2017-10-30 – Necurs Botnet malspam uses DDE attack to push Locky


ASSOCIATED FILES:

  • Zip archive of a traffic sample:    802 kB (801,911 bytes)
  • Zip archive of the spreadsheet tracker:    0.8 kB (826 bytes)
  • Zip archive of the emails and artifacts:    855 kB (854,984 bytes)

SOME PRIOR DOCUMENTATION:

  • 2017-10-19 – SANS Internet Storm Center (ISC) –
  • 2017-10-24 – My Online Security –
  • 2017-10-24 – My Online Security –
  • 2017-10-24 – malware-traffic-analysis.net –

NOTES:

  • Thanks to who notified me about today’s Necurs Botnet malspam ().
  • I was able to grab 4 emails from this malspam that were submitted to Virus Total.


Shown above:  Same chain of events as we’ve been seeing.

EMAILS


Shown above:  Example of an email from this wave of malspam.

EMAIL HEADERS:

  • Date:  Monday 2017-10-30
  • Sending email address (spoofed):  [email protected]
  • Subject:  Scanned document from HP ePrint user
  • Attachment names:  filename-[1 or 2 digits].doc   or   new document-[1 or 2 digits].doc   or   untitled-[1 or 2 digits].doc

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

  • 111.68.20.150 port 80 – heart-sp.com – GET /kjhuAT61 – returned base64 string
  • 195.96.193.23 port 80 – epcb.it – GET /niueyft38 – returned 404 not found
  • 213.202.100.90 port 80 – dvprojekt.hr – GET /niueyft38 – returned file downloader
  • ds.download.windowsupdate.com – POST / – file downloader connectivity check
  • 45.77.67.197 port 80 – toundlefa.net – POST / – file downloader post-infection check-in
  • 89.253.235.118 port 80 – pciholog.ru – POST /jhfry3766 – returned Locky binary, encoded or otherwise encrypted
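As an added example (not part of the original post), a small Python correlator that walks proxy log lines and flags a client that reproduces the request sequence above: the DDE first-stage fetch, the downloader fetch, the post-infection check-in, and the Locky retrieval. The log line format, the ten-minute window and the client addresses are assumptions; the URIs and hostnames are the ones listed above, and the windowsupdate.com connectivity check is deliberately not scored because that destination is legitimate.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (timestamp client method host uri status) that
# mirror the request sequence listed in this post; not the post's own pcap.
SAMPLE_LOG = """\
2017-10-30T14:02:11Z 10.0.0.5 GET heart-sp.com /kjhuAT61 200
2017-10-30T14:02:19Z 10.0.0.5 GET epcb.it /niueyft38 404
2017-10-30T14:02:21Z 10.0.0.5 GET dvprojekt.hr /niueyft38 200
2017-10-30T14:02:30Z 10.0.0.5 POST ds.download.windowsupdate.com / 200
2017-10-30T14:02:33Z 10.0.0.5 POST toundlefa.net / 200
2017-10-30T14:02:40Z 10.0.0.5 POST pciholog.ru /jhfry3766 200
2017-10-30T14:05:00Z 10.0.0.7 POST example.org / 200
2017-10-30T14:06:00Z 10.0.0.9 GET hobbystube.net /niueyft38 404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")
# (stage, method, URI, prerequisite stage). A bare "POST /" check-in is too
# generic to score on its own, so it only counts after the downloader fetch.
STAGES = [
    ("dde_first_stage", "GET", "/kjhuAT61", None),
    ("downloader_fetch", "GET", "/niueyft38", None),
    ("downloader_checkin", "POST", "/", "downloader_fetch"),
    ("locky_retrieval", "POST", "/jhfry3766", None),
]
# The downloader's connectivity check goes to a legitimate Microsoft host.
CONNECTIVITY_CHECK_HOSTS = {"ds.download.windowsupdate.com"}

def parse_line(line):
    # Returns None for lines that do not fit the assumed format.
    m = LINE_RE.match(line.strip())
    return m and {"ts": datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), "client": m[2],
                  "method": m[3], "host": m[4], "uri": m[5], "status": int(m[6])}

def correlate(log_text, window=timedelta(minutes=10)):
    # Per client: chain stages seen inside the window and the hosts contacted.
    events = filter(None, map(parse_line, log_text.splitlines()))
    state = defaultdict(lambda: {"stages": [], "hosts": set(), "start": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in CONNECTIVITY_CHECK_HOSTS:
            continue
        st = state[ev["client"]]
        for name, method, uri, needs in STAGES:
            if (ev["method"], ev["uri"]) != (method, uri) or (needs and needs not in st["stages"]):
                continue
            st["start"] = st["start"] or ev["ts"]  # window opens at the first matched stage
            if ev["ts"] - st["start"] <= window:
                st["hosts"].add(ev["host"])
                if name not in st["stages"]:
                    st["stages"].append(name)
    return {c: {"stages": s["stages"], "full_chain": len(s["stages"]) == len(STAGES),
                "hosts": sorted(s["hosts"])} for c, s in state.items() if s["stages"]}
```

A failed fetch (the 404 from epcb.it) still counts as a stage, because the request itself shows the document ran; the client that only issued a generic POST / is not reported.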

OTHER URLS FROM THE WORD DOCUMENTS:

  • hotelruota.it – GET /kjhuAT61
  • hilaryandsavio.com – GET /kjhuAT61
  • internet-webshops.de – GET /kjhuAT61

OTHER URLS TO RETRIEVE THE FILE DOWNLOADER:

  • fuettern24.de – GET /niueyft38
  • h1854684.stratoserver.net – GET /niueyft38
  • hobbystube.net – GET /niueyft38

TOR DOMAIN USED FOR LOCKY DECRYPTION:

  • g46mbrrzpfszonuk.onion

FILE HASHES

WORD DOCUMENTS USING DDE ATTACK:

  • SHA256 hash:    –   16,990 bytes   –   filename-68.doc
  • SHA256 hash:    –   16,997 bytes   –   untitled-24.doc
  • SHA256 hash:    –   16,995 bytes   –   untitled-4.doc
  • SHA256 hash:    –   16,996 bytes   –   untitled-8.doc

MALWARE RETRIEVED FROM THE INFECTED HOST:

  • SHA256 hash: 
    File size:  248,512 bytes
    File location:  C:\Users\[username]\AppData\Local\Temp\hti4.exesh
    File location:  C:\Users\[username]\AppData\Local\Temp\{68c5f030-bc1a-1282-1725-8eec14b32716}\9rD40BWa.exe
    File description:  Initial malware (generates callback traffic & downloads Locky)

Registry update:  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • SHA256 hash: 
    File size:  659,968 bytes
    File location:  C:\Users\[username]\AppData\Local\Temp\E5IxznC0.exe
    File description:  Locky ransomware (.asasin variant)

IMAGES


Shown above:  Popup notification seen from Word document using DDE attack (1 of 3).


Shown above:  Popup notification seen from Word document using DDE attack (2 of 3).


Shown above:  Popup notification seen from Word document using DDE attack (3 of 3).


Shown above:  Desktop from an infected Windows host.


Shown above:  Ransom payment was .25 bitcoin.


Shown above:  Registry update to keep the initial malware persistent on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

  • Zip archive of a traffic sample:    802 kB (801,911 bytes)
  • Zip archive of the spreadsheet tracker:    0.8 kB (826 bytes)
  • Zip archive of the emails and artifacts:    855 kB (854,984 bytes)

Zip archives are password-protected with the standard password.  If you don’t know it, look at the “about” page of this website.


http://www.malware-traffic-analysis.net/2017/10/30/index.html
