2017-09-11 - BLANK SLATE MALSPAM CAMPAIGN PUSHES "LUKITUS" VARIANT LOCKY RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-09-11-Blank-Slate-Locky-ransomware-infection.pcap   (704,156 bytes)
  • 231356.doc   (76,272 bytes)
  • Temp2991.exe   (631,808 bytes)

SOME BACKGROUND:

TODAY'S NOTES:

 

EMAILS


Shown above:  Screenshot from one of today's Blank Slate emails.

 

EMAILS NOTED:

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

 

URLS FROM THE RECENT WORD MACROS TO DOWNLOAD LOCKY RANSOMWARE:

 

ASSOCIATED FILES

EMAIL ATTACHMENT:

FOLLOW-UP LOCKY RANSOMWARE:

 

IMAGES


Shown above:  The attached Word document.

 


Shown above:  Malicious macro from the Word document is somewhat obfuscated.

 


Shown above:  Removing the "DuE" string reveals the URLs to download follow-up malware (in this case, Locky ransomware).

 


Shown above:  Desktop of an infected Windows host.

 


Shown above:  The Locky decryptor showing 0.5 BTC as the ransom payment.

 
