article Link: https://malwarebreakdown.com/2017/08/30/img_-malspam-delivers-locky-ransomware-appending-the-lukitus-extension/