Combining two malware programs into one phishing campaign forces security pros to execute different incident responses in differently affected regions, PhishMe explains.
Combining two malware programs into one phishing campaign forces security pros to execute different incident responses in differently affected regions, PhishMe explains.

Researchers at PhishMe recently detected two email-based phishing campaigns that infected users with either Locky ransomware or the Trickbot banking trojan based on the victim's geographical location – a technique that the company claims is rather uncommon.

According to a company blog post published last week, the first campaign on Sept. 28 was designed to distribute TrickBot to targets in Australia, Belgium, Ireland, Luxembourg, and the UK. All other locations received Locky. This operation was followed by another Trickbot-Locky phishing campaign on Oct. 11, which relied on a malicious script that had recently evolved to include a command-and-control reporting mechanism.

Both campaigns were part of a larger effort to distribute two new variants of Locky known as Ykcol and Asasin, PhishMe Threat Intelligence Manager Brendan Griffin told SC Media. But these two examples stood apart from the other contemporaneous campaigns because of how geography dictated whether the victim received the ransomware or TrickBot instead.

The combination of two threats in one also forces security professionals at multinational organizations to execute different incident response strategies in differently affected regions, the blog post explains.

"By using different tools, attackers open up multiple fronts where network defenders and information security professionals are presented with multiple potential threats to address at the same time," explain post authors and PhishMe threat analysts Neera Desai and Victor Cornell. "Without the help of sufficient context, could create a scenario that puts network defenders at a disadvantage."

In the Sept. 28 campaign, the phishing emails came with an attached .7z archive containing a malicious VBScript application responsible for delivering either Locky or TrickBot. The VBScript would make this determination by first querying three websites "that provide geo-IP services to determine where the target is located," the PhishMe report explains.

The Oct. 11 campaign worked very similarly, with a couple of notable enhancements. For one, the VBScript initiated a POST request to the C&C server, in order to signal a successful infection, as well as to convey the payload URL, Windows Host OS version and a unique identifier number. Also, the VBScript included references to the side-scrolling video game Cobalt. "This was likely an attempt to defeat heuristic scanning of the code," intelligence analyst Chase Sims explains in an Oct. 19 blog post.

A previous PhishMe report described a previous Locky phishing campaign that similarly used Game of Thrones references within the VBScript. 

In a separate report last September, Trend Micro reported on another spam campaign that served up either Locky or FakeGlobe ransomware, based on an ongoing rotation between the two programs.