2017-11-09 - NECURS BOTNET MALSPAM STILL PUSHING LOCKY RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the spreadsheet tracker:  2017-11-09-Necurs-Botnet-malspam-tracker.csv.zip   1.2 kB (1,219 bytes)
• Zip archive of the pcaps:  2017-11-09-Necurs-Botnet-malspam-pushes-Locky-ransomare-2-pcaps.zip   804.5 kB (804,476 bytes)
• Zip archive of the malspam and artifacts:  2017-11-09-Necurs-Botnet-malspam-and-Locky-ransomware-samples.zip   2.3 MB (2,277,493 bytes)

 

NOTES:

• Basically the same stuff we've been seeing from the Necurs Botnet since Friday 2017-11-03.
• I hadn't properly documented it yet, so here it is!

Shown above:  Chain of events for the recent infections.

 

EMAILS

Shown above:  Screenshot from the spreadsheet tracker.

 

EMAIL HEADERS:

• Date: Thursday 2017-11-09 as early as 12:11 UTC through at least 23:00 UTC

• From (spoofed):  copier@[recipient's email domain]
• From (spoofed):  Ana <Ana.9526@[recipient's email domain]>
• From (spoofed):  Betty <Betty.12[recipient's email domain]>
• From (spoofed):  Earline <Earline.052[recipient's email domain]>
• From (spoofed):  Geneva <Geneva.3140@[recipient's email domain]>
• From (spoofed):  Jenna <Jenna.14[recipient's email domain]>
• From (spoofed):  Leanne <Leanne.987[recipient's email domain]>
• From (spoofed):  Melisa <Melisa.8936@[recipient's email domain]>
• From (spoofed):  Rosetta <Rosetta.3435@[recipient's email domain]>
• From (spoofed):  Terra <Terra.24[recipient's email domain]>
• From (spoofed):  Toni <Toni.410[recipient's email domain]>

• Subject:  Scanned from Canon
• Subject:  Scanned from Epson
• Subject:  Scanned from HP
• Subject:  Scanned from Lexmark
• Subject:  Document
• Subject:  Documents
• Subject:  Invoice
• Subject:  Paper
• Subject:  Order
• Subject:  Reciept
• Subject:  Scan
• Subject:  Scanned document

 

WORD ATTACHMENTS

Shown above:  An example of the attached Word documents.

 

Shown above:  A closer look at the embedded object (a shortcut for PowerShell to download and run Locky ransomware).

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  PowerShell loading script with list of URLs for Locky ransomware.

 

Shown above:  PowerShell downloading the Locky ransomware binary.

 

URLS GENERATED BY THE WORD ATTACHMENTS - FIRST WAVE:

• hxxp[:]//olamoth[.]com/309
• hxxp[:]//wayfarerbest[.]com/309

URLS GENERATED BY THE WORD ATTACHMENTS - SECOND WAVE:

• hxxp[:]//holidays-auction[.]com/505
• hxxp[:]//horoskoperstellung[.]com/505
• hxxp[:]//jw-portal.hosting-jw[.]de/505

URLS TO RETRIEVE LOCKY RANSOMWARE BINARY - FIRST WAVE:

• hxxp[:]//67.199.41[.]9/hjkdfhJH73td
• hxxp[:]//purenergy[.]it/hjkdfhJH73td
• hxxp[:]//phonecenter24[.]de/hjkdfhJH73td
• hxxp[:]//procuradores-elche[.]com/hjkdfhJH73td
• hxxp[:]//tci.seventhworld[.]com/hjkdfhJH73td

URLS TO RETRIEVE LOCKY RANSOMWARE BINARY - SECOND WAVE:

• hxxp[:]//336.linux1.testsider[.]dk/kjgjhdg4
• hxxp[:]//primeassociatesinc[.]com/kjgjhdg4
• hxxp[:]//vallei-elektrotechniek[.]nl/kjgjhdg4
• hxxp[:]//testbxc.u-host[.]ru/kjgjhdg4

 

FILE HASHES

ATTACHED WORD DOCUMENTS:

• SHA256 hash:  142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf
  File size:  148,426 bytes
  File name example:  image2017-11-09-4478862.doc
  URL generated by PowerShell shortcut:  olamoth[.]com/309

• SHA256 hash:  bf2ef3c514cbea1e55d6829746550968b192e067d882a2ba2afabf0b79d968c5
  File size:  148,449 bytes
  File name example:  image2017-11-09-2564039.doc
  URL generated by PowerShell shortcut:  wayfarerbest[.]com/309

• SHA256 hash:  e70005cad5ebb6f0085ddd0e767d3e8965ed9e0d3437052bb2c5ac9265ddcf56
  File size:  148,458 bytes
  File name example:  HYD0000145.doc
  URL generated by PowerShell shortcut:  holidays-auction[.]com/505

• SHA256 hash:  a77f63d2af47cd72dd7bb871400c29670873adcff7c05dc30824718daeb0f525
  File size:  148,445 bytes
  File name example:  AAS00044928.doc
  URL generated by PowerShell shortcut:  horoskoperstellung[.]com/505

• SHA256 hash:  32d90e533bd636ecb4490f67f0db0323fbb279ff3ca2ade120037b7c906798fb
  File size:  148,445 bytes
  File name example:  ELG00019082.doc
  URL generated by PowerShell shortcut:  jw-portal.hosting-jw[.]de/505

DOWNLOADED LOCKY RANSOMWARE BINARIES:

• SHA256 hash:  48c7a0da6261e557e6cd12e81ba8b577492d477d8d21c0bbd8420dc9cb613867
  File size:  774,144 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\thickm2.exe

• SHA256 hash:  e37ffad79863d12a3b62190d653d8e4d7f0b88c261d83e85639699829db06f51
  File size:  790,528 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\thickm2.exe

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Click here to return to the main page.