2017-09-15 - BLANK SLATE CAMPAIGN PUSHES LOCKY RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-09-15-Blank-Slate-campaign-pushes-Locky-ransomware-4-pcaps.zip   2.2 MB (2,159,739 bytes)
• 2017-09-15-Blank-Slate-malspam-tracker.csv.zip   1.0 kB (1,012 bytes)
• 2017-09-15-Blank-Slate-emails-and-Locky-ransomware-files.zip   2.6 MB (2,623,805 bytes)

SOME BACKGROUND:

• 2017-03-02 - Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• 2017-03-22 - Internet Storm Center (ISC):  "Blank Slate" malspam still pushing Cerber ransomware.
• 2017-06-29 - ISC:  Catching up with Blank Slate: a malspam campaign still going strong.
• 2017-07-31 - Bleeping Computer:  Crypt GlobeImposter Ransomware Distributed via Blank Slate Malspam.
• 2017-08-02 - Malware-Traffic-Analysis.net:  "Blank Slate" malspam pushing Gryphon ransomware (a BTCware variant).

TODAY'S NOTES:

• Others have seen emails from the Blank Slate campaign today.  See (this Twitter thread for more info).
• Today's Blank Slate now has one line of message text that reads:  Dear [recipient's email address]
• Blank Slate is still pushing "Lukitus" variant Locky ransomware, just like earlier this week.
• And as usual for these Word documents, once I enabled macros, they only infected my lab hosts after I closed the documents.

 

EMAILS

Shown above:  Screenshot from the spreadsheet tacker.

 

Shown above:  Screen shot from one of the emails.

 

EMAILS COLLECTED:

• 2017-09-15 02:19:48 UTC   --   From (spoofed): sun@mail.hartford[.]edu   --   Attachment name: 3863452352.doc
• 2017-09-15 09:05:59 UTC   --   From (spoofed): x9azfcyjd@163[.]com   --   Attachment name: 60205449.doc
• 2017-09-15 11:28:36 UTC   --   From (spoofed): noreply@tjub[.]com   --   Attachment name: 496642747786061.doc
• 2017-09-15 12:22:06 UTC   --   From (spoofed): lausanne.elsa@gmail[.]com   --   Attachment name: email_3258209741_[recipient's name].doc
• 2017-09-15 12:28:11 UTC   --   From (spoofed): evamiksova@email[.]cz   --   Attachment name: email_3677536606_[recipient's name].doc
• 2017-09-15 12:29:08 UTC   --   From (spoofed): corsi-niki@libero[.]it   --   Attachment name: email_3765354191_[recipient's name].doc
• 2017-09-15 13:20:42 UTC   --   From (spoofed): mik@hartford[.]edu   --   Attachment name: email_004568_[recipient's name].doc
• 2017-09-15 13:31:10 UTC   --   From (spoofed): rene.meijer@van-buuren[.]com   --   Attachment name: email_80610502038_[recipient's name].doc
• 2017-09-15 14:53:22 UTC   --   From (spoofed): info@blumengardens[.]com   --   Attachment name: email_8568903492127_[recipient's name].doc
• 2017-09-15 15:48:23 UTC   --   From (spoofed): amster158@earthlink[.]net   --   Attachment name: email_793174347765409_[recipient's name].doc

 

TRAFFIC

Shown above:  Example of the infection traffic filtered in Wireshark.

 

URLS FROM THE WORD MACROS TO DOWNLOAD FOLLOW-UP MALWARE (LOCKY RANSOMWARE):

• hxxp[:]//ekolapsm[.]top/admin.php?f=1
• hxxp[:]//rockjonadd[.]top/admin.php?f=1
• hxxp[:]//longvanceramics[.]com[.]vn/image/flags/.../1
• hxxp[:]//tsivn[.]com[.]vn/system/logs/.../1

POST-INFECTION IP ADDRESSES (SAW ATTEMPTED TCP CONNECTIONS BUT NO HTTP TRAFFIC):

• 91.203.5[.]162
• 149.154.68[.]190

USUAL TOR DOMAIN FOR THE LOCKY DECRYPTOR:

• g46mbrrzpfszonuk[.]onion

 

ASSOCIATED FILES

Shown above:  Example of an attachment from one of the emails.

 

ATTACHED WORD DOCUMENTS:

• 2fa25ea384f8efde34dbe3cdee16c6fdfbd62ce55961df284d091f997081dce3 - 60205449.doc
• 5b964c0a583a01250f25e1e09e46e6ac7befe68ddf92a3ffd4ab268880c41dc8 - 496642747786061.doc
• 6242181dd9b4f06513e9b8f02ba4bae8cb4191c2a9d14e37b21f51262eca647c - email_004568_[recipient_name].doc
• 3547d4ac076df971793aefb96725707a2210ef4865d78071f673cffdb91c3e53 - email_3258209741_[recipient_name].doc
• d0f4d65d71f46638cb4b303c8d7a8df9a91fecbea0b1b11ff5795333f8391868 - email_3677536606_[recipient_name].doc
• 1a3c2718dadea11348ea5261537283c04bafec8edf7731019e207fe067540aee - email_3765354191_[recipient_name].doc
• b4f4348646d549f9ad8fb27d7e353754cf7a66aa455dd71f0cf16479bb5117c7 - email_80610502038_[recipient_name].doc
• 3acb44fc695152116307bf0bb7f993bcda70b4c356f8b65d0c2f022724319d91 - email_8568903492127_[recipient_name].doc
• de667ee7ed36a884e45d575e1dd9cc98031d1989be6821fae88bb1e59b267a50 - email_793174347765409_[recipient_name].doc

 

FOLLOW-UP MALWARE (LOCKY RANSOMWARE):

• SHA256 hash:  0899e1d9edfde06e1d21969909a0c06599913fdfc3e45e70548f4935e8cd443b
  File size:  649,216 bytes
  File description:  Locky binary from ekolapsm.top or rockjonadd.top

• SHA256 hash:  a22f3b70bef87484d70aaf5f2952dc7cf92aa4bbd55ad90d81989ada54f33279
  File size:  676,352 bytes
  File description:  Locky ransomware binary from longvanceramics[.]com[.]vn or tsivn[.]com[.]vn

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  The Locky decryptor showing today's ransom cost.

 

Click here to return to the main page.