“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple of days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, the email body is empty. This is very similar to other ransomware distribution campaigns delivering GlobeImposter ransomware.

[Image: the malspam email (edited)]

The attached .ZIP file contained a malicious VBS script being used as a downloader. Click HERE to view a Pastebin of the script.

[Image: the VBS downloader script]

Once the script is executed, the host will attempt to download the Locky payload from remote locations, which can be seen in the script.

[Image: snippet of the script’s download code]

A full list of download locations was posted on VirusTotal by the user coldshell:


The User-Agent to be used during the GET request is found within the code:

[Image: User-Agent string in the script]

The GET request:

[Image: GET request]

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0

As Lawrence Abrams from BleepingComputer explains, “Once the file is downloaded and executed, it will scan the computer for files and encrypt them. When this Locky variant encrypts a file it will modify the file name and then append the .lukitus. When renaming the file, it uses the format [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus.”

[Image: encrypted files]

The executable that was dropped into %Temp% is deleted after Locky has finished encrypting the user’s files.

[Image: %Temp% directory]

Then, the user will see ransom notes called lukitus.htm and lukitus.bmp on their Desktop.

[Image: ransom note]

[Image: desktop]

Network traffic shows the infected host making POST requests to IP-literal hostnames (bare IP addresses rather than domain names). The POST requests went to 146.120.110.46, and the URI was /imageload.cgi.

[Image: HTTP traffic]

The Reverse.it report also shows more POST requests to 46.183.165.45/imageload.cgi. The Emerging Threats (ET) rule triggered by this traffic is “ET TROJAN Locky CnC checkin”.
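The two host-side and network-side indicators described above (the 8-4-4-4-12 hex rename with the .lukitus extension plus the lukitus.htm/lukitus.bmp notes, and POST requests to /imageload.cgi on IP-literal hosts) can be turned into simple checks. The following is an added example, not code from the original post; the proxy-log line format and the sample lines are constructed.

```python
"""Defender-side checks for the Locky/.lukitus indicators from the post.
Added example; the log format and sample lines below are constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Encrypted-file name format quoted from BleepingComputer in the post:
# 8-4-4-4-12 hexadecimal characters, then the .lukitus extension.
LUKITUS_NAME = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\.lukitus$"
)
RANSOM_NOTES = {"lukitus.htm", "lukitus.bmp"}   # dropped on the Desktop
C2_URI = "/imageload.cgi"                       # URI of the POST check-ins
C2_IPS = {"146.120.110.46", "46.183.165.45"}    # IPs named in the post

def is_lukitus_name(filename: str) -> bool:
    """True for a file renamed in the Locky .lukitus format, or a ransom note."""
    return filename.lower() in RANSOM_NOTES or bool(LUKITUS_NAME.match(filename))

def is_ip_literal(host: str) -> bool:
    """The check-ins went to bare IP addresses rather than domain names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

# Hypothetical proxy-log format: "<method> <url> <status>"
LOG_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def classify_log_line(line: str) -> Optional[str]:
    """Return a verdict for a line matching the C2 pattern, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = url.hostname or ""
    if m["method"] == "POST" and url.path == C2_URI and is_ip_literal(host):
        tag = "known Locky C2 IP" if host in C2_IPS else "IP-literal host"
        return f"locky-checkin ({tag}): {host}"
    return None

SAMPLE_LOG = [  # constructed lines, not captured traffic
    "GET http://www.example.com/index.html 200",
    "POST http://146.120.110.46/imageload.cgi 200",
    "POST http://203.0.113.9/imageload.cgi 404",
    "POST http://example.org/imageload.cgi 200",
]

def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each flagged log line with its verdict."""
    return [(ln, v) for ln in lines if (v := classify_log_line(ln))]
```

Running `scan_log(SAMPLE_LOG)` flags the two POSTs to IP-literal hosts and ignores the POST to a domain name, matching the behaviour the ET rule keys on.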

Hashes:

SHA256: be2c02d91b3878d80d5341efc875d954acb876e157dee64ba1a96ca1ac63a4e7
File name: 618385655.vbs
Reverse.it report

SHA256: 4a532b1ae572e708aed8efc2acfb9a056b5140b8e1dbf6c7a9a79be4cef8a141
File name: uEGvTvQ.exe
Reverse.it report

Until next time!

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
