Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

Update 2016-11-11:

It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well that the credibility of all information security professionals.

PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.

The email addresses associated with the OPM breach have not been actively circulated.  As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.

***

A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.

One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.

opm-ransomware-nov-2016

Screenshot of phishing message impersonating OPM

The ZIP archives attached to these messages contains a hostile JavaScript application used to download and run a sample of the Locky encryption ransomware.

This phishing narrative comes with a few notable implications. First, emails that are designed to appear as if they were sent by the OPM and the threat actors hope that these are more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also how that these messages are also more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.

If either of these implications bear any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel management, this set of emails would be just another set of phishing emails delivering Locky featuring strange word choice such as “suspicious movements” and “out account”.

These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.

Indicators of compromise related to this set of Locky emails are verbose—323 unique JavaScript application attachments were identified with the capability to download obfuscated Locky payloads from 78 distinct payload locations. These locations are listed below.

hxxp://cgrs168[.]com/xmej0mc

hxxp://acrilion[.]ru/84m9t

hxxp://geethikabedcollege[.]com/766epkuj

hxxp://thisnspeel[.]com/766epkuj

hxxp://thisnspeel[.]com/3ypojyl

hxxp://flurrbinh[.]net/7wi66hp

hxxp://vexerrais[.]net/6sbdh

hxxp://3-50-90[.]ru/u4y5t

hxxp://corinnenewton[.]ca/ctlt8b

hxxp://agorarestaurant[.]ro/cg06f

hxxp://abercrombiesales[.]com/nmuch

hxxp://flurrbinh[.]net/3nrgpb

hxxp://dmamart[.]com/c5l2p

hxxp://codanuscorp[.]com/ay5v52r

hxxp://cafedelrey[.]es/snby1c

hxxp://vexerrais[.]net/84fwijj

hxxp://dessde[.]com/zcwaya

hxxp://villaamericana[.]net/84fwijj

hxxp://ayurvedic[.]by/b9kk9k

hxxp://dowfrecap[.]net/3muv

hxxp://odinmanto[.]com/57evyr

hxxp://centinel[.]ca/wkr1j6n

hxxp://berrysbarber[.]com/q6qsnfpf

hxxp://antivirus[.]co[.]th/jukwebgk

hxxp://odinmanto[.]com/7gplz

hxxp://www[.]cutillas[.]fr/lmc80sdb

hxxp://365aiwu[.]net/hbdo

hxxp://comovan[.]t5[.]com[.]br/byev5nd

hxxp://alpermetalsanayi[.]com/vuvls

hxxp://bielpak[.]pl/a79a64h

hxxp://dowfrecap[.]net/7qd7rck

hxxp://babuandanji[.]jp/lq9kay

hxxp://pastelesallegro[.]mx/ex67ri

hxxp://archmod[.]com/sapma

hxxp://drkitchen[.]ca/y5jllxe

hxxp://earthboundpermaculture[.]org/okez95b

hxxp://eroger[.]be/918p2q

hxxp://avon2you[.]ru/ayz1waqm

hxxp://handsomegroup[.]com/ae2y1hr

hxxp://vexerrais[.]net/3nx3w

hxxp://cosmobalance[.]com/jsqlt0g

hxxp://assetcomputers[.]com[.]au/lkfpyww

hxxp://odinmanto[.]com/2rw

hxxp://dinglihn[.]com/zg3pnsj

hxxp://thisnspeel[.]com/2qrn06f

hxxp://adriandomini[.]com[.]ar/bq62dx

hxxp://inzt[.]net/lbrisge

hxxp://elektronstore[.]it/z298ejb

hxxp://donrigsby[.]com/nts0mk

hxxp://bjshicheng[.]com/blewwab

hxxp://ck[.]co[.]th/r2k6i

hxxp://abclala[.]com/r2kvg

hxxp://lashouli[.]com/rq4xoq

hxxp://flurrbinh[.]net/0nbir

hxxp://competc[.]ca/qrc9n

hxxp://dowfrecap[.]net/6f9tho

hxxp://chaturk[.]com/mxaxemv

hxxp://odinmanto[.]com/0cz2zwz

hxxp://dowfrecap[.]net/0d08tp

hxxp://dekoral[.]eu/twnyr1s

hxxp://chandrphen[.]com/h4b1k

hxxp://drmulchandani[.]com/d6ymtf

hxxp://edrian[.]com/dfc33k

hxxp://fibrotek[.]com/deoq

hxxp://vexerrais[.]net/1jk8n

hxxp://accenti[.]mx/nryojp

hxxp://cheedellahousing[.]com/h24ph

hxxp://elleart[.]nl/gn3pim

hxxp://edubit[.]eu/b6ye94wv

hxxp://bst[.]tw/gnjeebt

hxxp://85[.]92[.]144[.]157/y8giadzn

hxxp://thisnspeel[.]com/04u77s

hxxp://dunyam[.]ru/jge1b3e

hxxp://flurrbinh[.]net/6mz3c5q

hxxp://eldamennska[.]is/h4yim

hxxp://bepxep[.]com/mo05j

hxxp://dwcell[.]com/dph861ws

hxxp://apidesign[.]ca/ijau8q2z

However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.

hxxp://195.123.211[.]229/message[.]php

hxxp://188.65.211[.]181/message[.]php

hxxp://185.102.136[.]127/message[.]php

hxxp://185.67.0[.]102/message[.]php

Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.

mwddgguaa5rj7b54[.]onion

 

The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.

Never miss another phishing threat! Sign up for our complimentary Threat Alerts subscription service today.

Learn more about Locky and other ransomware threats at PhishMe’s Global Ransomware Resource Center.

Rohyt Belani Named a Technology Finalist in DC Inno’s 50 on Fire Awards

We are thrilled to announce that our Co-Founder and CEO Rohyt Belani has been named a finalist in the technology category for DC Inno’s 50 on Fire Awards. These are awards recognize the top 50 movers and shakers in Washington, D.C. across a variety of business verticals and practice, honored for their innovation, energy and contributions to their respective fields while making a big impact on the Washington, D.C. area.

Finalists have been carefully selected by DC Inno staff based on their 2016 editorial coverage of news and announcements, followed by an expert judging panel who will whittle down the top 50 honorees honored this year.

DC Inno recognizes professionals across a wide range of industry verticals, including: Community, Design, Education, Government & Advocacy, Healthcare & Medicine, Investment, Lifestyle, Marketing & Advertising, and Technology.

Read more about the 50 on Fire Awards on the DC Inno Blog.

Did you know that PhishMe was recently named one of the 50 Fastest Growing Private Companies of 2016 by the Washington Business Journal? Check out our recent press release to learn more.