Next up. A look at Locky Ransomware

Dr. Peter Stephenson
Dr. Peter Stephenson

We've been examining some of the newer - or, at least, most currently prevalent - strains of ransomware.  This time we look at Locky. Locky hit the scene in February of 2016 and it has some similarities to the Dridex Trojan in terms of how it is spread (spam campaigns). Interestingly, it is common for a domain serving Locky to serve several other malwares including Dridex and other ransomware.  Figure 1 shows a Maltego chart of one such site, owlcrypter.com. This domain is associated with TheWebGuy, an actor also known as CrypterOne. Owlcrypter.com's registrant - from OpenDNS and Whois - is memcpy, email is  memcpy09@gmail.com. Looking for related domains, we find

    • owlcrypter.com
    • crypter.one
    • vps-11596.fhnet.fr
    • mail.benzemra.org
    • www.benzemra.org

all of which are hosted by 185.13.37.170, a network in France.

Figure 1 - Malware Associated with Owlcrypter.com

 

Looking up the whois info for Dridex purveyors we also find a network owner in France. However, there is an interesting difference between the two: the number of actual owners of the Dridex botnet are quite limited. That is not the case with Locky.  What that suggests is that one could block a predictable number of domains for Dridex but not for Locky. Unfortunately it is not quite that simple. The Feodo tracker (Feodo is an AKA for Cridex, Dridex and Bugat) shows a rather large number of C & C IPs, although not very many are on line at any particular time. To keep track of Dridex https://feodotracker.abuse.ch is useful. Sadly, there is no such comprehensive tracking site for Locky. For example, AlienVault's Open Threat Exchange (OTX) has 164 IPs and 151 URLs and domains.

Locky usually is spread in spam. Detecting and eliminating spam, then, is a good first line of defense. Four our analysis we are going to borrow from some other bloggers - recall that I tend to avoid re-inventing wheels and if there is a good reversal I tend to us it. The folks at Malwarebytes have done an excellent job of reversing several samples of Locky and their analysis is a pretty good hybrid of those samples, making it a good way to look at the bug.

While Malwarebytes says that Locky is delivered by a downloader in an MS Office doc, more recently we are seeing it in JavaScript attachments which means that anything that could be associated with such an attachment is a possible vector.  While MS docs still are a big risk in this regard - embedded macros are the culprit here - now just about any app or document that runs a JavaScript could be the culprit.

Back to our discussion of Dridex, this is a good time to point out that a lot of the Dridex botnet delivery mechanism is responsible for Locky distribution.  That suggests that the two are products of the same group of malware writers. When we use Maltego to associate Dridex and Locky with domains, we find that both are associated with Ow.ly, Lnkd.in, Buff.ly and Bit.ly.  Each of these domains is explicitly associated with several attack types.  Further investigation of these domains reveals that they are hosting several IPs that explicitly distribute spam, phishing and malware.  There is a lesson here... these are URL shorteners.  That means that the bad guys have taken advantage of them to obfuscate the actual URLs or domains that are spreading their malware.  This makes it a bit harder to protect against.  Some organizations have explicitly forbidden the use of domain name or URL shorteners.  That really is not a lot of help in this case because the user is clicking on them, not creating them.

A good solution is to put the shortened domain or URL into the Open Threat  Intelligence system (https://cymon.io) and see what you get.  We put Ow.ly into CyMon and got a long list of associated IPs.  These are IPs associated with shortened URLs or domains where some form of malicious activity has been reported.  Picking one that is very recent (about an hour before I selected it) we see that it is associated with malware, phishing, malicious activities and it is found in blacklists.  Let's dig a bit deeper.

The IP is 31.220.16.202.  OpenDNS Investigate tells us that it is hosted by a Lithuanian hosting company and is associated with a malicious Spanish domain, mir-animashek.hol.es.  Tracing the whois on this we find that the nameservers are Russian and that OpenDNS is blocking it. If we put this back into CyMon, we find that it is hosting several malicious domains including:

·         omoingvdshd.96.lt

·         service247.zz.mu

·         amchasaaweikolos.esy.es

·         new-info.esy.es

·         zpcsblacdevil.hol.es

·         nmwln.url.ph

·         ebay.com-motors-item-item7nd38.esy.es

·         drive-google-098765dfff03003838.wc.lt

·         www.prn-vid.esy.es

·         amw1.16mb.com

Now we have something we can block.  Remember, though, that blocking these domains does not mean that you've solved the problem.  You will need to do the same exercise with the other domain name shorteners and then remain vigilant going forward.  The bad guys don't stick to a single delivery mechanism.

The Malwarebytes analysis used a sample with a hash of 74dde1905eff75cf3328832988a785de. The payload on this one is a Windows PE (portable executable) and there likely will be several, all with cryptic filenames and all with .exe file extensions. Now it gets a little trickier to spot.  It renames the dropped copy to svchost.exe, a very common process in Windows.  This starts encrypting your files. It hen generates the ransom note in both text and bitmap forms.

To find exactly when the infection occurred and where it was contracted, you need to take a forensic image of the infected computer's damaged disk.  Examining the image in one of the popular computer forensic tools - FTK is my favorite at the moment, although I also like Autopsy, a free tool - you are looking for some specific things. 

First, find the ransom notes and observe the date/time stamps on them.  That will get you in the ball park.  Next, sort files on their date/time stamps and look for executables created at about the time the ransom notes were created.  That will focus you in a bit more. From here it gets a bit intuitive because there is no real consistency with how the executables and droppers were named.  What we do know is that a svchost.exe file was created so we can start there. Going to the registry we can search on "Locky" and we may be able to identify the particular svchost.exe and its location.  We also can find the RSA public key.  If we are lucky, all of this will be in the HKEY_CURRENT_USER\Software\Locky hive key. Correlating these times/dates with sites visited may help you identify the source.  Remember, though, if this spreads to share drives, your difficulty in tracking it down will be increased markedly.

Your best bet is to isolate "patient-zero" if you can and do the forensics. Since returning the system to full functionality always is the primary goal, don't wait to begin restoring from backups (remember that if your backup was taken too close to the infection you may just be restoring the infection).  In cases I've investigated, we pulled the drive out of patient-zero and replaced it, re-imaging the drive to return it to service.  That gave me the time with the infected drive to do the forensics.

At this point I am going to refer you to the Malwarebytes blog for a deeper dive if you are so inclined: https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/. I also highly recommend AlienValut's OTX entry.  This takes off from the Malwarebytes analysis and provides a huge number of indicators of compromise for you. It is at https://otx.alienvault.com/pulse/5713ffca0ebaa4015bf20550/. One project I'm working on is a Stix analysis of the campaign.

That wraps it for this one... here's your Malware Domain list for this time. I'll point out that this is extraordinarily long and does not include over 200 iterations of two particular domains. Before I give you the list, let's take a brief look at three particular sources that appear, in fact, to be the same bad guys.  There are three IPs/domains that are heavily involved in serving the Angler Exploit Kit.

The first is 89.36.212.162. Reverse lookup is host162-212-36-89.static.arubacloud.fr. Even though it appears to be from France, the registrants and the nameservers are in Italy. It shows up in CyMon as malicious and blacklisted.  Note that there are multiple reverse lookups for this IP depending upon which domain/URL it is hosting.

The next is 45.32.153.167. That reverses to 45.32.153.167.vultr.com and is hosted in the US. The final one is 89.36.213.228 and it traces back to the first IP. Looking at the domains hosted by this IP in OpenDNS Investigate we find that most, if not all, are likely created using a domain generation algorithm. These are overwhelmingly reported as malicious. They also are pretty much all using the domain extension ".top" which is a domain registered by the Jiangsu Bangning Science & technology Co. Ltd in China. Likewise the 45.32.153.167 IP has hundreds of domains, all with DGA created names and all also registered to the same organization in China.

While I do not usually recommend blocking IPs, these three should be blocked. In addition, block any domain ending in .top.

Figure 2 - Malware Domain List from http://www.malwaredomainlist.com/

(Click on the chart below to see the full version)


 

So… until next time….

--Dr.S

If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – focused on technical, all interesting stories and definitely on target.

You must be a registered member of SC Magazine to post a comment.
close

Next Article in The Threat Hunter Blog

RECENT COMMENTS

Sign up to our newsletters

FOLLOW US