About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware.
I haven't found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex started distributing Locky in back in February 2016 , I can't recall any lengthy absence of this malspam.
Of course, other campaigns are ongoing, so I figure it's time to review other examples of malspam. These campaigns are somewhat harder to find than Dridex/Locky malspam, but they're certainly out there.
However, my field of view is limited, and I can only report on what I'm seeing. With that in mind, this diary reviews two examples of malspam I found on Wednesday 2016-06-08.
Our first example was sent to one of the ISC handlers' email aliases. This example has a zipped .js file attachment.
Running the extracted .js file on a Windows host generated plenty of HTTP traffic.
I saw plenty of artifacts on the infected host, and at least one of the items appears to be Andromeda, based on alerts seen when I played back a pcap of the traffic in Security Onion using Suricata with the ETPRO ruleset.
The Snort subscriber ruleset also generated alerts on the same traffic that triggered Andromeda hits with the ETPRO ruleset.
Our second example is Brazilian malspam in Portuguese sent to a different email address. Instead of an attachment, this one has a link to download the malware.
The link from the malspam redirected to malware hosted on 4shared.com.
Here's what the HTTP traffic looked like from the infected host:
In addition to the HTTP traffic, I saw IRC activity on TCP port 443 from the infected host to a server on ssl.houselannister.top at 188.8.131.52.
Of note, the hostname/username for my infected Windows host in this pcap is a throwaway. Also, the IP address listed in the IRC channel is not the actual IP address of my infected host.
Alerts from this traffic show a Mikey variant, and this infection apparently added my Windows host to a botnet.
Indicators of compromise (IOC) - first example
Domain used for the initial malware download by the .js file:
Post infection traffic that triggered alerts for Andromeda malware:
Other HTTP traffic during this infection:
Indicators of compromise (IOC) - second example
Traffic to retrieve the initial malware:
Malspam is a pretty low-level threat, in my opinion. Most people recognize the malspam and will never click on the attachments or links. For those more likely to click, software restriction policies can play a role in preventing infections. And finally, people should be using properly administered Windows hosts and follow best security practices (up-to-date applications, latest OS patches, etc).
The same thing goes for Dridex/Locky malspam, which I expect will return soon enough.
But many vulnerable hosts are still out there, and enough people using those hosts are still tricked by this malspam. That's probably why malspam remains a profitable method to distribute malware.
Pcaps and malware for this ISC diary can be found here.
Jun 9th 2016
3 years ago
Arubis has published some interesting information regarding the activity of Necurs here: http://blog.anubisnetworks.com/blog/monitoring-necurs-the-tip-of-the-iceberg
and Proofpoint has published a recent blog on this as well: https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution
Jun 10th 2016
3 years ago