2017-09-11 - BLANK SLATE MALSPAM PUSHES "LUKITUS" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-09-11-Blank-Slate-malspam-traffic.pcap.zip   575 kB (574,912 bytes)

• 2017-09-11-Blank-Slate-malspam-traffic.pcap   (704,156 bytes)

• Zip archive of the malware:  2017-09-11-Blank-Slate-malware.zip   614 kB (613,686 bytes)

• 231356.doc   (76,272 bytes)
• Temp2991.exe   (631,808 bytes)

SOME BACKGROUND:

• 2017-03-02 - Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• 2017-03-22 - Internet Storm Center (ISC):  "Blank Slate" malspam still pushing Cerber ransomware.
• 2017-06-29 - ISC:  Catching up with Blank Slate: a malspam campaign still going strong.
• 2017-07-31 - Bleeping Computer:  Crypt GlobeImposter Ransomware Distributed via Blank Slate Malspam.
• 2017-08-02 - Malware-Traffic-Analysis.net:  "Blank Slate" malspam pushing Gryphon ransomware (a BTCware variant).

TODAY'S NOTES:

• In recent weeks, I've noticed different ransomware pushed by Blank Slate malspam.
• In the past two to three weeks, I've only seen Word documents as the attachments for Blank Slate malspam..
• Of note, after victims enable macros on the Word documents, the follow-up malware isn't downloaded until after the victim closes the Word document.
• Today's Blank Slate malspam was pushing Locky ransomware.

 

EMAILS

Shown above:  Screenshot from one of today's Blank Slate emails.

 

EMAILS NOTED:

• READ: Date/time -- Sending mailserver/host -- sending address (spoofed) -- attachment name

• 2017-09-10 19:31 UTC -- 123.24.181.80 -- ajarmstrong@fuse.net -- 40934113828.doc
• 2017-09-10 21:24 UTC -- 217.211.44.196 -- eason.l@telus.net -- 9770287828695.doc
• 2017-09-10 21:44 UTC -- 223.113.4.34 -- farooqsiddique@gmail.com -- 89046.doc
• 2017-09-10 21:55 UTC -- 210.211.99.203 -- sintak@shaw.ca -- 7022351118565.doc
• 2017-09-10 22:29 UTC -- 82.146.93.72 -- info@marupei.net -- 259254067723.doc
• 2017-09-11 00:07 UTC -- 220.162.134.145 -- drukkerij@kleen.nl -- 0092810502733.doc
• 2017-09-11 00:09 UTC -- 188.126.12.222 -- [removed].magni@np.ge.com -- 2712787926.doc
• 2017-09-11 05:56 UTC -- 14.177.236.72 -- poligon@uol.com.br -- 231356.doc

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

URLS FROM THE RECENT WORD MACROS TO DOWNLOAD LOCKY:

• hxxp://1holejhaltf.top/admin.php?f=3
• hxxp://2lookgosnc.top/admin.php?f=3
• hxxp://dookmediola.top/admin.php?f=3
• hxxp://funmomdeabx.top/admin.php?f=3
• hxxp://hooledoojepa.top/admin.php?f=3
• hxxp://westerasiao.top/admin.php?f=3

 

ASSOCIATED FILES

EMAIL ATTACHMENT:

• SHA256 hash:  a4ffb89eff4a79534d30a6a694104efacdb2224a886b7510d1728d66622fc06a
  File size:  76,272 bytes
  File name:  231356.doc

FOLLOW-UP LOCKY RANSOMWARE:

• SHA256 hash:  de02a87dde2408d9159a4af35200374aeb52e9dc43807b92f0235e7024709d5d
  File size:  631,808 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp2991.exe

 

IMAGES

Shown above:  The attahed Word document.

 

Shown above:  Malicious macro from the Word document is somewhat obfuscated.

 

Shown above:  Removing the "DuE" string reveals the URLs to download follow-up malware (in this case, Locky).

 

Shown above:  Desktop of an infected Windows host.

 

Shown above:  The Locky decryptor showing 0.5 BTC as the ransom payment.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-09-11-Blank-Slate-malspam-traffic.pcap.zip   575 kB (574,912 bytes)
• Zip archive of the malware:  2017-09-11-Blank-Slate-malware.zip   614 kB (613,686 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.