2017-11-01 - NECURS BOTNET MALSPAM CONTINUES PUSHING LOCKY

ASSOCIATED FILES:

• Zip archive of a traffic sample:  2017-11-01-Necurs-botnet-malspam-pushes-Locky.pcap.zip   582 kB (582198 bytes)
• Zip archive of the spreadsheet tracker:  2017-11-01-Necurs-Botnet-malspam-tracker.csv.zip   0.9 kB (923 bytes)
• Zip archive of the emails and artifacts:  2017-11-01-Necurs-Botnet-malspam-artifacts.zip   2.0 MB (1,974,440 bytes)

 

SOME PRIOR DOCUMENTATION:

• 2017-10-19 - SANS Internet Storm Center (ISC) - Necurs Botnet malspam pushes Locky using DDE attack
• 2017-10-24 - My Online Security - Another Locky ransomware fake Invoice malspam campaign using DDE "exploit"
• 2017-10-24 - My Online Security - Locky ransomware delivered via DDE exploit Scan Data malspam no-reply@victim domain
• 2017-10-24 - malware-traffic-analysis.net - Necurs Botnet malspam uses DDE attack to push Locky
• 2017-10-30 - malware-traffic-analysis.net - Necurs Botnet malspam uses DDE attack to push Locky
• 2017-10-31 - My Online Security - blank emails with fake invoice attachments deliver Locky ransomware via word docs with embedded OLE objects
• 2017-10-31 - malware-traffic-analysis.net - Necurs Botnet malspam stops using DDE, still uses Word docs to push Locky

 

NOTES:

• Necurs Botnet malspam using embedded objects (not DDE attack) for the 2nd day in a row.
• Like yesterday, the Word documents have embedded objects that call Powershell to retreive the 1st-stage malware.

Shown above:  Current chain of events (no DDE, but embedded objects).

 

EMAILS

Shown above:  Example of an email from this wave of malspam.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-11-01 as early as 10:29 UTC through at least 12:59 UTC
• Subject:  Invoice
• Attachment names:  [random digits]_Invoice.doc

 

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

• From: Brittney Bee <aBee@brownmail.worldonline.co.uk>
• From: Graham Littlefair <aLittlefair@pdlr.co.uk>
• From: Lester Makins <aMakins@dothat.uk>
• From: Misty Bates <aBates@hartleyromaniuk.co.uk>
• From: Pearlie Bossence <aBossence@acornresearch.co.uk>

 

Shown above:  Word document from one of the emails with malicious embedded object).

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 72.249.127.194 port 80 - hilaryandsavio.com - GET /mnfTRw3
• 87.230.95.138 port 80 - toptrends.org - GET /ndgHSKFte4
• 87.230.95.138 port 80 - www.toptrends.org - GET /ndgHSKFte4
• ds.download.windowsupdate.com - POST /
• 45.77.67.197 port 80 - heckhegrijus.net - POST /
• 52.49.136.181 port 80 - kvonline.tactics.be - POST /HJGshd346zoc

 

OTHER HTTP REQUESTS GENERATED BY THE MALICIOUS WORD DOCUMENTS:

• cirad.or.id - GET /mnfTRw3
• givagarden.com - GET /mnfTRw3
• heart-sp.com - GET /mnfTRw3
• internet-webshops.de - GET /mnfTRw3

 

OTHER HTTP REQUESTS FOR THE 1ST-STAGE MALWARE:

• urea-art.ru - GET /ndgHSKFte4
• celebrityonline.cz - GET /ndgHSKFte4
• claridge-holdings.com - GET /ndgHSKFte4
• dotecnia.cl - GET /ndgHSKFte4
• transmercasa.com - GET /ndgHSKFte4
• envi-herzog.de - GET /ndgHSKFte4

 

TOR DOMAIN FOR LOCKY DECRYPTION:

• g46mbrrzpfszonuk.onion

 

FILE HASHES

WORD DOCUMENTS WITH EMBEDDED OBJECT:

• SHA256 hash:  03db0e3eb42ffca3d32778f38a881872190dc5686b3699b2893fbf06f8120d34   -   222849_Invoice.doc
• SHA256 hash:  ca6152dfcb2c2a2aec09322ca19ac8e883792a75dec95f588883cc6e181b4f5e   -   328731_Invoice.doc
• SHA256 hash:  9cf8e4808b26e996a6531c01a30ebd5bf7b32247393c19e952d60888d04ba0cd   -   49545_Invoice.doc
• SHA256 hash:  899e5742602d14bf59be0ccabc94b6f51254964b64001d77540774486797def7   -   57588_Invoice.doc
• SHA256 hash:  016dbaece7e91bd36a439c279815bdc095e7a3a8df5eb83fdaf8d4bcdc93a9fb   -   6409_Invoice.doc

 

MALWARE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  8930bd4ab06a60d8b079d37fe029ff6039786988efd4cb0b4c5197d0b39d2a12
  File size:  232,128 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\gnu64.exe
  File location:  C:\Users\[username]\AppData\Local\Temp\{3efee3d4-bc4f-ab17-4f3e-b1d4a9a108df}\w16E8508.exe
  File description:  Initial malware (generates callback traffic & downloads Locky)
Registry update:  KHCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• SHA256 hash:  1b087b85b0f1c2b14dfa1b9c82004de598903a89a76af49ee4c4eed03bfefe24
  File size:  585,728 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\E7SRXkYl.exe
  File description:  Locky ransomware (.asasin variant)

 

IMAGES

Shown above:  Desktop from an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of a traffic sample:  2017-11-01-Necurs-botnet-malspam-pushes-Locky.pcap.zip   582 kB (582198 bytes)
• Zip archive of the spreadsheet tracker:  2017-11-01-Necurs-Botnet-malspam-tracker.csv.zip   0.9 kB (923 bytes)
• Zip archive of the emails and artifacts:  2017-11-01-Necurs-Botnet-malspam-artifacts.zip   2.0 MB (1,974,440 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.