2017-09-11 - BLANK SLATE MALSPAM CAMPAIGN PUSHES "LUKITUS" VARIANT LOCKY RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-11-Blank-Slate-Locky-ransomware-infection.pcap.zip 574.9 kB (574,934 bytes)
- 2017-09-11-Blank-Slate-Locky-ransomware-infection.pcap (704,156 bytes)
- 2017-09-11-Blank-Slate-Locky-ransomware-files.zip 614.1 kB (614,090 bytes)
- 231356.doc (76,272 bytes)
- Temp2991.exe (631,808 bytes)
SOME BACKGROUND:
- 2017-03-02 - Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- 2017-03-22 - Internet Storm Center (ISC): "Blank Slate" malspam still pushing Cerber ransomware.
- 2017-06-29 - ISC: Catching up with Blank Slate: a malspam campaign still going strong.
- 2017-07-31 - Bleeping Computer: Crypt GlobeImposter Ransomware Distributed via Blank Slate Malspam.
- 2017-08-02 - Malware-Traffic-Analysis.net: "Blank Slate" malspam pushing Gryphon ransomware (a BTCware variant).
TODAY'S NOTES:
- In recent weeks, I've noticed different ransomware pushed through "Blank Slate" malspam.
- In the past two to three weeks, I've only seen Word documents as the attachments for Blank Slate malspam.
- Of note, after victims enable macros on the Word documents, the follow-up malware isn't downloaded until after the victim closes the Word document.
- Today's Blank Slate malspam was pushing Locky ransomware.
EMAILS
Shown above: Screenshot from one of today's Blank Slate emails.
EMAILS NOTED:
- READ: Date/time -- Sending mailserver/host -- sending address (spoofed) -- attachment name
- 2017-09-10 19:31 UTC -- 123.24.181[.]80 -- ajarmstrong@fuse[.]net -- 40934113828.doc
- 2017-09-10 21:24 UTC -- 217.211.44[.]196 -- eason.l@telus[.]net -- 9770287828695.doc
- 2017-09-10 21:44 UTC -- 223.113.4[.]34 -- farooqsiddique@gmail[.]com -- 89046.doc
- 2017-09-10 21:55 UTC -- 210.211.99[.]203 -- sintak@shaw[.]ca -- 7022351118565.doc
- 2017-09-10 22:29 UTC -- 82.146.93[.]72 -- info@marupei[.]net -- 259254067723.doc
- 2017-09-11 00:07 UTC -- 220.162.134[.]145 -- drukkerij@kleen[.]nl -- 0092810502733.doc
- 2017-09-11 00:09 UTC -- 188.126.12[.]222 -- [removed].magni@np[.]ge[.]com -- 2712787926.doc
- 2017-09-11 05:56 UTC -- 14.177.236[.]72 -- poligon@uol[.]com[.]br -- 231356.doc
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
URLS FROM THE RECENT WORD MACROS TO DOWNLOAD LOCKY RANSOMWARE:
- hxxp[:]//1holejhaltf[.]top/admin.php?f=3
- hxxp[:]//2lookgosnc[.]top/admin.php?f=3
- hxxp[:]//dookmediola[.]top/admin.php?f=3
- hxxp[:]//funmomdeabx[.]top/admin.php?f=3
- hxxp[:]//hooledoojepa[.]top/admin.php?f=3
- hxxp[:]//westerasiao[.]top/admin.php?f=3
ASSOCIATED FILES
EMAIL ATTACHMENT:
- SHA256 hash: a4ffb89eff4a79534d30a6a694104efacdb2224a886b7510d1728d66622fc06a
File size: 76,272 bytes
File name: 231356.doc
FOLLOW-UP LOCKY RANSOMWARE:
- SHA256 hash: de02a87dde2408d9159a4af35200374aeb52e9dc43807b92f0235e7024709d5d
File size: 631,808 bytes
File location: C:\Users\[username]\AppData\Local\Temp2991.exe
IMAGES
Shown above: The attahed Word document.
Shown above: Malicious macro from the Word document is somewhat obfuscated.
Shown above: Removing the "DuE" string reveals the URLs to download follow-up malware (in this case, Locky ransomware).
Shown above: Desktop of an infected Windows host.
Shown above: The Locky decryptor showing 0.5 BTC as the ransom payment.
Click here to return to the main page.