Off-the-shelf Zyklon Botnet Malware Utilized to Deliver Cerber Ransomware

Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaign have leveraged resume- and job-applicant-themed messaging as in the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by not only using it as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware to infected endpoints. This technique demonstrates threat actor resourcefulness as well as the increasing commodification and democratization of malware utilities once reserved for only the most-technically-capable threat actors.

Malware Delivery OLE Packages Carve Out Market Share in 2017 Threat Landscape

In the first quarter of 2017, PhishMe Intelligence has noted an increase in malware distributors utilizing OLE packages in order to deliver malware content to victims. This current trend was first noted in December 2016 with close association to the delivery of the Ursnif botnet malware. This technique abuses Microsoft Office documents by prompting the victim to double-click an embedded icon to access some content. These objects are used to write a script application to disk that facilitates the download and execution of a malware payload. This method adds to another iteration of techniques threat actors use to evade anti-analysis and sandbox environments and to successfully infect the intended recipient.

Dridex Threat Actors Reinvigorate Attacks with Sizable, Concurrent Campaigns

One of the most historically effective techniques for gaining new infections for the powerful Dridex botnet malware has been sizable sets of widely-distributed phishing email. While these large campaigns have been intermittent for several months, the past week’s Dridex distributions have shown a renewed vigor with several larger campaigns being launched both concurrently and repeatedly. Many of these campaigns return to well-used and previously-successful email templates and malware delivery tools that had seen earlier utilization in conjunction with both Dridex deliveries and the delivery of other malware tools.

On March 30, 2017 three distinct sets of phishing emails were identified as delivering the Dridex malware. Each was a rehashing of a previously-used phishing narrative. The emails analyzed for Threat ID 8692 pretended to represent communication from a travel agency based in the United Kingdom confirming the recipient’s vacation travel has been booked. Other emails, delivered concurrently, purposed to deliver a vaguely- described “confirmation” as analyzed in Threat ID 8693. Furthermore, Threat ID 8700 documents a set of messages purporting to deliver a notice that an image attachment was ready for sending in yet another vague phishing narrative. Examples of these messages can be seen in Figure 1.

Figure 1 – Examples of Dridex phishing emails from March 30, 2017

The message narrative used in these campaigns should be familiar to information security professionals following Dridex as they represent similar themes to earlier Dridex campaigns. The impersonation of small- and medium-sized firms based in the United Kingdom was previously a common theme among Dridex delivery emails. This preference in content may serve to indicate a preference for a population with which those emails are meant to have disproportionate appeal. However, it appears that these emails were still delivered globally. The other repeated narrative seen once again today is a vague informational message about the status of an image attachment that has been readied for sending. Similar narratives have been used a half-dozen times in the delivery of Dridex since July 2015.

While the Dridex botnet malware’s users are launching phishing campaigns with renewed vigor, their stories and tools have stayed the same. This provides a distinct advantage to threat intelligence users who have access to repositories of information on the tactics, techniques, and procedures related to earlier attacks. It also provides an advantage to organizations whose email users are prepared and empowered to identify and report suspicious emails. Empowered recipients of messages like these are able to recognize the lure and instead of becoming victims, can make a difference for their organization by reporting the email.

Emails based on the threats shown in this blog post are also available as templates in PhishMe Simulator.

For further information on the Threat ID’s mentioned in this post, PhishMe Intelligence customers can log into https://www.threathq.com.

For more information on PhishMe’s human vetted, phishing-specific threat intelligence request a demo today.

What is Actionable Intelligence?

Do you know what is actionable intelligence? Do you know the difference between threat intelligence and actionable intelligence? If not, read on.

The term actionable intelligence has joined the ranks of threat intelligence, big data and more words that are used in well-meaning ways, but are ultimately meaningless.

Don’t get us wrong, like many other vendors, we use these phrases to describe what we do. However, because there are so many companies out there using these terms with their own meanings attached to them, we feel the need to write this blog post and hopefully do right by the technology and service offerings that are transforming the way that we approach today’s cyber threats.

In fact, there was a recent LinkedIn discussion on this very topic. A LinkedIn user posted this question:

What exactly is “actionable intelligence”? I see a lot of start-ups being created by MBA persons who have no background or credentials in IT security. The product they offer for big fees is known as “actionable intelligence”. They are trying to duplicate for businesses what the NSA, CIA, FBI, and DHS are doing for, and within, the federal government. My question is: how can these companies have the manpower and the resources to provide services like the NSA, CIA, FBI, DHS. We all have heard of the failures in intel coming from the best intel services in the world, i.e. NSA, CIA, etc. Those big boys have failures. What should we expect from these start-ups and your companies that are jumping on the bandwagon.? And these companies do not know of the ordinary IT security practices like defense in depth, hardening systems. They are providing intelligence about the “bad guys”. How do they go about getting this intelligence? It is so secretive how does a CISO know if it is worth anything?

As the following definition from businessdictionary.com provides, actionable intelligence is not relegated to security; maybe that’s why ‘MBA person with no security credentials’ feel they can use it or may actually know something about it from usage in a different field:

“Any intelligence can be used to boost a company’s strategic position against industry peers. The acquired intelligence must be transferred into real actions which can be used to either launch a preemptive strike or prepare a counter strategy. Examples include the competitors’ price range, marketing budget, target demographic, advertising campaign and strengths over a company’s own product. Overly aggressive attempts to gather intelligence from competitors may be illegal and constitute corporate espionage.”

Now onto some of the other questions posited: Let’s get into the context of security. Here is one definition that’s pretty good:

“Actionable Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.”

Not perfect, but not bad.

As for the vendors’ size, not everyone in the market of ‘threat intelligence’ is small – by the way, the industry analyst group The 451 estimates there will be $1.2B in spending this year and IDC thinks spending will be $1.8B. Symantec, Cisco, Intel/McAfee, IBM and many other large traditional security vendors have acquired threat intelligence offerings.

As for the startups and whether or not they can compete, the question isn’t one about manpower as you refer to with major security agencies; instead it’s about their technology and its ability to provide value. If they can provide that value with one person their ‘actionable intelligence’ will be purchased. And yes, just like traditional defense in depth systems, threat intelligence is not a panacea for the woes of security. However, the reality of failures of current defense in depth, hardening and other current security techniques has to be acknowledged. Many organizations realize that ‘defending’ and ‘responding’ is no longer as effective as it used to be, and that being intelligence led is required. Why? The hackers, the bad guys, are winning more and more.

As for traditional security (defense in depth, hardening, Etc.), I don’t think anyone would ever suggest that you not use these and other network defenses. And these threat intelligence vendors don’t either. The traditional security systems and methods play a vital role in securing your network, even if they have their individual shortcomings. Their efficacy can be raised, however, when given the right kind of intelligence that has an immediate impact on network security. Threat intelligence can make these devices smarter and the security professionals who are too few and overworked, ‘smarter’ about how to stop and prevent attacks.

As for how they get their intelligence, its different by vendor and it’s a great question to ask them if you evaluate their offerings.  And try before you buy—just like anything else—and that way you will know if it has value—and so will your CISO!

Got Any Good Phishing TIPs?

PhishMe Intelligence Integrates with Industry Leading Threat Intelligence Platforms (TIPs)

Swimming in a sea of threat intelligence indicators and services, security teams have been working towards effective ways to centralize, de-duplicate, and correlate massive amounts of threat data. The challenge is once this is done, acting on the what matters most. This requires intelligence, not just data.

This is why PhishMe has completed technical integrations with TIP partners Anomali™ and ThreatConnect®. These integrations offer security teams the ability to ingest and correlate phishing-specific indicators with easy-to-act-on impact ratings and contextual reports to make confident security and business decisions.

PhishMe Intelligence customers gain from our human-verified phishing intelligence. What does this mean? It means that our customers receive phishing indicators from daily criminal phishing campaigns such as compromised IP addresses, domains, URLs, hashes, and botnet and command and control infrastructure. These indicators and credible intelligence reports are meticulously maintained and verified by PhishMe security researchers. Customers receive expert phishing intelligence that connects indicators with threat actors’ infrastructure so that security teams can confidently act quickly and accurately in their investigations.

PhishMe precisely delivers timely indicators and intelligence about ransomware, business email compromise, credential-stealing phish, and other malware. It is the timeliness and accuracy that is so crucial because the longer it takes security teams to determine the impact and severity of the threat, the more time the attacker has to plot their next move and achieve their mission.

When PhishMe designates an indicator with a major impact rating, teams can heed this warning and confidently take action. PhishMe doesn’t just tell security teams what is malicious, we explain why something is malicious. This is the context that allows analysts to act on the data analyzed and enriched by trustworthy PhishMe researchers.

PhishMe also helps answer the never-ending question; “is this a threat to my business”? The Active Threat Reports are contextually-rich reports that illustrate threat actor tactics and the neighboring criminal infrastructure that supports their operation. The reports take “so what” about an indicator, and provide an inside-out view of the threat actor and tactics.

Security analysts spend less time deducing and more time executing.

Security teams invest in TIPs as a way of bringing multiple sources of data into a centralized location that can be correlated and then distributed to other systems as part of the workflow. Open source, paid subscription, and industry-specific intelligence exchanges, all provide a useful purpose in managing threats to the business. The difficulty is managing vast amounts of data and ensuring a low signal-to-noise ratio. As such, TIPs emerged to support the endless need for data analysis and decisive action.

PhishMe Intelligence product management and solution engineers collaborated with TIP providers to complete technical integrations suited for security teams accountable for defending the business.

Conclusion

TIPs emerged to help security analysts who are inundated with so much information and the need to centrally manage it. They’ve become a concentrated repository for security teams to ingest, de-duplicate, analyze, and act on the indicators received. PhishMe’s technical partnerships with Anomali and ThreatConnect, will help ensure that the quality of intelligence available is second to none when it comes to indicators of phishing. Phishing is the primary vector of compromise and oftentimes leads to data loss. Consuming human-vetted phishing intelligence into a TIP ensures security teams can be confident in the action they take to protect their business.

Fortifying Defenses with Human-Verified Phishing Intelligence

Mining Phish in the IOCs

PhishMe® and Palo Alto Networks® are providing security teams with the ability to ingest human-verified phishing intelligence in a standard format that can be automatically enforced as new protections for the Palo Alto Networks Next-Generation Security Platform through the MineMeld application. Through this integration, PhishMe and Palo Alto Networks are providing a powerful approach to identifying and preventing potentially damaging phishing attacks.

The challenge of operationalizing threat intelligence

Ransomware, business email compromise (BEC), malware infections, and credential-based theft all primarily stem from a single vector of compromise – phishing. Operationalizing threat intelligence, especially when it comes to phishing, continues to weigh on the minds of businesses regardless of size. Security teams require the ability to ingest, verify and enforce new protections for potential phishing attacks, all within their existing infrastructure.

Where are the Phish?

PhishMe extends beyond a traditional data feed. Customers receive phishing intelligence. What’s the difference? Intelligence, vs. traditional data.

Information without context is data. Intelligence is information with context, and context is what security teams require in order to have confidence in their decisions.

Intelligence customers receive indicators specific to phishing and their criminal command and control (C2) and botnet infrastructure associated with malware families like Locky, Dyre, and Cerber. This is then backed up by threat intelligence reports with verbose context that provides security teams with insight into attacker TTPs.

PhishMe identifies what is nefarious, but more importantly, why, and what it means.

Integration Tackle Box for PhishMe and Palo Alto Networks

Security teams who wish to easily complement their Palo Alto Networks Next-Generation Security Platform’s security policies with PhishMe Intelligence will need an instance of MineMeld (version 0.9.26 and above) and PhishMe Intelligence API credentials (contact PhishMe for trial access https://phishme.com/product-services/live-demo). MineMeld will ingest intelligence from PhishMe, and can automatically feed new prevention controls to Palo Alto Networks devices, without adding heavy operational burden.

Configuring MineMeld with PhishMe

The following is a step-by-step guide to configure MineMeld in order to ingest PhishMe Intelligence phishing URLs, aggregate them, and construct into an output capable of preventing malicious URLs in security policies within PAN-OS devices. Before we dive into the configuration of MineMeld, it is important to review the three key concepts behind the application:

  • Miners: responsible for retrieving indicators from configured sources of intelligence and data feeds. Miners will bring in new indicators on a configurable, periodic basis, and also age-out any indicators that are no longer needed.
  • Processor: The processor node will aggregate the data obtained by the Miner and conforms the data to IPv4, Ipv6, URLs, or domains. Once aggregated, the data is sent to the output nodes.
  • Output: The output nodes gather data from the processor node and convert the data into a format that is capable of being consumed by PAN-OS (and other non-PAN-OS external services)

PhishMe Intelligence Miner Node

(Image of Miner Node with API credential example and phishme.intelligence prototype)

Processor Node

(Image of Processor Node using the stdlib.aggregatorURL prototype and the PM_Intel input from the configured Miner)

Output Node

(Image of Output Node using the stdlib.feedHCRedWithValue prototype and the agg_URL_all input from the configured Processor)

Configuration Graph Summary

The configuration graph is a summary exhibiting the flow of PhishMe Intelligence. The miner collects intelligence, aggregates, and the output node structures the data to be usefully applied to prevent phishing.

(Example of PhishMe Intelligence aggregated and with output URL data for PAN-OS)

Log Detail with URL Indicator and High Confidence rating of 100

The image below represents an example of URL intelligence received in the MineMeld log. This snippet specifies a malware payload from an OfficeMacro and TrickBot (similar to Dyre) family. If they choose to, analysts can then use the URL to the Threat Report with executive and technical details that explain more about the malware.

The above summarization of the MineMeld setup portrays how easy it is to take very relevant and useful information and structure it so that it can be operationalized with other security investments. Far too often teams have underutilized technical resources or processes that place a strain on the workforce. MineMeld reduces the human burden and provides security teams with the ability to create actionable prevention-based controls.

Phishing Intelligence Operationalized = PhishOps!

Let’s review an example of how to operationalize these indicators of phishing (IoPs) and apply them to a Palo Alto Networks security policy to deny egress traffic to these phishing URLs.

Create New Object in PAN-OS

From the Objects tab, select External Dynamic Lists from the navigational pane. Analysts just need to provide the relevant information to pull in the list of URLs from MineMeld.

(Example of External Dynamic List linking to URL list from MineMeld)

Apply to PAN-OS Security Policy

With the External Dynamic List defined, security policies can now be created based on acceptable criteria. In the case below, inside sources browsing externally and matching the PhishMe Intelligence URLs will be denied.

(Example policy to deny inside to outside web-browsing against PhishMe Intelligence URLs)

FINito! Wrapping up

A similar process can be repeated like the above, with IP lists and domains, and applied according to phishing threats facing the business. The way MineMeld handles the data received makes applying it to Palo Alto Networks Next-Generation Security Platform very effective. Security teams will need to determine where they want to apply the policies once MineMeld has compiled the data.

The phishing threat is alive and very well and the ability for security teams to maximize their investments and operationalize with low administrative overhead should be enticing to tackle the threat.

 

More about MineMeld:

MineMeld, by Palo Alto Networks, is an extensible threat intelligence processing framework and the ‘multi-tool’ of threat indicator feeds. Based on an extremely flexible engine, MineMeld can be used to collect, aggregate and filter indicators from a variety of sources and make them available for consumption to peers or to the Palo Alto Networks Next-Generation Security Platforms.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about the PhishMe Intelligence, visit:  https://phishme.com/product-services/phishing-intelligence/.  

 

A Warning on Christmas Delivery Scams

The time of year has once again arrived when post offices are busier than the freeway on a Friday evening. We buy gifts, online and in stores, and we send and expect packages to and from the far corners of the country, continent, and even the world.

Yet behind this frenzy of merriment skulk a series of dangers. Although Christmas is still more than a month away, scammers of this kind have already been active in various areas across the US. For a number of years, security experts have grown to expect a hike in the number of internet scams being spotted around the festive period, from fake deal websites to counterfeit greeting ecards. One example is becoming highly-popular among threat actors and is better positioned to trick even the most security-aware individual: failed delivery phishing scams.

UPS estimates that in the U.S., more than 630 million packages were delivered by shoppers during the holiday period last year, and FedEx predicts  317 million shipments between Black Friday and Christmas Eve. With all this holiday mail, not to mention everyone out and about to prepare for their celebrations, it is not surprising to find a “delivery failed” notice in your inbox. If the message concerns something needed by Christmas, the annoyance at having to re-organize a delivery can make us act rashly and even foolishly.

It is widely-known that the keys to successful social engineering are fear and greed.  When presented with compelling stimuli under these categories, criminals can count on a significant number of their potential victims briefly suspending their information security awareness training and clicking the link.  As Christmas approaches, certain malware families such as ASProx may have high-volume spikes, taking advantage of shoppers lowering their guard.  In December 2014, spammers used ASProx to deliver fear in the form of a Failed Delivery email from big, respected brands like CostCo, BestBuy, and Walmart.  Recall that PhishMe’s Gary Warner identified more than 600 hacked websites that were used as intermediaries to prevent detection by causing the spammed links to point to websites that had been “known to be good” until the morning of the attack.

So who should be on the lookout for these scams, and what can be done to protect Christmas shoppers?

Basically everyone, from individual consumers to massive businesses, should be on high alert. Though we should not let scammers turn shoppers into paranoid victims, being able to spot the details that reveal a scam can be the only thing standing between a scammer and your personal or company bank account details. While Christmas scams are thought of as dangerous, if the computer used to access these websites is a company or government computer, these scams can have a wide-ranging and long-term impact. And with nearly , this is a subject to take extremely seriously.

So be vigilant, and have a very merry (and scam-free) holiday season.

 

Did you know that 97% of phishing emails delivered in 2016 contained ransomware? Learn more by downloading our latest Q3 Malware Review.

Beware: Encryption Ransomware Varieties Pack an Extra Malware Punch

As the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines. Much of the innovation seen in 2016 was focused on defying the expectations for how ransomware is delivered such as steganographic embedding of ransomware binaries, other forms of file obfuscation, and requirements for command line argumentation. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor.

While it is easy to be caught up in hype regarding the smallest alteration to ransomware behavior, sometimes a step back and a look at the ransomware business model is more helpful. While the alteration in the extension given to files encrypted by Locky may be easy fodder for blog posts, changes like the addition of the “.shit” extension is likely little more than a jab at information security researchers who have placed a significant amount of stock in the extension applied to encrypted files. Simply put—changing the file extension used by this malware doesn’t fundamentally change how the malware impacts victims. And most victims probably don’t care what extension is applied to their now-inaccessible documents. Most importantly, it does not impact how the threat actor intends to generate revenue from that new infection.

Many of the changes seen in ransomware delivery through 2016 have supported the core of the business model by guaranteeing the maximal number of infections. Innovative means of bypassing controls, frustrating analysis, and creating difficulties for incident response were all created by defying certain expectations. These were all put forward as ways to ensure victims are infected by the ransomware and put into a position where they may be compelled to pay the ransom and thereby monetize the infection for the threat actor. However, as the public becomes more and more aware of ransomware threats through journalistic outlets and the advice of security professionals, threat actors face more challenges in successfully monetizing the deployment of their tools. The longevity of ransomware as a viable criminal enterprise relies upon the continued innovation that ensures threat actors can deliver and monetize infected machines.

One arena in which few ransomware developers have made forays is the capability to repurpose infected machines for other criminal endeavors. Widespread usage of ransomware as a first-step utility is still uncommon among the most prominent ransomware varieties as is the side-by-side delivery of other malware utilities via phishing email. However, this capability would be a simple addition to most ransomware varieties and would stand to create new and virtually-unlimited additional avenues for further monetization of infected machines beyond the collection of a ransom payment. One ransomware variety that has already begun to incorporate this functionality into its behavior is the Troldesh encryption ransomware.

Troldesh ransom note

Troldesh ransom note

An example of this ransomware was recently analyzed and was found to also deliver a content management system (CMS) login brute-force malware in addition to its core ransomware payload. This malware is designed to force its way into content management systems like WordPress and Joomla by guessing the login credentials. This is valuable to threat actors as it allows them to compromise those websites for any number of reasons including the posting of new malware payloads to be downloaded in later campaigns. Beyond giving threat actors access to the compromised websites, this malware also pushes the responsibility for those compromises away from the threat actor, giving them some level of deniability and distance from the attacks. However, the victim, whose computer is now being used to launch brute-force attacks on websites, must still pay the demanded ransom to regain access to the files that have been encrypted by Troldesh.

However, Troldesh is a ransomware that has a relatively low profile among ransomware varieties—especially in terms of its impact on English-speaking populations. However, another example was identified more recently that indicates that this one-two punch technique is also being used in conjunction with the Locky encryption ransomware—a malware that has a far wider reach and is more well-known.

A set of emails was found to deliver the Locky encryption ransomware alongside the Kovter malware. This pairing is notable as it represents an interesting set of malware utilities delivered to victims. In this case, the Kovter trojan allows the threat actor to maintain access and potentially deliver other malware to machines while also monetizing the infection through click-fraud activities. The messages analyzed by PhishMe Intelligence claimed to deliver a notification regarding the status of a package shipped via FedEx. The JavaScript application attached to these emails was designed to facilitate the download of both a Locky encryption ransomware binary and the additional Kovter sample. This setup harnesses the most successful ransomware of 2016 to provide a short path to financial gains while also including the ability for the threat actor to perform reconnaissance and perhaps even maintain access to the infected environment for extended periods of time.

FedEx phishing email delivering Locky and Poweliks

FedEx phishing email delivering Locky and Kovter

 

However, repurposing a victim’s computer to carry out the activities highlighted in these examples are just two examples of what a threat actor could do if additional malware or capabilities are incorporated into ransomware samples. Two factors could make a scenario like this have a significant impact on an individual or company. First, if a threat actor can place a ransomware sample within an environment and then expand their reach using additional malware samples, the threat actor has created two avenues for victimizing that individual or organization. The ransomware is most obvious component of this scenario, but the additional malware sample could be used for a much longer and more damaging operation with implications reaching far beyond the ransomware incident. Secondly, since the expectation is that the ransomware sample is the only avenue for monetization and the only malware involved in most ransomware incidents, an individual or organization may not seek out the additional malware and instead address only the obvious threat instead of the quieter and more longitudinal threat.

The prospect of ransomware featuring additional capabilities or acting as malware downloaders is troubling. It greatly complicates the threat landscape and adds burdens to information security professionals tasked with protecting organizations from both ransomware and other malware utilities. The good news, however, is that many organizations are already aware and empowered to address both ransomware and non-ransomware malware threats. Phishing email has been the most prominent avenue for the delivery of both these categories of malware utility and is an arena where organizations can form holistic defense plans. Holistic phishing defense includes the education and empowerment of all email users to identify and report phishing emails before engaging with the malware they deliver. The information security professionals within those organizations can then utilize that internal intelligence from user reports along with external intelligence to best identify and respond to not just the obvious threats like ransomware, but also the quieter and less-obvious malware threats as well.

The full report on this Troldesh sample used to deliver additional malware payloads is available to PhishMe Intelligence users here. The list below includes a number of IOCs related to this analysis.

JavaScript email attachment:

7bce43f183ea15474f31544713c6edbc

Payload location:

phuketfreeday[.]com/resource/images/flags/oble5/par/systemdll[.]exe

Troldesh binary:

62b4d2fa7d3281486836385bd3f6cd02

Troldesh command and control host:

a4ad4ip2xzclh6fd[.]onion

Content Management System Brute-force bot executable:

7f2c0adb3ead048b6a4512b2495f5e43

Content Management System Brute-force bot command and control host:

x4ethdcumddzwbxc[.]onion

The Locky and Kovter samples are described in this Active Threat Report and related IOCs are listed below.

Locky encryption ransomware sample:

f3d935f9884cb0dc8c9f22b44129a356

Locky hardcoded C2 locations:

hxxp://176.103.56[.]119/message.php

hxxp://109.234.35[.]230/message.php

 Kovter sample:

0d01517ad68b4abacb2dce5b8a3bd1d0

Kovter command and control resource:

hxxp://185.117.72[.]90/upload.php

 

Curious to learn more about our ransomware findings? Check out our Q2 Malware Review where we identified key trends in malware and ransomware in the threat landscape.

Unscrupulous Locky Threat Actors Impersonate US Office of Personnel Management to Deliver Ransomware

Update 2016-11-11:

It is important to PhishMe to avoid hyperbolic conclusions whenever possible. In the interest of clarifying some conclusions that have been drawn from this blog post, it is important to keep in mind the nature of Locky distribution and how this malware is delivered to victims. We consider it a serious responsibility to report on very real threats in a way that lends itself to our credibility as well that the credibility of all information security professionals.

PhishMe has no reason to believe that this set of emails was delivered only to victims of the OPM incident nor to government employees as part of a spear phishing attack.

The email addresses associated with the OPM breach have not been actively circulated.  As such, it is incredibly unlikely that the threat actors have any detailed knowledge of who will be receiving these emails. Furthermore, PhishMe has not received any confirmation that anyone impacted by the OPM incident has received a copy of these emails. Many people who were not affected by the OPM incident and are not affiliated with the U.S. government also received copies of these messages and are also put at a very real risk by this ransomware.

***

A continuing truth about the Locky encryption ransomware is that its users will take advantage of any avenue that they believe will secure them a higher infection rate but still utilize predictable themes. This time, the threat actors have chosen to impersonate the US Office of Personnel Management in one of their latest attempts to infect people with this ransomware. As we have noted in previous reporting, Locky has set the tone for 2016 with its outstanding success as an encryption ransomware utility. As we approach the end of the year, this ransomware continues to be a fixture on the phishing threat landscape.

One key example of this malware’s phishing narratives is a set of emails analyzed by PhishMe Intelligence this morning that cite the purported detection of “suspicious movements” in the victim’s bank account that were detected by the US Office of Personnel Management.

opm-ransomware-nov-2016

Screenshot of phishing message impersonating OPM

The ZIP archives attached to these messages contains a hostile JavaScript application used to download and run a sample of the Locky encryption ransomware.

This phishing narrative comes with a few notable implications. First, emails that are designed to appear as if they were sent by the OPM and the threat actors hope that these are more likely to appeal to government workers and employees of government contractors. Secondly, the threat actors may also how that these messages are also more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.

If either of these implications bear any truth, the Locky threat actors once again demonstrate their unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process. However, absent the reference to the Office of Personnel management, this set of emails would be just another set of phishing emails delivering Locky featuring strange word choice such as “suspicious movements” and “out account”.

These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.

Indicators of compromise related to this set of Locky emails are verbose—323 unique JavaScript application attachments were identified with the capability to download obfuscated Locky payloads from 78 distinct payload locations. These locations are listed below.

hxxp://cgrs168[.]com/xmej0mc

hxxp://acrilion[.]ru/84m9t

hxxp://geethikabedcollege[.]com/766epkuj

hxxp://thisnspeel[.]com/766epkuj

hxxp://thisnspeel[.]com/3ypojyl

hxxp://flurrbinh[.]net/7wi66hp

hxxp://vexerrais[.]net/6sbdh

hxxp://3-50-90[.]ru/u4y5t

hxxp://corinnenewton[.]ca/ctlt8b

hxxp://agorarestaurant[.]ro/cg06f

hxxp://abercrombiesales[.]com/nmuch

hxxp://flurrbinh[.]net/3nrgpb

hxxp://dmamart[.]com/c5l2p

hxxp://codanuscorp[.]com/ay5v52r

hxxp://cafedelrey[.]es/snby1c

hxxp://vexerrais[.]net/84fwijj

hxxp://dessde[.]com/zcwaya

hxxp://villaamericana[.]net/84fwijj

hxxp://ayurvedic[.]by/b9kk9k

hxxp://dowfrecap[.]net/3muv

hxxp://odinmanto[.]com/57evyr

hxxp://centinel[.]ca/wkr1j6n

hxxp://berrysbarber[.]com/q6qsnfpf

hxxp://antivirus[.]co[.]th/jukwebgk

hxxp://odinmanto[.]com/7gplz

hxxp://www[.]cutillas[.]fr/lmc80sdb

hxxp://365aiwu[.]net/hbdo

hxxp://comovan[.]t5[.]com[.]br/byev5nd

hxxp://alpermetalsanayi[.]com/vuvls

hxxp://bielpak[.]pl/a79a64h

hxxp://dowfrecap[.]net/7qd7rck

hxxp://babuandanji[.]jp/lq9kay

hxxp://pastelesallegro[.]mx/ex67ri

hxxp://archmod[.]com/sapma

hxxp://drkitchen[.]ca/y5jllxe

hxxp://earthboundpermaculture[.]org/okez95b

hxxp://eroger[.]be/918p2q

hxxp://avon2you[.]ru/ayz1waqm

hxxp://handsomegroup[.]com/ae2y1hr

hxxp://vexerrais[.]net/3nx3w

hxxp://cosmobalance[.]com/jsqlt0g

hxxp://assetcomputers[.]com[.]au/lkfpyww

hxxp://odinmanto[.]com/2rw

hxxp://dinglihn[.]com/zg3pnsj

hxxp://thisnspeel[.]com/2qrn06f

hxxp://adriandomini[.]com[.]ar/bq62dx

hxxp://inzt[.]net/lbrisge

hxxp://elektronstore[.]it/z298ejb

hxxp://donrigsby[.]com/nts0mk

hxxp://bjshicheng[.]com/blewwab

hxxp://ck[.]co[.]th/r2k6i

hxxp://abclala[.]com/r2kvg

hxxp://lashouli[.]com/rq4xoq

hxxp://flurrbinh[.]net/0nbir

hxxp://competc[.]ca/qrc9n

hxxp://dowfrecap[.]net/6f9tho

hxxp://chaturk[.]com/mxaxemv

hxxp://odinmanto[.]com/0cz2zwz

hxxp://dowfrecap[.]net/0d08tp

hxxp://dekoral[.]eu/twnyr1s

hxxp://chandrphen[.]com/h4b1k

hxxp://drmulchandani[.]com/d6ymtf

hxxp://edrian[.]com/dfc33k

hxxp://fibrotek[.]com/deoq

hxxp://vexerrais[.]net/1jk8n

hxxp://accenti[.]mx/nryojp

hxxp://cheedellahousing[.]com/h24ph

hxxp://elleart[.]nl/gn3pim

hxxp://edubit[.]eu/b6ye94wv

hxxp://bst[.]tw/gnjeebt

hxxp://85[.]92[.]144[.]157/y8giadzn

hxxp://thisnspeel[.]com/04u77s

hxxp://dunyam[.]ru/jge1b3e

hxxp://flurrbinh[.]net/6mz3c5q

hxxp://eldamennska[.]is/h4yim

hxxp://bepxep[.]com/mo05j

hxxp://dwcell[.]com/dph861ws

hxxp://apidesign[.]ca/ijau8q2z

However, only four hardcoded command and control hosts were found to be supporting this Locky instance. They are listed below.

hxxp://195.123.211[.]229/message[.]php

hxxp://188.65.211[.]181/message[.]php

hxxp://185.102.136[.]127/message[.]php

hxxp://185.67.0[.]102/message[.]php

Furthermore, a single payment site where the ransomware victim can pay the Bitcoin ransom in exchange for a purported decryption application was identified.

mwddgguaa5rj7b54[.]onion

 

The full PhishMe Intelligence report on this Locky analysis is available to PhishMe Intelligence clients here.

Never miss another phishing threat! Sign up for our complimentary Threat Alerts subscription service today.

Learn more about Locky and other ransomware threats at PhishMe’s Global Ransomware Resource Center.

Macro Based Anti-Analysis

Over the past several months PhishMe research has noticed an increase with Anti-Analysis techniques being included within Office macro and script files. This is the first post in a series where we look at the inclusion and effectiveness of these methods. Although the use of Anti-Analysis techniques is not new, they are generally observed within the packed payload in an effort to avoid detection by endpoint security solutions.

Most recently we came across a campaign of emails which included a malicious Microsoft Word document. The document contains a standard lure using an image instructing the user to enable active content as it was authored with a newer version of Microsoft Office.

figure 1

Once macros are enabled during analysis we generally see activity as the execution is triggered when the document is opened or an object is initialized and the script begins extracting or downloading a malicious payload, but we noticed with samples from this campaign that there was no activity when the macro was enabled.

Using oletools to quickly scan the document we see that the hook to trigger the macro code is using the Document_Close event instead of an event triggered using document open or object initialization. Running the sample in a sandbox further confirmed that dynamic analysis results were not available as the session timed out and the macro code was never executed.

figure 2

Visualizing the call-graph shows that the macro is composed of one main function and a de-obfuscation routine which allows us to quickly focus on the calls within the ijPql function. Analysis led us to find additional anti-analysis checks within the Macro before the payload was downloaded and executed.

figure 3

The macro first checks that the current username is not ‘USER’ and then checks that the RecentFiles count is > 3

figure 4

The macro then makes a HTTP GET request to https://www.maxmind.com/geoip/v2.1/city/me with the following custom headers:

  • Referer: ‘https://www.maxmind.com/en/locate-my-ip-address’
  • User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

A successful request returns a JSON object which includes a traits structure containing information about the ISP, Orgainization and ASN.

figure 5

The result is then checked if any of the following strings exist within the JSON string.

“AMAZON”, “ANONYMOUS”, “BITDEFENDER”, “BLUE COAT”, “CISCO SYSTEMS”, “CLOUD”, “DATA CENTER”, “DATACENTER”, “DATACENTRE”, “DEDICATED”, “ESET, SPOL”, “FIREEYE, “FORCEPOINT”, “FORTINET”, “HETZNER”, “HOSTED”, “HOSTING”, “LEASEWEB”, “MICROSOFT”, “NFORCE”, “OVH SAS”, “PROOFPOINT”, “SECURITY”,”SERVER”, “STRONG TECHNOLOGIES”, “TREND MICRO”, “TRUSTWAVE”, “NORTH AMERICA”, “BLACKOAKCOMPUTERS”, “MIMECAST”, “TRENDMICRO”

If any of the checks fail, the macro will exit and not download the configured payload.

Conclusion

We see another example of attackers migrating anti-analysis techniques that are traditionally seen included within a packed payload, up the stack into the initial infection script. The use of a finalization event (on_close) to trigger execution, demonstrates that attackers understand the default capabilities of sandboxes and are implementing techniques to bypass automated analysis. Additionally, the inclusion of network source checks focusing on security and hosting infrastructure further indicates awareness of cloud based services being leveraged by researchers and security companies.

Although the checks are easily bypassed by researchers and analysts because they are implemented in a scripting language. They have been observed to be effective in circumventing dynamic analysis in common sandbox deployments.

Document Samples  

  • 683154fa03f494bd368042b3546f7b04
  • 3bb6807d88a7ee359d7d813e01700001
  • 4c59ccbc0c524069e46ad8d92e65a14c