
The return of Locky Ransomware

News + Malware | Mjolnir Security | October 10, 2017

Background

Locky is a ransomware family first seen in 2016. It became very active in early 2017, went quiet for a while, and came back from the dead towards the end of August 2017, with a bang: according to ZDNet, the return was announced in style by sending as many as 23 million malspam messages over a period of 24 hours. That is almost 1 million emails per hour.

The new campaign was discovered by researchers at AppRiver, who say it represents "one of the largest malware campaigns seen in the latter half of 2017". Millions of emails were sent with subjects such as 'please print', 'documents' and 'scans' in an effort to spread Locky ransomware.

The malware payload was hidden in a ZIP file containing a Visual Basic Script (VBS) file which, if opened, downloads the latest version of Locky, the recently spotted Lukitus variant, and encrypts the victim's files on the infected computer.

At Mjolnir Security, we have been keeping an eye on Locky as well. Over the last week we went through all the Locky samples and IOCs we had for a customer, and we found some concerning things.

Take a look at our correlation graph below:

[Figure: Locky analysis correlation graph by Mjolnir Security]

We found that certain domains, such as technigrafite[.]com, ericweb[.]co[.]za, shopshops[.]de, cutwell[.]ca, schoensigns[.]com, pciholog[.]ru and scouting-bvb[.]nl, and the IPs they are hosted on, have been in use for the past month for distributing Locky.

Generally, IPs and domains are considered low-level indicators of compromise: they are easy to find, easy to block and easy to take down, and correspondingly cheap for an attacker to replace. In this case they are still up, which means nobody has taken them down, and the threat actors behind Locky can keep using infrastructure that is already in place. Cleaning or suspending these few sites would have been an easy fix.

WHOIS lookup shows:

Domain            | Registrar                               | Created    | Expires    | Owner name / address   | Contact email / phone                 | Nameservers
technigrafite.com | (not registered; shows as available)    |            |            |                        |                                       |
ericweb.co.za     | UniForum Association                    | not shown  | not shown  | not shown              | hostmaster@telkomsa.net / +27.8005002 | ns1.telkomsa.net, ns2.telkomsa.net
shopshops.de      | DENIC eG                                | not shown  | not shown  | not shown              | hostmaster@strato.de / +49 30886150   | docks20.rzone.de, shades19.rzone.de
cutwell.ca        | CIRA                                    | 2009-02-18 | 2018-02-18 | not shown              | not shown                             | dns1.name-services.com to dns5.name-services.com
schoensigns.com   | GoDaddy.com, LLC                        | 2008-10-29 | 2018-10-29 | not shown              | not shown                             | ns.hostingsrvr.com, ns1.hostingsrvr.com, ns2.hostingsrvr.com
pciholog.ru       | RUCENTER-REG-RIPN                       | 2006-12-28 | 2017-12-28 | not shown              | not shown                             | ns1.rusonyx.ru, ns2.rusonyx.ru
scouting-bvb.nl   | Stichting Internet Domeinregistratie NL | not shown  | not shown  | 5611NA EIND (as shown) | not shown                             | ns1.webreus.nl, ns3.webreus.nl

technigrafite.com is currently available: could this be something the malware authors plan to register in the future? Note, though, that the IOC list below records the domain as tecnigrafite.com, so the "available" result may simply be a misspelled lookup; check that spelling before drawing conclusions.

Three of the domains (cutwell.ca, schoensigns.com and pciholog.ru) were registered between 2006 and 2009, so they are 8 to 11 years old. These are legitimate sites which were hacked to serve Locky and have not yet been cleaned.

We tried to reach out to owners of the websites but couldn’t find useful information.

We highly recommend blocking these domains in your firewalls, and by name in your DNS or web proxy policy as well, since the IPs behind a compromised site can change. Mjolnir Security customers are automatically protected by our patent-pending technology. If you are concerned that you don't have adequate protection, get in touch with us now. And if you are just looking for IOCs, here are some. One caution: the list below spells one domain shopsshops.de whereas the WHOIS section above has shopshops.de, so verify which form is live before blocking.

category          | type     | value                                 | comment
Artifacts dropped | md5      | 3ba59430e3a75cf5c6ec1b7fcc5dfe33      |
Network activity  | hostname | cutwell.ca                            |
Network activity  | url      | http://cutwell.ca/8etyfh3ni           |
Network activity  | ip-dst   | 98.124.251.68                         | cutwell.ca
Network activity  | hostname | ericweb.co.za                         |
Network activity  | url      | http://ericweb.co.za/8etyfh3ni        |
Network activity  | ip-dst   | 196.25.211.127                        | ericweb.co.za
Network activity  | hostname | pciholog.ru                           |
Network activity  | url      | http://pciholog.ru/8etyfh3ni          |
Network activity  | ip-dst   | 89.253.235.118                        | pciholog.ru
Network activity  | hostname | schoensigns.com                       |
Network activity  | url      | http://schoensigns.com/8etyfh3ni      |
Network activity  | ip-dst   | 184.168.126.30                        | schoensigns.com
Network activity  | hostname | scouting-bvb.nl                       |
Network activity  | url      | http://scouting-bvb.nl/8etyfh3ni      |
Network activity  | ip-dst   | 46.235.44.76                          | scouting-bvb.nl
Network activity  | hostname | shopsshops.de                         |
Network activity  | url      | http://shopsshops.de/8etyfh3ni        |
Network activity  | ip-dst   | 62.75.132.67                          | shopsshops.de
Network activity  | hostname | smarterbaby.com                       |
Network activity  | url      | http://smarterbaby.com/8etyfh3ni      |
Network activity  | ip-dst   | 98.124.251.75                         | smarterbaby.com
Network activity  | hostname | spazioireos.it                        |
Network activity  | url      | http://spazioireos.it/8etyfh3ni       |
Network activity  | ip-dst   | 81.29.205.233                         | spazioireos.it
Network activity  | hostname | tailer.it                             |
Network activity  | url      | http://tailer.it/8etyfh3ni            |
Network activity  | ip-dst   | 89.96.90.14                           | tailer.it
Network activity  | hostname | tarimsalteknoloji.com                 |
Network activity  | url      | http://tarimsalteknoloji.com/8etyfh3ni |
Network activity  | ip-dst   | 185.150.128.21                        | tarimsalteknoloji.com
Network activity  | hostname | tecnigrafite.com                      |
Network activity  | url      | http://tecnigrafite.com/8etyfh3ni     |
Network activity  | hostname | turfschiploge.nl                      |
Network activity  | url      | http://turfschiploge.nl/8etyfh3ni     |
Network activity  | ip-dst   | 46.235.43.11                          | turfschiploge.nl
Network activity  | hostname | derainlay.info                        |
Network activity  | url      | http://derainlay.info/p66/8etyfh3ni   |
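Blocking the listed names and IPs is the immediate step, but notice that every url entry in the table shares the same payload path, /8etyfh3ni (derainlay.info serves it under /p66/). That path is a more durable pivot than any single hostname: a freshly compromised site serving the same path will not be on anyone's list yet. The Python below is an added example, not Mjolnir Security's code. It parses rows in the table's own category/type/value/comment layout (IOC_TEXT is a subset of the rows above, copied verbatim; the remaining rows parse the same way), splits them into blocklists, emits Suricata rules keyed on the path, and tags constructed proxy log lines, marking a hit whose only reason is "path" as an unlisted distribution host. The proxy log format, the not-yet-listed.example host and the SID range starting at 9000001 are assumptions.

```python
"""Blocklists and a proxy-log matcher built from the Locky IOC table above.

Added example, not Mjolnir Security's code. IOC_TEXT is a subset of the rows
in the page's table, copied verbatim; PROXY_LOG is a constructed sample; the
Suricata SIDs from 9000001 upward are arbitrary placeholders.
"""
import re
from urllib.parse import urlsplit

IOC_TEXT = """
Network activity url http://cutwell.ca/8etyfh3ni
Artifacts dropped md5 3ba59430e3a75cf5c6ec1b7fcc5dfe33
Network activity ip-dst 98.124.251.68 cutwell.ca
Network activity url http://ericweb.co.za/8etyfh3ni
Network activity hostname ericweb.co.za
Network activity url http://pciholog.ru/8etyfh3ni
Network activity url http://schoensigns.com/8etyfh3ni
Network activity url http://scouting-bvb.nl/8etyfh3ni
Network activity url http://shopsshops.de/8etyfh3ni
Network activity ip-dst 62.75.132.67 shopsshops.de
Network activity url http://spazioireos.it/8etyfh3ni
Network activity url http://smarterbaby.com/8etyfh3ni
Network activity ip-dst 98.124.251.75 smarterbaby.com
Network activity url http://tailer.it/8etyfh3ni
Network activity url http://tarimsalteknoloji.com/8etyfh3ni
Network activity url http://tecnigrafite.com/8etyfh3ni
Network activity url http://turfschiploge.nl/8etyfh3ni
Network activity ip-dst 46.235.43.11 turfschiploge.nl
Network activity url http://derainlay.info/p66/8etyfh3ni
"""

ROW_RE = re.compile(r"^(Network activity|Artifacts dropped)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_iocs(text):
    """Parse the flattened 'category type value [comment]' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped rather than guessed at
            cat, typ, val, comment = m.groups()
            rows.append({"category": cat, "type": typ, "value": val, "comment": comment or ""})
    return rows


def build_blocklists(rows):
    """Split IOCs into hostnames, IPs, URI paths and file hashes for blocking."""
    hosts, ips, paths, hashes = set(), set(), set(), set()
    for r in rows:
        if r["type"] == "url":
            u = urlsplit(r["value"])
            hosts.add(u.hostname)
            paths.add(u.path)  # the shared payload path is the durable pivot
        elif r["type"] == "hostname":
            hosts.add(r["value"])
        elif r["type"] == "ip-dst":
            ips.add(r["value"])
        elif r["type"] == "md5":
            hashes.add(r["value"].lower())
    return hosts, ips, paths, hashes


def suricata_rules(paths, first_sid=9000001):
    """One HTTP rule per payload path; content matches anywhere in the URI."""
    return [
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Locky payload fetch {p}"; '
        f'flow:established,to_server; content:"{p}"; http_uri; '
        f'classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        for i, p in enumerate(sorted(paths))
    ]


# Constructed proxy log sample (assumed format): "timestamp client method url status".
PROXY_LOG = """\
2017-10-09T08:12:03Z 10.1.4.22 GET http://cutwell.ca/8etyfh3ni 200
2017-10-09T08:12:41Z 10.1.4.22 GET http://98.124.251.75/8etyfh3ni 200
2017-10-09T09:03:17Z 10.1.7.9 GET http://not-yet-listed.example/8etyfh3ni 200
2017-10-09T09:05:00Z 10.1.7.9 GET http://www.example.com/index.html 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_log(lines, hosts, ips, paths):
    """Return (client, host, path, reasons) for every line touching an IOC.

    A hit whose only reason is 'path' is a host the list does not know yet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        host = u.hostname or ""
        reasons = [tag for tag, known in (("host", hosts), ("ip", ips)) if host in known]
        if u.path in paths:
            reasons.append("path")
        if reasons:
            hits.append((m["src"], host, u.path, reasons))
    return hits


if __name__ == "__main__":
    hosts, ips, paths, hashes = build_blocklists(parse_iocs(IOC_TEXT))
    print("\n".join(suricata_rules(paths)))
    for hit in match_log(PROXY_LOG.splitlines(), hosts, ips, paths):
        print(hit)
```

The third sample line is the interesting one: its host is not in the list and its IP is unknown, but the path alone flags it, which is exactly the case a domain-only block misses. The Suricata rule uses the classic `content; http_uri;` form so it loads on the 4.x engines current when this campaign ran as well as on newer releases.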

Written by: Mjolnir Security
