Locky Ransomware Keeps Returning After Repeated Absences

It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics.

Locky’s presence on the threat landscape dates back to February 2016 when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, Locky’s presence on the threat landscape has been far more tepid. Its subdued presence on the threat landscape and intermittent distributions led to rumors that Locky was a thing of the past; many people were surprised when new Locky distributions took place. However, it is clear that despite a smaller degree of tenacity in deployment, the criminals using the Locky ransomware still see benefit from its use. And incremental changes in behavior indicate that these criminals are investing in future use, as well.

The most recent iterations of Locky distributions have replayed some of the simplest techniques for this malware’s distribution in phishing emails. The lures used in these phishing emails make vague references to document delivery, unpaid invoices, received voice mails, or receipts for payments, all examples of content used prolifically in the distribution of ransomware and other malware tools. Some standout examples demonstrate the compelling, yet vague messaging used to deliver this destructive malware.

Figure 1 – Locky phishing emails leverage vague, yet compelling narratives

While attackers continue to use similar phishing emails, the most recent Locky binaries demonstrate that small, incremental changes to the malware’s behavior are being implemented. These changes are mostly superficial but serve to break from expected norms in small ways. The first change, and likely the one to garner the most attention, was the use of two new file extensions applied to files encrypted by the ransomware. Previous iterations of Locky deployments have used extensions ranging from the sensible “.locky” to the more esoteric “.osiris”, “.odin”, and “.aesir” extensions.

In the past two weeks, two new, distinctive extensions have been used. The first, “.diablo6”, evokes a more intimidating ethos for the ransomware. Other samples use “.lukitus”, likely evoking the Finnish word for “locking.” Additionally, a more significant modification comes in the command and control callback resources leveraged by the ransomware to report new infections.

One of the simplest techniques for identifying a malware variety and its communications is to match suspicious traffic to known resource paths used by that malware. For many Locky samples in 2017, command and control resources could be identified by the presence of a “/checkupdate” callback URI path. However, this has also been replaced in recent samples that apply the “.lukitus” encrypted file extension by a “/imageload.cgi” resource path. For very tightly-tuned detection schemes, this change could result in the latter being categorized incorrectly because it represents a departure from the established norm for this malware.

Locky “.diablo6” sample check-in URLs
hxxp://83.217.8[.]61/checkupdate
hxxp://91.234.35[.]106/checkupdate
hxxp://31.202.130[.]9/checkupdate

 

Locky “.lukitis” sample check-in URLs
hxxp://185.17.120[.]130/imageload.cgi
hxxp://185.75.46[.]220/imageload.cgi
hxxp://192.162.103[.]213/imageload.cgi
hxxp://109.237.111[.]179/imageload.cgi
hxxp://78.108.93[.]185/imageload.cgi

Figure 2 – Small changes to command and control callback destination

Despite the numerous stories about Locky “comebacks,” each additional return to prominence serves as a reminder that the Locky ransomware and the business model it supports is a valuable monetary strategy for threat actors. As a result, it is unlikely that Locky will be fully unseated as a premier ransomware tool until a truly superior replacement emerges. Until then, it is imperative that network defenders and information security professionals continue to leverage intelligence on the behavior, techniques, and modifications exhibited by criminals deploying the Locky ransomware.

Use PhishMe® to condition your employees to recognize, report, and respond to these growing threats.

Zeus Panda’s Modular Functions Provide Insight into Botnet Malware Capabilities

One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities–in some case without much insight into the real risks posed by a malware tool.

However, in some cases a malware tool can reveal most, if not all, of its capabilities in a way that helps an organization identify malware risks. The Zeus Panda botnet malware is one of the more popular malware tools this year, and its use has been documented in numerous phishing attacks. It wholly embodies the principles of a multipurpose botnet tool by providing threat actors with a number of avenues for monetizing infected hosts. The tenacity and creativity with which threat actors have delivered this malware makes it a prominent constituent of the threat landscape but with limited expressions of its capabilities. Yet, understanding those capabilities is crucial for network defenders to understand the impact this malware can have within a protected environment.

Through analysis of behavior exhibited by Zeus Panda samples, PhishMe researchers uncovered a comprehensive assessment of this botnet tool’s capabilities. These capabilities were described through a list of module commands to either execute a task or update a module to support enhanced capabilities. The list below lists some operations for these modules.

Zeus Panda module tasks
mod_execute grab2 user_cookies_get
mod_execute grab2 user_passes_get
mod_execute info get_info
mod_update grab2
mod_update http
mod_update info
mod_update klog
mod_update pony
mod_update socks
mod_update vnc_p
mod_update vnc_p2
mod_update vnc_p3
user_execute url

Figure 1 – Zeus Panda modules provide a great deal of information about its capabilities

These module execution and update references can be interpreted as a guide to the capabilities of the Zeus Panda malware. For example, “grab2 user_cookies_get” and “grab2 user_passes_get” both imply that information stored in a browser cookie cache or password safe may be available to the “grab2” module. This could provide an avenue for threat actors to steal browser-session data or passwords for reuse. Similarly, the “info” module may provide reconnaissance about infected environments via the collection of information about the infected host. This information can be in turn leveraged in conjunction with the “user_execute” command to customize an attack through the deployment of a more specialized malware tool.

Other available modules–“klog”, “pony”, and “socks”–imply keylogger, Pony information stealer, and SOCKS proxy capabilities are available to the threat actor. Each of these would greatly enhance the threat actor’s insight into victim activity, stored passwords and credential data, and the ability to abuse the infected machine as a network proxy or traffic relay respectively. Additionally, a series of VNC modules would give the threat actor an option for full remote control of infected hosts.

Each of these elements from this brief list of module execution and update operations can be used to provide network defenders and information security professionals with an assessment of the risks posed by Zeus Panda. Furthermore, if a sample of this malware is present within a protected environment, comparing network communications and endpoint artifacts with this list of capabilities can help in the response process as well.

As malware creators and phishing threat actors further commoditize malware tools to maximize their opportunities and options regarding infected hosts, collecting intelligence on the capabilities available to those threat actors becomes increasingly important. A comprehensive defense strategy must include response plans and anticipatory defenses to limit a malware’s impact as well as prevent its successful deployment. The first step is empowering email users to recognize phishing techniques and report suspicious emails. Beyond this crucial first step, responders must be empowered to understand the risks posed by the malware these emails deliver to better defend the enterprise.

Don’t become another statistic: PhishMe® is now FREE for small businesses under 500 employees. Learn more.

Even the “Smart Ones” Fall for Phishing

It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement[1] about a phishing incident last week, even smart developers can be fooled with a phish.

As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store.  This means that the Copyfish plugin built by a9t9 was no longer under its control.  Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.

The original phishing message that lured the developer carried a link on the URL shortening service called Bit.ly.  As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail.  However, in the screenshot of the message in its text format, the Bit.ly link is clearly-visible.  One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of who clicks on your link.  Others can also see a few stats by appending a plus (+) sign to the end of the URL.  Below is what we saw when we did this:

The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection.  Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page[2] seen below:

The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.

The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address 31.186.103.146, part of a /23 net block owned by Moscow Selectel Service.

Also known to resolve to have resolved to 31.186.103.146 is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.

A third resolution to the same IP, 31.186.103.146, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th.  A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control.  See the tweet[3] below that included screenshots of the phishing message and spoofed Cloudflare login page:

 

In the Comments of that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th.  Other comments reveal that on June 21st CloudFlare actively engaged the customer support software ticketing service being used by the threat actor to send the phishing messages, FreshDesk.  However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.

Bottom-line

There are some lessons that can be learned about two factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly-creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt.  We can also thank a9t9 for owning up to its mistakes so that we can all learn from them.  Their share helps us to connect the dots and discover more about the phisher and his methods and infrastructure.

You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.

References:

[3] https://twitter.com/LawrenceAbrams/status/877666254974316544

[2] hxxps://login.chrome-extensions.top/ServiceLogin/?https://accounts.google.com/ServiceLogin?service=chromewebstore&passive=1209600&continue=https://chrome.google.com/webstore/developer/dashboard&followup=https://chrome.google.com/webstore/developer/dashboard

[1] https://a9t9.com/blog/chrome-extension-adware/

Threat Actors Use Advanced Delivery Mechanism to Distribute TrickBot Malware

Threat actors’ consistent pursuit of improved efficiency is a key characteristic of the phishing threat landscape. One method for improving efficiency is to use a unique delivery technique that not only allows threat actors to distribute malware but also succeeds in evading anti-virus software and technologies.

Ribbon Cutting – Running Macros with CustomUI Elements

PhishMe® Research has generally seen macro execution in PowerPoint tied to specific actions and events, such as a mouse interaction with an object or custom actions. But the “Ribbon Cutting” technique uses a different method; it runs macro code by creating a UI callback that is triggered when the file is opened. Although in the example below we use PowerPoint, the technique can be used in other Office applications that support ribbon customizations.

Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although actually a portable executable file [1], once downloaded, it masquerades its icon as a PDF. 

Karo Ransomware Raises Stakes for Victims by Threatening to Disclose Private Information

A ransomware victim must have a compelling reason to go through the burdensome process of obtaining Bitcoin and paying the ransom. For many victims, the threat of permanently losing access to their files is enough. However, some ransomware authors and criminals seek to push victims harder by raising the stakes even further.

Threat Actors Continue Abusing Google Docs and Other Cloud Services to Deliver Malware

A key part of phishing threat actors’ mission is to create email narratives and leverage malware delivery techniques that reduce the likelihood of detection. By combining compelling social engineering with seemingly benign content, threat actors hope to bypass technical controls and to convince their human victims of a phishing email’s legitimacy. One method with a long history of use is the abuse of Google Docs file sharing URLs to deliver malware content to victims. Because Google Docs and other cloud services may be trusted within an enterprise, threat actors will continue to abuse file sharing services to possibly bypass firewalls and anti-virus technologies.

Petya-like Ransomware Triggers Global Crisis with Echoes of WannaCry Attack

For the second time in as many months, networks around the world have been attacked using a worming ransomware that gains new infections by exploiting a recently-patched Windows SMB vulnerability among other proven techniques. What has been described a ransomware bearing significant similarities to the Petya encryption ransomware ravaged numerous companies and networks around the world with disproportionate impact in Ukraine and Eastern Europe but also inflicted harm to significant numbers of victims in Western Europe and North America.