In the context of a customer project, we examined a new variant of the Locky ransomware. As in the meantime stated by a law enforcement agency, this has been part of a large wave of attacks hitting various enterprises in the night from Tuesday (2016-07-26) to Wednesday.
As an initial attack vector, the attackers use emails with an attachment that probably even uses a 0day exploit, that enables the payload to be executed already when displayed in the MS Outlook preview.
The ransomware encrypts accessible documents and threatens victims to pay a ransom in order to be able decrypt the files. Further, the malware uses accessible network shares/drives for further spreading.
Further information is following in the next section.
It might help to create filtering rules based on the mentioned file names, hash values, URLs, and IP addresses that are named in the rest of this report.
1.1 Analysis of the Dropper
A customer provided a sample of an email message that has in a similar form been delivered to multiple recipients within the company. The email contained an attached file named statement[ANONYMIZED].rtf
The cryptographic hash values of this file are:
Although the file name extension suggests an RTF document, the document is actually in MS docx format. Both file types are usually associated with MS Word as default application for opening.
When opening the document, it displays an embedded image file in the internal path word/media/image1.jpeg that is meant to trick the user to enable macros.
The document indeed contains the following VBA macro:
VBA-Makro: CreateObject(XI(“M16Byh”, “7C65111A1A2441420116063943592E573B2E435F320D2B225F42301604”, 6, 29))
According to an unverified statement of a law enforcement agency, the document also facilitates a zero-day exploit, which triggers the payload already when viewed in the MS Outlook preview.
The payload downloads a MS Windows PE binary file named c1.exe from the following URL:
The domain indatronic.es during our analysis resolved to the IP address 220.127.116.11
The binary file is then saved under the following path:
1.2 Analysis of Malware Binary
We calculated the following cryptographic hash values of the downloaded binary file 36086.exe:
After being executed, the malware binary 36086.exe showed the following behavior during our analysis:
- Terminates Windows Firewall
net stop MpsSvc, C:\Windows\system32\net1 stop MpsSvc
- Disables automatic start of Windows Firewall Service
sc config MpsSvc start= disabled
- Opens up MS Internet Explorer
“C:\Program Files (x86)\Internet Explorer\iexplore.exe” -nohome
- Deletes all volume shadow copies (Local Windows System Backups, System Restore Points)
vssadmin.exe delete shadows /all /quiet
- Initiates TCP communication with another Host with the IP address 18.104.22.168
- The encryption of user documents could not be observed in the controlled environment, but in the customer context, documents of multiple file types have been encrypted.
- The attackers want the victims to pay a ransom in order to decrypt those files.
1.3 Spreading of the malware
Our customer observed spreading behavior of the malware in order to infect other hosts by placing a binary file on network shares that are accessible on infected machines under the following file name in the root directory of the share. The actual IDs contained in the file name have been anonymized.
Further, all folders on the share are renamed to a random name and a LNK-file with the original name of each folder is created, that first executes the binary file and then opens the corresponding renamed folder.
1.4 Indicators and Countermeasures
The malware identifies in various AV signatures as:
The Outlook Preview function can be disabled under
Outlook Options -> Trust Center -> Trust Center Options -> Attachment Handling
There, check “Do not Preview Attachments”.
The same can be achieved via GPO by setting the following registry key:
In general, you may want to reconsider whether the preview feature is required at all — it would certainly remove significant attack surface from your mail clients.
Please reach out to us if you have further questions, or you are interested in our Incident Response/Forensic Computing training at Troopers17.