Scenario: Org2 is a specialist technology company based in the UK. The Org2 IT security operations team responded to an alert from its corporate anti-virus provider that a copy of password stealing malware had been found on three of its domain controllers. This was a serious incident, and an investigation [...]
Locky is a ransomware released in 2016, which became very active in early 2017, died for a bit and came back from the dead towards the end of August 2017. And came with a bang, according to ZDNET the return was announced in style by sending as many as 23 million malspam over a period of 24 hours. Thats almost 1 million mails per hours.
The new campaign was discovered by researchers at AppRiver who say it represents “one of the largest malware campaigns seen in the latter half of 2017”. Millions of emails were sent with subjects such as ‘please print’, ‘documents’ and ‘scans’ in an effort to spread Locky ransomware.
The malware payload was hidden in a ZIP file containing a Visual Basic Script (VBS) file, which if clicked, goes to download the latest version of Locky ransomware — the recently spotted Lukitus variant — and encrypts all the files on the infected computer.
At Mjolnir Security, we have been keeping an eye on Locky as well. Over the last week, we went through all the locky samples and IOCs we had for a customer and we found some concerning things.
Take a look at our correlation graph below:
We found certain domains like technigrafite[.]com, ericweb[.]co[.]za, shopshops[.]de, cutwell[.]ca, schoensigns[.]com, pciholog[.]ru and scouting-bvb[.]nl and the IPs they are hosted on are in use for the past month for distributing locky.
Generally, IPs , domains etc are considered low level indicators of compromise as they are easy to find, easy to block and easily taken down. In this particular case, they continue to be up which means the relevant authorities haven’t taken them down. This allows the Threat Actors behind Locky to continue using infrastructure already in place which could have been an easy fix.
WHOIS lookup shows:
| Domain Name | Registrar | Date Created | Date Expires | Owner Name | Owner Address | Owner Email | Owner Phone | Nameserver |
|---|---|---|---|---|---|---|---|---|
| technigrafite.com | Available | – | – | – | – | – | – | – |
| ericweb.co.za | UniForum Association | null | false | null | hostmaster@telkomsa.net ; | +27.8005002 ; ; | ns1.telkomsa.net ; ns2.telkomsa.net ; | |
| shopshops.de | DENIC eG | null | % | null | null | ; hostmaster@strato.de | ; +49 30886150; | docks20.rzone.de ; shades19.rzone.de ; |
| cutwell.ca | CIRA | 2009-02-18 | 2018-02-18 | null | null | ; | dns1.name-services.com ; dns2.name-services.com ; dns3.name-services.com ; dns4.name-services.com ; dns5.name-services.com ; | |
| schoensigns.com | GoDaddy.com, LLC | 2008-10-29 | 2018-10-29 | null | null | ; | ns.hostingsrvr.com ; ns1.hostingsrvr.com ; ns2.hostingsrvr.com ; | |
| pciholog.ru | RUCENTER-REG-RIPN | 2006-12-28 | 2017-12-28 | null | null | ; | ns1.rusonyx.ru ; ns2.rusonyx.ru ; | |
| scouting-bvb.nl | Stichting Internet Domeinregistratie NL | null | 5611NA EIND | null | null | ; | ns1.webreus.nl ; ns3.webreus.nl ; |
technigrafite is currently available, can this be something malware authors plan to register in the future?
Three are 7-11 years old and are legitimate sites which were hacked to serve locky and have not yet been cleaned.
We tried to reach out to owners of the websites but couldn’t find useful information.
We highly recommend you blocking these domains in your firewalls. Mjolnir Security customers are automatically protected using our Patent pending technology. If you are concerned you dont have adequate protection, get in touch with us now. And if you are just looking for IOC’s, here’s some:
| category | type | value | comment |
| Network activity | hostname | cutwell.ca | |
| Network activity | url | http://cutwell.ca/8etyfh3ni | |
| Artifacts dropped | md5 | 3ba59430e3a75cf5c6ec1b7fcc5dfe33 | |
| Network activity | ip-dst | 98.124.251.68 | cutwell.ca |
| Network activity | url | http://ericweb.co.za/8etyfh3ni | |
| Network activity | hostname | ericweb.co.za | |
| Network activity | url | http://pciholog.ru/8etyfh3ni | |
| Network activity | ip-dst | 196.25.211.127 | ericweb.co.za |
| Network activity | hostname | pciholog.ru | |
| Network activity | url | http://schoensigns.com/8etyfh3ni | |
| Network activity | hostname | schoensigns.com | |
| Network activity | ip-dst | 89.253.235.118 | pciholog.ru |
| Network activity | ip-dst | 184.168.126.30 | schoensigns.com |
| Network activity | url | http://scouting-bvb.nl/8etyfh3ni | |
| Network activity | hostname | scouting-bvb.nl | |
| Network activity | ip-dst | 62.75.132.67 | shopsshops.de |
| Network activity | url | http://shopsshops.de/8etyfh3ni | |
| Network activity | hostname | shopsshops.de | |
| Network activity | ip-dst | 46.235.44.76 | scouting-bvb.nl |
| Network activity | ip-dst | 98.124.251.75 | smarterbaby.com |
| Network activity | url | http://spazioireos.it/8etyfh3ni | |
| Network activity | url | http://smarterbaby.com/8etyfh3ni | |
| Network activity | hostname | smarterbaby.com | |
| Network activity | ip-dst | 81.29.205.233 | spazioireos.it |
| Network activity | hostname | spazioireos.it | |
| Network activity | url | http://tailer.it/8etyfh3ni | |
| Network activity | ip-dst | 89.96.90.14 | tailer.it |
| Network activity | hostname | tarimsalteknoloji.com | |
| Network activity | url | http://tarimsalteknoloji.com/8etyfh3ni | |
| Network activity | hostname | tailer.it | |
| Network activity | url | http://tecnigrafite.com/8etyfh3ni | |
| Network activity | hostname | tecnigrafite.com | |
| Network activity | ip-dst | 185.150.128.21 | tarimsalteknoloji.com |
| Network activity | ip-dst | 46.235.43.11 | turfschiploge.nl |
| Network activity | url | http://turfschiploge.nl/8etyfh3ni | |
| Network activity | hostname | turfschiploge.nl | |
| Network activity | url | http://derainlay.info/p66/8etyfh3ni | |
| Network activity | hostname | derainlay.info |
Overview Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes ...
This is a live tracker depicting Emotet and Trickbot beaconing as we track it in real time using our sensors around the world.