Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns

By Julie Cabuhat, Michael Casayuran, Anthony Melgarejo

In the beginning of September, a sizeable spam campaign was detected distributing the latest Locky variant. Locky is a notorious ransomware that was first detected in the early months of 2016 and has continued to evolve and spread through different methods, particularly spam mail. A thorough look at samples from recent campaigns shows that cybercriminals are using sophisticated distribution methods, affecting users in more than 70 countries.

In the specific campaigns discussed below, both Locky and the ransomware FakeGlobe were being distributed—but the two were rotated. The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.

Worldwide distribution and spam campaign analysis

Figure 1. Distribution of initial spam campaign

Figure 2. An example of the spam messages

This sample largely affected users in Japan, China, and the US; 45% of the spam was sent to over 70 other countries. Collectively, we blocked as many as 298,000 spam emails, and distribution peaked at 10 AM (UTC +4) on September 4, 2017.

Figure 3. Distribution of second spam campaign

Figure 4. An example of the second spam messages

This sample affected mostly users in Japan, China, and the US; 46% of the spam was sent to over 70 other countries. Distribution peaked at 4 PM (UTC +4) on September 4, 2017, and collectively we were able to block 284,000 spam emails.

The distribution time is typical of spam campaigns, coinciding with regular work hours when more users are likely to check their emails. Based on the timeline, affected countries, and similarities of the email, we can assume that the same source sent these two samples.

We tracked the sender IPs of this spam wave and found that most were from India, Vietnam, and Iran. A total of 185 different countries were involved in spreading these two samples, which gives us an idea of the distribution channel’s size.

Spam pushes rotating ransomware

The spam emails have a link and attachment (now a .7z or 7-zip instead of .zip), both disguised as legitimate invoices or bills targeting the user. The script inside the archive downloaded from the link and the one in the attachment are similar, but they connect to different URLs for their download attempts.

The script downloaded from the link in the email body contains the following URLs:

geolearner[.]com/JIKJHgft?
naturofind[.]org/p66/JIKJHgft
cabbiemail[.]com/JIKJHgft?

In comparison, the one in the attachment leads to the following URLs:

m-tensou[.]net/JIKJHgft?
naturofind[.]org/p66/JIKJHgft

While analyzing the scripts, we noted that they downloaded two different binaries. One script connecting to geolearner[.]com/JIKJHgft? downloaded a .lukitus variant of Locky with an affiliate ID of “3”. The affiliate ID and the victim ID are sent to Locky’s CnC servers, allowing the threat actors to determine how to distribute ransom payments.

Figure 5. Locky wallpaper and ransom note

Figure 6. Locky payment page

The second script, which connects to m-tensou[.]net/JIKJHgft?, downloads the FakeGlobe or “Globe Imposter” ransomware. FakeGlobe surfaced June of this year, also using fake invoices as a lure. It appends the .txt extension to the names of the encrypted files and features a support page that can help victims pay.

Figure 7. FakeGlobe ransom note

Figure 8. FakeGlobe support pages

After a few hours, we tried downloading from m-tensou[.]net/JIKJHgft? again and found that the file changed from FakeGlobe to Locky. This shows that the files downloaded from these URLs are being rotated.

Other campaigns push FakeGlobe and Locky

Reports detail another spam campaign also trying to distribute both Locky and FakeGlobe on August 30. Similar to the previous campaign discussed above, it only distributed Locky at first but adopted FakeGlobe soon after. The new wave pushing both ransomware was seen on September 5.

Figure 9. Spam sample pushing Locky and FakeGlobe

This spam campaign has a DOC file attachment with a malicious macro—a typical and widely-used tactic to trick the user into enabling macros, which are disabled by default.

Figure 10. Content of the DOC file that tricks users to enable macros

This downloader leverages the Auto Close VBA Macro. When the victim closes the DOC file, the macro will execute.

The DOC files we gathered connect to the following download URLs:

hxxp://qolseaboomdog[.]top/support[.]php?f=1
hxxp://newhostrcm[.]top/admin[.]php?f=1

During first analysis, they downloaded the .lukitus variant of Locky with affiliate ID “24”. Then we tried changing the parameter of f in the URL from 1 to 2:

hxxp://qolseaboomdog[.]top/support[.]php?f=2
hxxp://newhostrcm[.]top/admin[.]php?f=2

This time, it downloaded FakeGlobe. This variant appends .911 extension to the encrypted file names and drops !SOS!.html as a ransom note.

After a few hours, both parameters (f=1 and f-2) switched to pushing Locky, a behavior that was also observed on the other spam campaign. The next day, it was FakeGlobe’s turn to be downloaded through both parameters. We also discovered that support.php and admin.php are interchangeable.

Solutions and recommendations

This is not the first time we’ve seen download URLs serving different malware in rotation. However, typically the malware were different types, pairing information stealers and banking Trojans with ransomware. Now we see that cybercriminals are simply doubling up on ransomware, which is quite dangerous for users. Since Locky and FakeGlobe are being pushed alternately, files can be re-encrypted with a different ransomware. Victims will have to pay twice or worse, lose their data permanently.

Ransomware is a constantly evolving threat, but enterprises and end users can follow a set of best practices to improve their defense against ransomware.

Enterprises can benefit from a multi-layered, step-by-step approach to best mitigate the risks brought by spam mail. Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Also at the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat.

To combat the threat presented by Locky and FakeGlobe ransomware, Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud. For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware. For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

All solutions are powered by XGen™ security which provides a cross-generational blend of threat defense techniques and a connected threat defense that can protect your organization from unseen threats.

Related hashes:

VBScript files (downloaders) detected as VBS_NEMUCOD.ELDSAUO