220.127.116.11 – imex.atspace.com – GET /sxqtddp?VlwYKkCOYvI=axCugUhsM
18.104.22.168 – archiviestoria.it – GET /waotorf?VlwYKkCOYvI=axCugUhsM
22.214.171.124 – tlehsdy.biz – POST /data/info.php
File name: xVTvTcaaG1
File name: xVTvTcaaG2
File name: xVTvTcaaG2.dll
The infection starts with a user getting malspam. This email is coming from a iCloud account and it contains a zipped Windows Script File (.wsf):
A couple months back the threat actors behind this campaign started using zipped Windows Script Files. Windows Script Files allow them to mix multiple languages (JScript, VBScript, etc.) within a single XML formatted file. This file format allowed them to easily repackage their existing JScript code into a .wsf container .
Once the .wsf is executed the code retrieves Locky from distribution sites.
The .WSF Code:
There is a lot to unpack when looking at the code (which I am dubbing “chikabombomchika” since it sounds funny and because it’s being used everywhere for obfuscation), however, if we look at the code we can see how the HTTP requests are generated.
The following two pictures are unedited. They show the original encoding and obfuscation techniques used by the criminals:
After decoding and deobfuscating some of the code we are left with something like this:
All strings proceeding the identifier called “tiiimayooo” will be decoded from base64. All strings matching “HROMOSOM” are removed during decoding.
Here is what the code looks like when it’s partially de-obfuscated and decoded:
The code appends both “http://” and “?VlwYKkCOYvI=axCugUhsM” to complete the full URL.
You can also see var HORDA17 = “xVTvTcaaG”. That string represents the filename downloaded by the host.
Just to double check I looked at the traffic in Wireshark and it matches:
The second domain in the array (www.archiviestoria[.]it) returned the file xVTvTcaaG2 and then appended the file with .dll creating xVTvTcaaG2.dll.
My coworker ended up doing an awesome job fully decoding, deciphering and de-obfuscating the code. He also added some very helpful annotations. Here is a snippet of his work:
Once the .wsf has been executed and the GET requests are generated you will notice the files appearing in the user’s %TEMP%:
After infection I captured POST requests to tlehsdy.biz/data/info.php, which is resolving to 126.96.36.199.
Files are encrypted, renamed and appended with .zepto. Ransom notes then begin to drop and open in the usual locations: