I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns delivering GlobeImposter ransomware.
The attached .ZIP file contained a malicious VBS script being used as a downloader. Click HERE to view a Pastebin of the script.
Once the script is executed, the host will attempt to download the Locky payload from remote locations, which can be seen in the script.
A full list of download locations was posted on VirusTotal by the user coldshell:
The User-Agent to be used during the GET request is found within the code:
The GET request:
As Lawrence Abrams from BleepingComputer explains, “Once the file is downloaded and executed, it will scan the computer for files and encrypt them. When this Locky variant encrypts a file it will modify the file name and then append the .lukitus. When renaming the file, it uses the format [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus.”
The executable that was dropped into %Temp% is deleted after Locky has finished encrypting the user’s files.
Then, the user will see ransom notes called lukitus.htm and lukitus.bmp on their Desktop.
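A triage sketch for the rename format and ransom-note names described above. This is an added example, not part of the original post or of the sample's code. The function name `triage`, the case-insensitive hex matching, and the sample paths are assumptions made for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rename format quoted above: 8-4-4-4-12 hexadecimal characters + ".lukitus".
# The first three groups (16 chars) are taken from the victim ID.
# Assumption: the page does not state hex case, so both cases are accepted.
LUKITUS_NAME = re.compile(
    r"^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\.lukitus$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}


def triage(paths):
    """Classify paths from a host file listing into Locky (.lukitus) artifacts."""
    encrypted = defaultdict(list)
    report = {"notes": [], "near_miss": []}
    for raw in paths:
        name = PureWindowsPath(raw).name  # handles both \ and / separators
        m = LUKITUS_NAME.match(name)
        if m:
            # Group renamed files by the ID-derived prefix of the new name.
            victim_id = "".join(m.group(1, 2, 3)).upper()
            encrypted[victim_id].append(raw)
        elif name.lower() in RANSOM_NOTES:
            report["notes"].append(raw)
        elif name.lower().endswith(".lukitus"):
            # Extension matches, but the name does not follow the quoted format.
            report["near_miss"].append(raw)
    report["encrypted"] = dict(encrypted)
    return report


# Constructed sample listing (not taken from the analysed host).
SAMPLE = [
    r"C:\Users\alice\Documents\A1B2C3D4-E5F6-0718-9A0B-1C2D3E4F5A6B.lukitus",
    r"C:\Users\alice\Pictures\a1b2c3d4-e5f6-0718-77AA-0123456789AB.lukitus",
    r"C:\Users\alice\Desktop\lukitus.htm",
    r"C:\Users\alice\Desktop\lukitus.bmp",
    r"C:\Users\alice\Documents\budget.xlsx.lukitus",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for vid, files in result["encrypted"].items():
        print(f"ID prefix {vid}: {len(files)} encrypted file(s)")
    print("ransom notes:", result["notes"])
    print("needs review:", result["near_miss"])
```

Grouping by the ID-derived prefix shows at a glance whether every renamed file on a host belongs to one infection. Files that carry the extension but not the format are set aside for manual review.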
Network traffic shows the infected host making POST requests to IP-literal hostnames. The POST requests were to 126.96.36.199 and the URI was /imageload.cgi.
The Reverse.it reports also show more POST requests to 188.8.131.52/imageload.cgi. The ET rule triggered by this traffic is “ET TROJAN Locky CnC checkin”.
File name: 618385655.vbs
File name: uEGvTvQ.exe
Until next time!