This is just a very quick post to go over a recent ransomware incident. It appears that the first link in the infection chain is down now so, unfortunately, I was unable to obtain a Fiddler capture.
An email was received with a familiar social engineering attempt:
Hovering over the link shows that it will take you to:
bjp.co.id/voice.html
When you click the link to “listen to the Voice Message”, an iframe on the voice.html page redirects you to:
spartoldreputhec.info/msg.php
This page automatically pops up the following prompt for you to download the “voice message”:
A quick look at the downloaded JavaScript file shows that it’s fairly obfuscated but something noticeable jumps out right away:
It is easy to see the repeating “temperaturepw” throughout one section of the script. You can also see that running the script will just replace all instances of “temperaturepw” with an empty string. You can do this manually and you’ll see something that is even more interesting:
There are now four URIs that show up in the script. I suppose that we could continue to try to deobfuscate the script further but, to be honest, I’m just interested in the URIs that we’ve found. Here they are more clearly:
All of the links worked at the time of this writing except for the 2nd one.
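The token-stripping step described above can be done statically, without ever running the dropper. The following is an added example, not code from the original post: the sample script, its hostnames and the function names are constructed for illustration, and the automatic guess of the padding token goes beyond the manual find-and-replace the post describes.

```python
import re
from collections import Counter

# Constructed sample (not the script from this incident): string literals
# padded with a junk token, mimicking the pattern described in the post.
SAMPLE_JS = '''
var a = "htemperaturepwttp://payload-temperaturepwhost.example/87temperaturepwyhb.exe";
var b = "http:/temperaturepw/mirror-hotemperaturepwst.example/87ytemperaturepwhb.exe";
var c = "MSXMtemperaturepwL2.XMLtemperaturepwHTTP";
'''

URL_RE = re.compile(r'https?://[^\s"\'<>\\)]+', re.IGNORECASE)


def find_junk_token(text, min_len=6, max_len=24, min_hits=4):
    """Guess the padding token: the repeated alphanumeric substring that
    accounts for the most characters (occurrences * length)."""
    best, best_score = None, 0
    for n in range(min_len, max_len + 1):
        grams = Counter(
            g for g in (text[i:i + n] for i in range(len(text) - n + 1))
            if g.isalnum()
        )
        for gram, hits in grams.most_common(1):
            if hits >= min_hits and hits * n > best_score:
                best, best_score = gram, hits * n
    return best


def defang(url):
    """Make a URL non-clickable for notes and tickets."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(script, token=None):
    """Strip the token from the script text (the script is never executed)
    and return the token used plus the defanged URLs that appear."""
    token = token or find_junk_token(script)
    cleaned = script.replace(token, "") if token else script
    return token, [defang(u) for u in sorted(set(URL_RE.findall(cleaned)))]


if __name__ == "__main__":
    token, urls = extract_urls(SAMPLE_JS)
    print("junk token:", token)
    print("\n".join(urls))
```

Pass `token=` explicitly when the padding string is already known from reading the script; the frequency guess is only a fallback for triage.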
The executable files are not particularly fresh. VirusTotal had a detection rate of 21/64 – not great but certainly a good indicator that something isn’t right. In the interest of time, I decided to go straight to running one of the files in my lab. As expected, it was ransomware.
The very helpful ID Ransomware website (https://id-ransomware.malwarehunterteam.com) identified it as Locky.
Perhaps most troubling was the fact that Security Onion didn’t pick up anything unusual (other than the download of the PE files).
As mentioned at the outset, this was just a short exercise. Without any significant deobfuscation headaches, we were able to quickly retrieve the malicious payload and identify the malware.
Article Link: http://executemalware.com/?p=403