Locky and Dridex - New Wine in Old Bottles
Peter Stephenson, technology editor, SC Magazine
The computer media has been screaming it for the past few days: Locky is back! Dridex is back! Of course they are… these are two of the most prolific – and prosperous – malwares around at the moment. Why would anyone think that they had dried up and blown away? The only thing that would cause that would be a better Locky and a better Dridex. And that is what we seem to have.
Antonio Cocomazzi has done a nice reverse of the current Locky in Pierluigi Paganini's blog so I won't waste your time with it here. However, I got the same sample and took a close look at it. One of the domains upon which I focused was yourworshipspace.com because in just about every list of IOCs that I saw it was consistently present. The first thing to do was to associate this with other domains, IPs, URLs and malwares. For that we need Maltego.
We use the Community Edition for now but we are purchasing the commercial version soon so you'll be able to see a bit more detail then. For now, though, there is more detail than we really need. Depending upon how discriminating you are when running Maltego transforms, you can get a lot of good data or, in addition, you can get a lot of false positives. That, unfortunately, is unavoidable at the start of a threat hunt. An overall picture of yourworshipspace.com is shown in Figure 1. As you can see there is a lot of noise but there is one part that is of particular interest.
Figure 1 - yourworshipspace.com Top Level Maltego Analysis
On our top level chart, we see a couple of clusters (I use the circle format because relationships jump out at you. Other layouts work well, too, but I tend to use them for refinement – it's really a matter of personal style). In the lower left corner there is a small circle of domains and one of them is our target – yourworshipspace.com. Figure 2 expands upon that.
Figure 2 - Expansion of yourworshipspace.com
Now, let's see what we can learn about this site. First, we'll back out a bit and see what this connects to. We will find that there are quite a few malwares delivered by this site and we also will find that there are a number of related sites, such as DNS entries including mail exchangers and the like. Let's start with the malwares. Off to the left of our circle is a sort of moon-shaped cluster of brown dots… those are malwares that are associated with yourworshipspace.com.
Another interesting fact associated with the Maltego analysis of yourworshipspace.com is that the domain is not on Cocomazzi's list of 49 compromised domains. That really doesn't mean much by itself but that, taken with the older version of Locky, suggests that the domain has been cleaned up. So let's look at one of Cocomazzi's domains: angeelle.nichost.ru. I picked that one at random and ran it in Maltego and found it associated with a much newer hash: 6ee97df4cd3561579b9d3c7201bd6ed3. If we run that in VirusTotal we find that it is much newer – first submitted on 27 June. The lesson for threat hunters here is that you really need to pursue multiple samples when you are chasing down malware and the sites distributing it. So let's dig into this a bit more.
Let's assume that you don't have any domain names – all you have is the hash. You got that from your AV software when there was an attempt to infect you. You know that it's Locky and you run the hash in VirusTotal and find that it is the newest version. Now your objective is to identify domains associated with this version so you can block them. Back to Maltego. We'll stick the hash into Maltego and run the ThreatCrowd Enrich MD5 transform. When we do that we get four domains that are associated with the malware – distributing it, we may assume. They are shown in Figure 3.
Figure 3 - Most Current Locky Version Hash and Associated Domains from Maltego
However, that may not be everything that is available. In fact, only one domain is present in Cocomazzi's list so we have enhanced his list by three new domains: asliaypak.com, www.potolok-profit.ru and potolok-profit.ru. Let's dig further. We got a hint of a resource in Maltego when we used the ThreatCrowd enrich MD5 transform. So let's go to the horse – if you want to know what the horse has for breakfast, ask the horse. So we'll ask ThreatCrowd. It's a free service. When we feed it the hash we get a much enhanced picture. That picture is in Figure 4.
Figure 4 - ThreatCrowd Analysis of Current Locky Hash
We also note that we got a bit more than we bargained for. For example, we see that the file that the sample came from was unpaid_9998.js. That is consistent with Cocomazzi's findings. We also get an email address: firstname.lastname@example.org. It is tied to asliaypak.com. Perhaps this is the email of the registrant of that site? If so, does he/she have any other associated domains? This calls for OpenDNS Investigate. When we run the email there we find that, yes, there is at least one other domain: sevisanli.net. Hmmm… time for some pivoting. In ThreatCrowd we can do that easily so let's pivot on the email address and see what we get.
The results are interesting but don't give us a lot of really useful information. It shows no direct relationship with any other domain. However, from Investigate we know that asliaypak.com is guilty of Drive-by Downloads/Exploits and Malware. We also see another domain, this one apparently more benign. The domain is sevisanli.net. We find that this is a Turkish domain and that our email address is the one for the administrative/technical representative of the registrant. We also see that the registration expired in 2013 and there is no DNS activity. This is a dead domain and we can cross it off our list. Back to the original domain.
This one - asliaypak.com – is very active and has been especially active since 27 June. It is spreading several types of malware. Let's go back to Maltego and see what we can add to what we already have. We run the ThreatCrowd Enhance Domain transform and we see a lot of new information including some IPs – we'll get to them momentarily – and a lot of new malware. Most of the malware comes from www.potolok-profit.ru so we'll block that one for sure. “But…” you say… “nobody in our organization is likely to go to that Russian web site. Why bother?”
Recall that asliaypak.com has a history of drive-by exploits and malware? Also, it is not unlikely that a legitimate site – perhaps one in Cocomazzi's list – does a redirect to it. So, we'll block it just in case. The expanded Maltego chart looks like Figure 5.
Figure 5 - Expanded Maltego Chart of Locky Spread
Now, back to the IPs that we found on our Maltego chart. Here they are with the Investigate and CyMon findings (CyMon.io is an excellent open threat intelligence site):
IP | Investigate | CyMon | Note
---|---|---|---
220.127.116.11 | US IP; heavy malware spreader | Malware and malicious activities – active | 1
18.104.22.168 | US IP; heavy malware spreader | Malware and malicious activities – active | 2
22.214.171.124 | RU IP | Malicious activities | 3
126.96.36.199 | RU IP; heavy malware spreader | Malware and malicious activities – active | 4
188.8.131.52 | RU IP; heavy malware spreader | Malware and malicious activities – active | 5
Some associated domains and URLs:
Note 1 –
Note 2 – Same info as Note 1
Note 3 –
Note 4 –
Notice that these IPs host multiple malicious domains and URLs. This becomes a blocklist for you just in case your other blocklists haven't picked up all of these.
So you can see how we can take a single md5 hash that we observe in our quarantines and expand it into a blocklist of IPs, domains and URLs. Next time we'll take up Dridex re-mastered.
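The hash-to-blocklist pivot described above, written out as an added example (my code, not the author's or any tool's own): starting from the Locky hash, it walks hash → distributing domains → resolved IPs and registrant email → further domains, drops a domain with no DNS history the way sevisanli.net was crossed off, and reports which domains are new relative to a previously published list. The report dictionaries are constructed sample data in ThreatCrowd-style JSON shape (an assumption about field names); IPs and the email address are illustrative placeholders, so the script runs offline.

```python
from collections import deque

# Constructed sample data in the shape of ThreatCrowd-style reports.
# Assumption: field names follow the ThreatCrowd v2 JSON; all values here
# (IPs in the 192.0.2.0/24 documentation range, the email) are illustrative.
FILE_REPORTS = {
    "6ee97df4cd3561579b9d3c7201bd6ed3": {
        "domains": ["asliaypak.com", "www.potolok-profit.ru",
                    "potolok-profit.ru", "angeelle.nichost.ru"]},
}
DOMAIN_REPORTS = {
    "asliaypak.com": {"resolutions": [{"ip_address": "192.0.2.10"}],
                      "emails": ["registrant@example.org"]},
    "www.potolok-profit.ru": {"resolutions": [{"ip_address": "192.0.2.20"}]},
    "potolok-profit.ru": {"resolutions": [{"ip_address": "192.0.2.20"}]},
    "angeelle.nichost.ru": {"resolutions": [{"ip_address": "192.0.2.30"}]},
    # Expired registration and no DNS history: the dead-domain case.
    "sevisanli.net": {"resolutions": [], "emails": ["registrant@example.org"]},
}
EMAIL_REPORTS = {"registrant@example.org":
                 {"domains": ["asliaypak.com", "sevisanli.net"]}}
# Stands in for the previously published list of compromised domains.
KNOWN_DOMAINS = {"angeelle.nichost.ru"}


def pivot(md5, known=KNOWN_DOMAINS, max_depth=2):
    """Walk hash -> domains -> (IPs, registrant email) -> more domains.
    Returns sorted (domains, ips, dead, new-beyond-known) lists."""
    domains, ips, dead, seen_emails = set(), set(), set(), set()
    queue = deque((d, 1) for d in FILE_REPORTS.get(md5, {}).get("domains", []))
    while queue:
        dom, depth = queue.popleft()
        if dom in domains or dom in dead:
            continue
        rep = DOMAIN_REPORTS.get(dom, {})
        if not rep.get("resolutions"):
            dead.add(dom)      # never resolved: cross it off, don't block it
            continue
        domains.add(dom)
        ips.update(r["ip_address"] for r in rep["resolutions"])
        if depth >= max_depth:
            continue
        for email in rep.get("emails", []):
            if email not in seen_emails:
                seen_emails.add(email)
                for d in EMAIL_REPORTS.get(email, {}).get("domains", []):
                    queue.append((d, depth + 1))
    return (sorted(domains), sorted(ips), sorted(dead),
            sorted(domains - known))
```

Swapping the three dictionaries for live lookups against the ThreatCrowd API gives the same walk over real data; the depth limit keeps the registrant-email pivot from pulling in a registrar's entire unrelated portfolio.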
Here is your malicious domain list for this week.
Figure 6 - Malicious Domain List
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on the technical, all interesting stories and definitely on target.