CryptoLocker (Locky) served in the same way as Dridex.

Yesterday evening I realized that I had an interesting e-mail (with an attachment) in my personal mailbox.


File information:

The attachment: invoice_J-30151039.doc (MD5: 1cd1703ed73d8ebfbf17e361768710c8)

The mail content:

----------------------------------------------------------------------------------.
Dear XXXXX,
Please see the attached invoice (Microsoft Word Document) and remit payment
according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
Gavin Holt
Genuine Parts Company www.genpt.com
 ----------------------------------------------------------------------------------.

The header:

----------------------------------------------------------------------------------.
Return-Path: <HoltGavin4939@kard-stroy.ru>
Received: by o2.pl (o2.pl mailsystem) with LMTP;
Tue, 16 Feb 2016 17:03:48 +0100
Received: from host162.190-30-228.telecom.net.ar [190.30.228.162]
by mx6.o2.pl with ESMTP id pIUhnx;
Tue, 16 Feb 2016 17:01:00 +0100
Received-SPF: none (mx6.o2.pl: domain of HoltGavin4939@kard-stroy.ru
does not designate permitted sender hosts)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_158192296076524028743"
Date: Tue, 16 Feb 2016 13:00:59 -0300
From: Gavin Holt <HoltGavin4939@kard-stroy.ru>
----------------------------------------------------------------------------------.
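The header above already carries the signals a mail gateway could act on: the SPF result is "none", the submitting host (an Argentinian telecom customer) is nowhere near the sender's .ru domain, and the Date: offset (-0300) matches the relay rather than the claimed sender. The following is an added example, not part of the original post, that parses that header (re-folded so the standard library accepts it) and turns those observations into triage tags; the tag names, thresholds and helper functions are my own choices.

```python
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header quoted in the post, with the continuation
# lines re-folded (leading space) so that a standards-compliant parser accepts it.
SAMPLE_HEADER = """\
Return-Path: <HoltGavin4939@kard-stroy.ru>
Received: by o2.pl (o2.pl mailsystem) with LMTP;
 Tue, 16 Feb 2016 17:03:48 +0100
Received: from host162.190-30-228.telecom.net.ar [190.30.228.162]
 by mx6.o2.pl with ESMTP id pIUhnx;
 Tue, 16 Feb 2016 17:01:00 +0100
Received-SPF: none (mx6.o2.pl: domain of HoltGavin4939@kard-stroy.ru
 does not designate permitted sender hosts)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_158192296076524028743"
Date: Tue, 16 Feb 2016 13:00:59 -0300
From: Gavin Holt <HoltGavin4939@kard-stroy.ru>

"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)


def parse_headers(raw):
    """Parse only the header block; the body is not needed for triage."""
    return HeaderParser(policy=policy.default).parsestr(raw)


def received_hops(msg):
    """Return the 'from host [ip]' hops, earliest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()
        m = RECEIVED_FROM.match(text)
        if m:
            stamp = text.rsplit(";", 1)[1].strip()
            hops.append({"host": m.group(1), "ip": m.group(2),
                         "time": parsedate_to_datetime(stamp)})
    hops.reverse()  # Received headers are prepended, so the last one is the first hop
    return hops


def spf_result(msg):
    """First token of Received-SPF ('none', 'pass', 'fail', ...) or 'missing'."""
    value = msg.get("Received-SPF")
    return str(value).split()[0].lower() if value else "missing"


def transit_delay_seconds(raw):
    """Seconds between the claimed Date: and the first relay's receipt (timezone-aware)."""
    msg = parse_headers(raw)
    hops = received_hops(msg)
    sent = parsedate_to_datetime(str(msg["Date"]))
    return int((hops[0]["time"] - sent).total_seconds())


def triage(raw):
    """Return a list of finding tags a mail gateway could act on (tag names are my own)."""
    msg = parse_headers(raw)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    sender_domain = from_addr.rpartition("@")[2].lower()

    spf = spf_result(msg)
    if spf != "pass":
        findings.append(f"spf:{spf}")

    hops = received_hops(msg)
    if hops and not hops[0]["host"].lower().endswith(sender_domain):
        # The submitting host is not inside the sender's own domain.
        findings.append(f"submitting-host-outside-sender-domain:{hops[0]['host']}")

    if return_path and return_path.lower() != from_addr.lower():
        findings.append("return-path-mismatch")

    delay = transit_delay_seconds(raw)
    if abs(delay) > 600:   # arbitrary threshold: more than ten minutes of skew is worth a look
        findings.append(f"date-skew:{delay}s")
    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE_HEADER):
        print(tag)
```

On this header the script reports spf:none and the out-of-domain submitting host; the Date: and first-hop timestamps agree to within a second, so no skew tag is raised. The domain test is deliberately naive (a suffix match), which is enough to flag this message but would need a public-suffix list before production use.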


Research: (Short analysis, due to lack of time)

  • The macro project was not even password protected …
  • oletools-0.42.1 and oledump_V0_0_22 were unable to decode any URL.
  • As usual, the malicious code starts from the autoopen() sub (run when the Word document is opened).
  • The CallByName function, which I hadn’t seen before, is used for obfuscation.

“The CallByName function provides Visual Basic 6.0 with the ability to call a property or method of an object using a string at run-time”
Ref: https://support.microsoft.com/en-us/kb/186143

  • UserForm1 has only one control, Label1, and its Caption contains the object names and parameters used during code execution. From this information alone the macro’s purpose can be easily predicted (it’s a downloader).

Label1.Caption:

Microsoft.XMLHTTP/Adodb.Stream/Shell.Application/WScript.Shell/Process/GET/TEMP/Type/Open/write/responseBody/savetofile/\ladybi.txt

The label’s text is split on “/” and saved into the public array variable DrinkSun, which is then used to drive the code…
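The interesting point for detection is that the strings which give the macro away never appear as string literals in the code: they sit in a form control and are only turned into object and method names at run time via Split() and CallByName. The script below is an added example, not the post’s own tooling: given the VBA source text and the form captions (in practice the output of a macro extractor such as olevba), it finds the AutoOpen trigger, counts CallByName calls, rebuilds the array the macro would build from the caption, and maps the well-known ProgIDs and members to capabilities. The VBA skeleton is constructed for the example with a placeholder instead of a URL, and the ProgID-to-capability table is general COM knowledge, not something the post states.

```python
import re

# Constructed sample: a skeleton in the style the post describes (a Split() of a
# form-control caption feeding CallByName), with a placeholder instead of a URL.
# It is not the macro from the attachment.
SAMPLE_VBA = '''\
Public DrinkSun() As String

Sub autoopen()
    DrinkSun = Split(UserForm1.Label1.Caption, "/")
    Dim target As Object
    Set target = CreateObject(DrinkSun(0))
    CallByName target, DrinkSun(8), VbMethod, DrinkSun(5), "<url-placeholder>", False
End Sub
'''

# Constructed sample: the caption text exactly as quoted in the post.
SAMPLE_CAPTIONS = {
    "UserForm1.Label1": r"Microsoft.XMLHTTP/Adodb.Stream/Shell.Application/WScript.Shell/Process/GET/TEMP/Type/Open/write/responseBody/savetofile/\ladybi.txt",
}

TRIGGERS = re.compile(r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\s*\(", re.I)
CALLBYNAME = re.compile(r"\bCallByName\b", re.I)
# Split(<control>.Caption, "<delimiter>")
SPLIT_CAPTION = re.compile(r'\bSplit\s*\(\s*([\w.]+)\.Caption\s*,\s*"([^"]+)"\s*\)', re.I)

# What each well-known ProgID / member implies (general COM knowledge, not from the post).
CAPABILITIES = {
    "microsoft.xmlhttp": "http-client",
    "msxml2.xmlhttp": "http-client",
    "msxml2.serverxmlhttp": "http-client",
    "responsebody": "http-client",
    "adodb.stream": "file-write",
    "savetofile": "file-write",
    "shell.application": "process-execution",
    "wscript.shell": "process-execution",
}


def analyze(vba_source, captions):
    """Static indicators for a CallByName-driven macro whose strings live in a form caption."""
    report = {
        "triggers": [m.group(1) for m in TRIGGERS.finditer(vba_source)],
        "callbyname_calls": len(CALLBYNAME.findall(vba_source)),
        "split_sources": [],
        "tokens": [],
        "capabilities": set(),
    }
    for m in SPLIT_CAPTION.finditer(vba_source):
        control, delimiter = m.group(1), m.group(2)
        report["split_sources"].append(control)
        caption = captions.get(control)
        if caption is None:
            continue
        tokens = caption.split(delimiter)   # rebuild the array the macro builds at run time
        report["tokens"] = tokens
        for token in tokens:
            capability = CAPABILITIES.get(token.lower())
            if capability:
                report["capabilities"].add(capability)
    downloader = {"http-client", "file-write"} <= report["capabilities"]
    if report["triggers"] and downloader and report["callbyname_calls"]:
        report["verdict"] = "likely-downloader"
    elif report["triggers"] and report["callbyname_calls"]:
        report["verdict"] = "suspicious-dynamic-dispatch"
    else:
        report["verdict"] = "no-indicators"
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA, SAMPLE_CAPTIONS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the thirteen caption tokens yield the http-client, file-write and process-execution capabilities, and the combination of an auto-start trigger, CallByName and those capabilities gives the “likely-downloader” verdict, which is exactly the prediction the post makes from the caption alone.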

  • Direct download of the exe failed … the file was not available anymore. (Directory browsing of the server did not reveal any additional samples.)
Not Found
 The requested URL /34gf5y/r34f3345g.exe was not found on this server.
  • Manual research of dropped samples on the Internet:


Samples found by name on Hybrid Analysis:
.text, .rdata and .data have the same MD5 hash; only the .rsrc section differs across samples. (This likely means that the malware’s functionality or obfuscation is accomplished by modifying the file’s resources.)

Samples found by name on malwr … indicate that it’s possibly Trojan.Cryptolocker.AF (Locky).
All samples drop _Locky_recover_instructions.txt etc. 😉
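Comparing per-section hashes is a quick way to confirm the observation above across a set of samples. The following is an added example, not from the post: a minimal section-table walker that hashes each section’s raw bytes and reports which sections differ between two files. The two “samples” are constructed in the block itself (a PE-shaped byte string that shares .text/.rdata/.data and differs only in .rsrc); real samples would be read from disk instead.

```python
import hashlib
import struct

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def build_minimal_pe(sections):
    """Construct a minimal PE-shaped file (DOS stub, PE signature, COFF header,
    empty optional header, section table, raw section data). Test fixture only;
    it is not loadable, just enough for the section-table walk below."""
    header_len = 64 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, raw, offset = b"", b"", header_len
    for name, data in sections:
        table += struct.pack(SECTION_HEADER, name.encode("ascii"), len(data), 0x1000,
                             len(data), offset, 0, 0, 0, 0, 0x40000040)
        raw += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + raw


def section_hashes(pe):
    """Map section name -> MD5 of its raw bytes, by walking the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_header_size
    hashes = {}
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]                  # SizeOfRawData, PointerToRawData
        hashes[name] = hashlib.md5(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes


def diff_sections(pe_a, pe_b):
    """Return (unchanged, changed) section-name lists between two samples."""
    ha, hb = section_hashes(pe_a), section_hashes(pe_b)
    shared = [n for n in ha if n in hb]
    unchanged = [n for n in shared if ha[n] == hb[n]]
    changed = [n for n in shared if ha[n] != hb[n]]
    return unchanged, changed


# Constructed samples: identical code/data, different resources (the pattern the post observed).
COMMON = [(".text", b"\x55\x8b\xec" * 64), (".rdata", b"R" * 128), (".data", b"D" * 64)]
SAMPLE_A = build_minimal_pe(COMMON + [(".rsrc", b"resource-blob-A" * 8)])
SAMPLE_B = build_minimal_pe(COMMON + [(".rsrc", b"resource-blob-B" * 8)])

if __name__ == "__main__":
    unchanged, changed = diff_sections(SAMPLE_A, SAMPLE_B)
    print("unchanged:", unchanged)
    print("changed:  ", changed)
```

Because the walker hashes the raw file bytes of each section (not the mapped image), its output is directly comparable with the per-section hashes a sandbox report lists; a family whose members differ only in .rsrc will show up as a stable .text hash across many file-level hashes.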

  • Sample r34f3345g.exe can be downloaded from:


(MD5: cbe75061eb46adabc434ead22f85b36e)
https://malwr.com/analysis/MmQ2MDE0NmNlYmQxNGZkNzk0OTBkNzYzNmQxZmY3YTA/
https://www.hybrid-analysis.com/sample/c866dcfa95c50443ed5e0b4d2c0b63c1443ad330cb7d384370a244c6f58ce8a5?environmentId=1

(MD5: 1fd40a253bab50aed41c285e982fca9c)
https://malwr.com/analysis/MjhjNWJmNmQ2MmVlNDJlNmEwMjlkMjFiZjc1ZDJmZDQ/
https://www.hybrid-analysis.com/sample/78e9558a9762cf778a3ba9ba61e0ec73e8d81c22d0945e56ea75d197c512883a?environmentId=1

(MD5: b06d9dd17c69ed2ae75d9e40b2631b42)

https://malwr.com/analysis/ZmFlNjc0ZDhmZjY0NGU0ZGE3NjgwOGE2ZTMyZmIzNTA/
https://www.hybrid-analysis.com/sample/bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3?environmentId=1

(MD5: fb6ca1cd232151d667f6cd2484fee8c8)
https://malwr.com/analysis/MzY2ZjhiNDQ2Zjk0NDk3Mjk1MGFiM2I2NDMwNmNiMWI/
https://www.hybrid-analysis.com/sample/17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2?environmentId=1

Final note:

Dropped samples will be analyzed when time allows … I would like to understand why modifying only the .rsrc section is enough to bypass heuristic detection (in some cases).
I did some quick research on the Internet, and it’s really surprising that this type of malware is hitting so many users, companies, hospitals, etc.

The remedy for corporations would be to block such attachments directly on the mail server or on another security appliance (and additionally block documents whose content does not match the document’s extension, etc.).

…but still, if you have an untrained user who is allowed to browse his personal mailbox over HTTPS, the only thing you can do is harden the endpoint and use application-control rules (e.g. prevent MS Word from creating executables, etc.).
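The gateway rule suggested above (“block documents with content not matching the document’s extension”) is cheap to implement because the containers involved all have fixed magic bytes. The block below is an added example, not the post’s own code: it identifies an attachment by its leading bytes, and for OOXML also looks inside the ZIP for a vbaProject.bin part, then returns a gateway decision. The policy encoded in gate() (executables and macro-enabled OOXML are blocked outright, legacy OLE2 documents are handed to a VBA scanner because magic bytes alone cannot reveal macros in them) is my own choice, and every sample attachment is constructed placeholder bytes, not the real invoice_J-30151039.doc.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/...) container
PE_MAGIC = b"MZ"                                   # Windows executable

# Declared type by extension (what the filename claims).
DECLARED = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "ooxml", ".docm": "ooxml", ".xlsx": "ooxml", ".xlsm": "ooxml",
    ".exe": "pe", ".scr": "pe", ".pdf": "pdf", ".txt": "text",
}


def actual_kind(data):
    """Identify the container by magic bytes, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-macro"          # macro-enabled Office document
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def gate(filename, data):
    """Mail-gateway decision for one attachment: 'block', 'macro-scan' or 'allow' (policy is my own)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = DECLARED.get(ext, "unknown")
    actual = actual_kind(data)
    if actual in ("pe", "ooxml-macro"):
        return "block"        # executables and macro-enabled OOXML never pass, whatever the name says
    if actual == "ole2" and declared in ("ole2", "unknown"):
        return "macro-scan"   # legacy container: magic bytes cannot reveal macros, hand it to a VBA scanner
    if actual == "unknown":
        return "allow"        # no recognised container; leave it to the AV layer
    if declared != actual:
        return "block"        # content does not match the extension
    return "allow"


def _constructed_ooxml(with_macro):
    """Build a tiny OOXML-shaped ZIP in memory (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not the real attachment).
SAMPLES = {
    "invoice_J-30151039.doc": OLE2_MAGIC + b"\x00" * 504,   # legacy .doc -> needs a macro scan
    "invoice.doc": PE_MAGIC + b"\x90" * 62,                  # renamed executable -> block
    "invoice.docm": _constructed_ooxml(with_macro=True),    # macro-enabled -> block
    "invoice.docx": _constructed_ooxml(with_macro=False),   # plain OOXML -> allow
    "notes.txt": b"plain text",                              # nothing recognised -> allow
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:28s} {actual_kind(data):12s} -> {gate(name, data)}")
```

The attachment from this post would land in the “macro-scan” bucket: a genuine OLE2 container named .doc, which is exactly the case where a magic-byte check is not enough and the VBA project itself has to be inspected (olevba or oledump, as used above) before delivery.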


Disclaimer:

All opinions and rants expressed are solely my own and do not express the views or opinions of my employer.
All content and data is my own and does not represent work I have done for my employer.