A Song of Ice and Ransomware: Game of Thrones References in Locky Phishing

We rarely find out the identities of online attackers. As a result, it is often easy to picture attackers as impartial and emotionless devices instead of humans or groups of people. However, attackers often reveal small bits of information about themselves and their personalities in the tactics, techniques, and procedures they select.

Often depicted as nebulous and isolated from the world, the threat landscape does not develop and evolve in a vacuum. Global news, geopolitical happenings, and pop culture all influence the choices attackers make and how they express themselves in the qualitative elements of their attacks. The names given to variables, servers, and files used in attacks are just a small subset of the ways that online criminals express themselves and, in the process, reveal a little bit about their preferences and personalities.

A timely and contemporary example of attackers revealing popular culture’s influence on their work can be found in the Visual Basic scripting used to deliver the Locky ransomware analyzed for Threat ID 9820 . At first glance, this set of emails is just another iteration in the ongoing distribution of the highly successful Locky ransomware. However, examining the variable names used in the Visual Basic script delivered by these emails shows that the attackers selected a distinctive means for adding unpredictability to their ransomware delivery process.

Lightweight script applications designed to deliver malware often use rotating or pseudorandom variable names to ensure that the malware delivery tools look unique. In this case, many of the variables (some misspelled) referred to characters and events from the globally-popular television fantasy epic Game of Thrones.

Figure 1 – Variable names citing a “Throne” and “John Snow”[sic] demonstrates pop culture’s influence on attackers

Looking at this script offers some insight into what pop culture elements have influenced the threat actors. Like everyone else in modern society, they have interests and preferences, favorite music, movies, and television shows. The attackers allowed this to show through their selection of variable names.

Figure 2 – Highly-mutable variable naming allows for virtually endless permutations

The runtime for this script is indifferent to the variable names. The variable names could be anything, including completely random combinations of letters and numbers. However, the criminals responsible for this attack chose a distinctive theme for their variables, thereby revealing their interest in this pop culture phenomenon.

Phishing attacks are distinctive on the global threat landscape as an attack methodology that seeks to exploit the tendencies and behaviors of the people within an organization. It is only fitting that phishing threat actors would reveal their own tendencies and preferences as humans also. Holistic phishing defense begins by treating the email users as humans who serve the information security mission rather than act as an impediment to it. Humanizing the attacker serves as an important portion of assessing and triaging the risk and intent of that attacker during the response process. This process involves a realistic assessment of an organization’s strengths and weaknesses as well as the flow of timely and actionable intelligence on attacker behavior.

While tidbits such as these may not completely change the tide in favor of security professionals, they serve as encouragement to consider attackers as humans—flawed, and subject to their own preferences and tendencies. By humanizing attackers, network defenders can begin to deconstruct the tactics, techniques, and procedures they use and anticipate the ways those methodologies might evolve.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

The Phishing Kill Chain – Simulation Delivery
Tune Your Phishing Defense at Submerge 2017

Leave a Reply