2017-11-01 - NECURS BOTNET MALSPAM CONTINUES PUSHING LOCKY
ASSOCIATED FILES:
- Zip archive of a traffic sample: 2017-11-01-Necurs-botnet-malspam-pushes-Locky.pcap.zip 582 kB (582198 bytes)
- Zip archive of the spreadsheet tracker: 2017-11-01-Necurs-Botnet-malspam-tracker.csv.zip 0.9 kB (923 bytes)
- Zip archive of the emails and artifacts: 2017-11-01-Necurs-Botnet-malspam-artifacts.zip 2.0 MB (1,974,440 bytes)
SOME PRIOR DOCUMENTATION:
- 2017-10-19 - SANS Internet Storm Center (ISC) - Necurs Botnet malspam pushes Locky using DDE attack
- 2017-10-24 - My Online Security - Another Locky ransomware fake Invoice malspam campaign using DDE "exploit"
- 2017-10-24 - My Online Security - Locky ransomware delivered via DDE exploit Scan Data malspam no-reply@victim domain
- 2017-10-24 - malware-traffic-analysis.net - Necurs Botnet malspam uses DDE attack to push Locky
- 2017-10-30 - malware-traffic-analysis.net - Necurs Botnet malspam uses DDE attack to push Locky
- 2017-10-31 - My Online Security - blank emails with fake invoice attachments deliver Locky ransomware via word docs with embedded OLE objects
- 2017-10-31 - malware-traffic-analysis.net - Necurs Botnet malspam stops using DDE, still uses Word docs to push Locky
NOTES:
- Necurs Botnet malspam using embedded objects (not DDE attack) for the 2nd day in a row.
- Like yesterday, the Word documents have embedded objects that call PowerShell to retrieve the 1st-stage malware.
Shown above: Current chain of events (no DDE, but embedded objects).
EMAILS
Shown above: Example of an email from this wave of malspam.
EMAIL HEADERS:
- Date: Wednesday 2017-11-01 as early as 10:29 UTC through at least 12:59 UTC
- Subject: Invoice
- Attachment names: [random digits]_Invoice.doc
EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):
- From: Brittney Bee <aBee@brownmail.worldonline.co.uk>
- From: Graham Littlefair <aLittlefair@pdlr.co.uk>
- From: Lester Makins <aMakins@dothat.uk>
- From: Misty Bates <aBates@hartleyromaniuk.co.uk>
- From: Pearlie Bossence <aBossence@acornresearch.co.uk>
Shown above: Word document from one of the emails with malicious embedded object.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 72.249.127.194 port 80 - hilaryandsavio.com - GET /mnfTRw3
- 87.230.95.138 port 80 - toptrends.org - GET /ndgHSKFte4
- 87.230.95.138 port 80 - www.toptrends.org - GET /ndgHSKFte4
- ds.download.windowsupdate.com - POST /
- 45.77.67.197 port 80 - heckhegrijus.net - POST /
- 52.49.136.181 port 80 - kvonline.tactics.be - POST /HJGshd346zoc
OTHER HTTP REQUESTS GENERATED BY THE MALICIOUS WORD DOCUMENTS:
- cirad.or.id - GET /mnfTRw3
- givagarden.com - GET /mnfTRw3
- heart-sp.com - GET /mnfTRw3
- internet-webshops.de - GET /mnfTRw3
OTHER HTTP REQUESTS FOR THE 1ST-STAGE MALWARE:
- urea-art.ru - GET /ndgHSKFte4
- celebrityonline.cz - GET /ndgHSKFte4
- claridge-holdings.com - GET /ndgHSKFte4
- dotecnia.cl - GET /ndgHSKFte4
- transmercasa.com - GET /ndgHSKFte4
- envi-herzog.de - GET /ndgHSKFte4
TOR DOMAIN FOR LOCKY DECRYPTION:
- g46mbrrzpfszonuk.onion
FILE HASHES
WORD DOCUMENTS WITH EMBEDDED OBJECT:
- SHA256 hash: 03db0e3eb42ffca3d32778f38a881872190dc5686b3699b2893fbf06f8120d34 - 222849_Invoice.doc
- SHA256 hash: ca6152dfcb2c2a2aec09322ca19ac8e883792a75dec95f588883cc6e181b4f5e - 328731_Invoice.doc
- SHA256 hash: 9cf8e4808b26e996a6531c01a30ebd5bf7b32247393c19e952d60888d04ba0cd - 49545_Invoice.doc
- SHA256 hash: 899e5742602d14bf59be0ccabc94b6f51254964b64001d77540774486797def7 - 57588_Invoice.doc
- SHA256 hash: 016dbaece7e91bd36a439c279815bdc095e7a3a8df5eb83fdaf8d4bcdc93a9fb - 6409_Invoice.doc
MALWARE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: 8930bd4ab06a60d8b079d37fe029ff6039786988efd4cb0b4c5197d0b39d2a12
  File size: 232,128 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\gnu64.exe
  File location: C:\Users\[username]\AppData\Local\Temp\{3efee3d4-bc4f-ab17-4f3e-b1d4a9a108df}\w16E8508.exe
  File description: Initial malware (generates callback traffic & downloads Locky)
  Registry update: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- SHA256 hash: 1b087b85b0f1c2b14dfa1b9c82004de598903a89a76af49ee4c4eed03bfefe24
  File size: 585,728 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\E7SRXkYl.exe
  File description: Locky ransomware (.asasin variant)
IMAGES
Shown above: Desktop from an infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of a traffic sample: 2017-11-01-Necurs-botnet-malspam-pushes-Locky.pcap.zip 582 kB (582198 bytes)
- Zip archive of the spreadsheet tracker: 2017-11-01-Necurs-Botnet-malspam-tracker.csv.zip 0.9 kB (923 bytes)
- Zip archive of the emails and artifacts: 2017-11-01-Necurs-Botnet-malspam-artifacts.zip 2.0 MB (1,974,440 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.