Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. However, late in 2016 Locky distribution declined dramatically, largely due to the slowdown of the Necurs botnet that occurred at the same time.
On April 21st, Talos observed the first large-scale Locky campaign in months from Necurs. This campaign leverages techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.
The campaign itself is similar to most spam campaigns Talos observes. There were several different emails associated with the campaign designed around payments/receipts or scanned images. Below are some examples of the emails that were observed.
[Image: Sample of Receipt/Payment spam campaign]
As shown, there is no body in the email, and the subject has several variants, usually starting with "Payment" or "Receipt" and including several numbers. Some examples can be found in the IOC section of this blog. The filename itself also changes slightly but follows a naming convention beginning with the letter "P", followed by between 3 and 5 digits. One interesting aspect of this campaign is that each subject line is only seen a couple of times before changing. The second portion of this campaign did not follow the same methodology.
This second campaign used the same subject line for tens of thousands of messages. The attachment name was customized based on the email address used to distribute Locky. These emails do have a body of the kind typically associated with a scanned image or document. These, too, carried a malicious PDF.
The technique used by the adversaries to deliver Locky was just recently used to deliver Dridex and makes use of a PDF document with an embedded Word document. The Word document then uses macros to pull down the Locky sample and encrypt files. There are a couple of interesting aspects to this technique, one of which is that it requires user interaction to get the sample to run, defeating many sandboxing technologies. This is a sample of the PDF document.
As shown, the document itself contains only text referencing another file whose name is a series of numbers. Also notice the pop-up box requiring the user to click 'OK' in order for the file to be opened. In this case it was a .docm file with the same filename that is referenced in the PDF.
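A first-pass triage heuristic for PDFs of this shape, added here as an example and not code from the original post: it scans the raw PDF object dictionaries for an embedded file, a Filespec naming an Office document, and JavaScript that would prompt the reader to open it. The sample PDF bytes are constructed for the example; the filename, object layout and the `exportDataObject` call are assumptions about how such an "open the attached file" prompt is produced, not details taken from the campaign sample.

```python
import re

# Constructed stand-in for a PDF that carries an embedded .docm and JavaScript
# prompting the reader to open it. Filename and layout are assumptions for the
# example, not taken from a real campaign sample.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 4 0 R >> endobj
2 0 obj << /Names [(P4821.docm) 3 0 R] >> endobj
3 0 obj << /Type /Filespec /F (P4821.docm) /EF << /F 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "P4821.docm", nLaunch: 2});) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream
endobj
%%EOF
"""

# Constructed benign PDF with no attachments or scripting.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
%%EOF
"""

# Macro-capable Office extensions worth flagging when found as a PDF attachment.
OFFICE_EXT = re.compile(r"\.(docm?|dotm?|xlsm?|xltm|pptm)$", re.I)


def triage_pdf(data: bytes) -> dict:
    """Flag a PDF whose object dictionaries show an embedded Office file plus
    scripting that would ask the user to open it.

    Heuristic only: it reads the raw objects, so content hidden inside object
    streams or filtered (compressed) objects is not seen. Treat a miss as
    "unknown", not "clean".
    """
    # /F (name) inside a Filespec gives the attachment's display name.
    names = [m.decode("latin-1") for m in re.findall(rb"/F\s*\(([^)]*)\)", data)]
    result = {
        "embedded_file": re.search(rb"/Type\s*/EmbeddedFile\b", data) is not None,
        "javascript": re.search(rb"/S\s*/JavaScript\b|/JS\s*[(<\[]", data) is not None,
        "open_action": b"/OpenAction" in data,       # script runs on open
        "launch_prompt": b"exportDataObject" in data,  # the "open file?" dialog
        "attachment_names": names,
        "office_attachment": any(OFFICE_EXT.search(n) for n in names),
    }
    result["suspicious"] = result["embedded_file"] and (
        result["office_attachment"] or result["javascript"])
    return result


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, triage_pdf(blob))
```

The check deliberately keys on the combination (embedded file plus an Office name or scripting) rather than on any single marker, since legitimate PDFs routinely carry either attachments or JavaScript on their own.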
The Word document itself contains an XOR-obfuscated macro that downloads the Locky sample from what is likely a compromised website. After infection, the Locky sample used the /checkupdate C2 structure that has previously been used by Locky.
Below is a graphic showing how the Locky campaign has led to a spike in DNS requests associated with the domain serving the malware. It's difficult to determine whether these requests come from victims or from the many security practitioners investigating this widespread campaign. Regardless, it is clear that this is the most traffic that particular domain has ever seen.
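The spike described above is the kind of signal a resolver log can surface on its own. The following is an added example, not code or data from the original post: it buckets constructed resolver log lines per domain and hour, compares each hour against the median of the domain's earlier hours, and reports the number of distinct clients alongside the raw count, which is the quickest way to tell a handful of curious analysts from a broad victim population. The domain names, client addresses and timestamps are placeholders constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Placeholder names; the real payload domain is not reproduced here.
PAYLOAD_DOMAIN = "compromised-site.example"
BENIGN_DOMAIN = "intranet.example"


def build_log():
    """Constructed resolver log, one 'timestamp client qname' record per line:
    three quiet days, then a burst of lookups from many clients in one hour."""
    lines = []
    for day in (18, 19, 20):
        for hour in range(24):
            lines.append(f"2017-04-{day}T{hour:02d}:15:00 10.0.0.{hour % 7 + 1} {PAYLOAD_DOMAIN}")
            for k in range(3):
                lines.append(f"2017-04-{day}T{hour:02d}:{k * 20:02d}:00 10.0.0.{k + 1} {BENIGN_DOMAIN}")
    for hour in range(14):
        lines.append(f"2017-04-21T{hour:02d}:15:00 10.0.0.{hour % 7 + 1} {PAYLOAD_DOMAIN}")
    for i in range(40):  # the spike: 40 lookups from 30 distinct clients
        lines.append(f"2017-04-21T14:{i:02d}:00 10.0.1.{i % 30 + 1} {PAYLOAD_DOMAIN}")
    return lines


def hourly_stats(lines):
    """Return per-domain query counts and distinct-client sets per hour bucket."""
    queries = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, client, qname = line.split()
        bucket = ts[:13]  # "YYYY-MM-DDTHH"
        queries[qname][bucket] += 1
        clients[qname][bucket].add(client)
    return queries, clients


def find_spikes(lines, factor=10, min_queries=20, min_history=12):
    """Report (domain, hour, queries, distinct_clients, baseline) for any hour
    whose query count is at least `factor` times the median of the domain's
    earlier hours and at least `min_queries`. Hours with zero lookups produce
    no bucket, so the baseline is a median over active hours only."""
    queries, clients = hourly_stats(lines)
    spikes = []
    for qname, buckets in queries.items():
        history = []
        for bucket in sorted(buckets):
            n = buckets[bucket]
            if len(history) >= min_history:
                baseline = median(history)
                if n >= min_queries and n >= factor * baseline:
                    spikes.append((qname, bucket, n, len(clients[qname][bucket]), baseline))
            history.append(n)
    return spikes


if __name__ == "__main__":
    for qname, bucket, n, distinct, baseline in find_spikes(build_log()):
        print(f"{bucket} {qname}: {n} queries from {distinct} clients (baseline {baseline}/h)")
```

A low-and-slow beacon would not trip this threshold; the check is tuned for the sudden, broad pattern the graphic shows, and the distinct-client column is what separates a campaign from one researcher's repeated lookups.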
Below is a video showing the full infection chain, from email to PDF and finally to the Word document, leading to a successful Locky infection.
IOC
Hashes (PDFs):
Hashes (Word Docs):
Subject lines:
Scanned image from MX-2600N (largest scale, single subject)
Receipt (variants include a mix of characters like - or _ and a series of numbers, e.g. Receipt#25088)
Payment (variants include a mix of characters like - or _ and a series of numbers, e.g. Payment-7084)
Payment Receipt (variants include a mix of characters like - or _ and a series of numbers, e.g. Payment Receipt_67467)
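The subject and attachment conventions described for both waves (the "Payment"/"Receipt" subjects with a "P" plus 3 to 5 digit PDF name and an empty body, and the single "Scanned image from MX-2600N" subject) translate directly into a mail-gateway rule. The following is an added example, not code from the original post: it builds a few constructed test messages and classifies each against those patterns. The sender addresses and attachment names are made up, and the "customized based on the sender address" detail is modelled, as an assumption, as the sender's local part appearing in the attachment name.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns taken from the campaign description: subjects like "Payment-7084",
# "Receipt#25088", "Payment Receipt_67467", and attachments "P" + 3 to 5 digits.
SUBJECT_RE = re.compile(r"^(?:Payment Receipt|Payment|Receipt)[\s\-_#]*\d+$", re.I)
ATTACHMENT_RE = re.compile(r"^P\d{3,5}\.pdf$", re.I)
SCANNER_SUBJECT = "Scanned image from MX-2600N"


def build_sample(subject, sender, body, attachment_name):
    """Construct a test message with one PDF attachment (placeholder bytes)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"%PDF-1.7 placeholder", maintype="application",
                     subtype="pdf", filename=attachment_name)
    return m.as_string()


# Constructed samples; sender domains and names are made up for the example.
SAMPLES = {
    "receipt": build_sample("Payment-7084", "billing@sender.example", "", "P4821.pdf"),
    "scanner": build_sample(SCANNER_SUBJECT, "jdoe@sender.example",
                            "Please see the attached scanned document.", "jdoe_scan.pdf"),
    "benign": build_sample("Q2 invoice", "accounts@sender.example",
                           "Hi, invoice attached as discussed.", "invoice.pdf"),
}


def classify(raw: str) -> dict:
    """Match one raw RFC 822 message against the two spam patterns described."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    local_part = parseaddr(msg.get("From") or "")[1].split("@")[0].lower()
    pdfs, body_parts = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".pdf"):
            pdfs.append(name)
        elif part.get_content_type() == "text/plain" and not name:
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    empty_body = not "".join(body_parts).strip()
    verdict = {"subject": subject, "pdf_attachments": pdfs,
               "empty_body": empty_body, "campaign": None}
    if pdfs and empty_body and SUBJECT_RE.match(subject) \
            and any(ATTACHMENT_RE.match(p) for p in pdfs):
        verdict["campaign"] = "receipt-payment"
    elif pdfs and subject == SCANNER_SUBJECT and local_part \
            and any(local_part in p.lower() for p in pdfs):
        # Assumption: "customized based on the sender address" is modelled as
        # the sender's local part appearing in the attachment name.
        verdict["campaign"] = "scanned-image"
    return verdict


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

Requiring the empty body together with the subject and attachment patterns keeps the first rule from matching a genuine "Receipt 1234" from a vendor; the second rule is narrower by design, since a single fixed subject across tens of thousands of messages is itself the strongest indicator.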
Ransomware's monetary draw has continued to push it to the forefront of the threat landscape. Locky had prolific distribution for the majority of 2016, but has been largely absent in 2017. This could be the first significant wave of Locky distribution in 2017. The payload hasn't changed but the methodology has; the use of PDFs requiring user interaction was recently seen with Dridex and has now been co-opted into Locky. This is an effective technique for defeating sandboxes that do not allow user interaction and could increase the likelihood of the lure reaching an end user's mailbox.
Adversaries will continue to evolve to try to maximize their profits. This is just another example in the long line of evolution that email-based malware delivery has gone through. For a time, PDF-based compromise was down significantly and Word macro-based compromise was up. In this campaign they figured out how to disguise a macro-laden Word document inside a PDF, compromising victims around the globe.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
Email Security can block malicious emails sent by threat actors as part of their campaign.
AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.
Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.