Threat Management, Malware, Ransomware

Phishing campaigns used victim’s location to determine whether to deliver Locky or Trickbot

Researchers at PhishMe recently detected two email-based phishing campaigns that infected users with either Locky ransomware or the Trickbot banking trojan based on the victim's geographical location – a technique that the company claims is rather uncommon.

According to a company blog post published last week, the first campaign on Sept. 28 was designed to distribute TrickBot to targets in Australia, Belgium, Ireland, Luxembourg, and the UK. All other locations received Locky. This operation was followed by another Trickbot-Locky phishing campaign on Oct. 11, which relied on a malicious script that had recently evolved to include a command-and-control reporting mechanism.

Both campaigns were part of a larger effort to distribute two new variants of Locky known as Ykcol and Asasin, PhishMe Threat Intelligence Manager Brendan Griffin told SC Media. But these two examples stood apart from the other contemporaneous campaigns because of how geography dictated whether the victim received the ransomware or TrickBot instead.

The combination of two threats in one also forces security professionals at multinational organizations to execute different incident response strategies in differently affected regions, the blog post explains.

"By using different tools, attackers open up multiple fronts where network defenders and information security professionals are presented with multiple potential threats to address at the same time," explain post authors and PhishMe threat analysts Neera Desai and Victor Cornell. "Without the help of sufficient context, could create a scenario that puts network defenders at a disadvantage."

In the Sept. 28 campaign, the phishing emails came with an attached .7z archive containing a malicious VBScript application responsible for delivering either Locky or TrickBot. The VBScript would make this determination by first querying three websites "that provide geo-IP services to determine where the target is located," the PhishMe report explains.

The Oct. 11 campaign worked very similarly, with a couple of notable enhancements. For one, the VBScript initiated a POST request to the C&C server, in order to signal a successful infection, as well as to convey the payload URL, Windows Host OS version and a unique identifier number. Also, the VBScript included references to the side-scrolling video game Cobalt. "This was likely an attempt to defeat heuristic scanning of the code," intelligence analyst Chase Sims explains in an Oct. 19 blog post.

A previous PhishMe report described a previous Locky phishing campaign that similarly used Game of Thrones references within the VBScript. 

In a separate report last September, Trend Micro reported on another spam campaign that served up either Locky or FakeGlobe ransomware, based on an ongoing rotation between the two programs.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.