The new Locky ransomware has been making big headlines
recently due to its reported links to the Dridex botnet. This week, the team at
Wapack Labs took a closer look at a unique malicious macro that has been
downloading Locky payloads for the past couple of days.
Similar to Dridex, the macro is delivered via large-scale
phishing attacks and is embedded in Microsoft Excel documents. The good news
is that the macro will not launch when the host document is rendered; it requires
user interaction in order to enable it.
All macro malware will either launch embedded files or
download remote files. Variants that download malware have become increasingly
popular as they trigger less static detections. Typically the download URLs
that are embedded in these macros are obfuscated so as to make detection and
analysis more difficult. Fortunately, these URL obfuscation tactics are often rudimentary
and they also present unique artifacts for malware identification.
The Locky macro is no different. Close to 300 specimens were
identified and every one makes use of the same simple URL obfuscation. This
method is characterized by ASCII character codes which are delimited with |1.
The following is an example observed in strings:
After
removing the |1 delimiter and converting the remaining ASCII codes, we are left
with the download URL which consists of a compromised website. Despite identifying hundreds of recent
specimens in the past two days, only 17 distinct URL download sites were identified
– all delivering the same payload.
meow://organichorsesupplements.co.uk/system/logs/7647gd7b43f43[.]exe
meow://vipkalyan.com.ua/system/logs/7647gd7b43f43[.]exe
meow://sekiedge.co.uk/system/logs/7647gd7b43f43[.]exe
meow://tramviet.vn/system/logs/7647gd7b43f43[.]exe
meow://jurisdocs.3forcom.net/system/logs/7647gd7b43f43[.]exe
meow://shop.zoomyoo.com/image/templates/7647gd7b43f43[.]exe
meow://kaminus.com.ua/admin/view/7647gd7b43f43[.]exe
meow://cms.insviluppo.net/images/slides/7647gd7b43f43[.]exe
meow://sugarhouse928.com.my/system/logs/7647gd7b43f43[.]exe
meow://ramevent.ru/system/logs/7647gd7b43f43[.]exe
meow://merichome.com/system/logs/7647gd7b43f43[.]exe
meow://alkofuror.com/system/engine/7647gd7b43f43[.]exe
meow://tutikutyu.hu/system/logs/7647gd7b43f43[.]exe
meow://mppl.ca/system/logs/7647gd7b43f43[.]exe
meow://remont-krovlia.ru/system/cache/7647gd7b43f43[.]exe
meow://neways-eurasia.com.ua/system/logs/7647gd7b43f43[.]exe
meow://acilkiyafetgulertekstil.com/system/logs/7647gd7b43f43[.]exe
All observed file names use the same naming convention, which
consists of the prefix “Rechnung”, German for bill, followed by randomized hex
ASCII. Examples:
Rechnung-FF8-16909.xls
Rechnung-649-748599.xls
Rechnung-784-074688.xls
Rechnung-56BE-68985.xls
Rechnung-AA-62891.xls
Rechnung-674-80222.xls
Among all of these Locky macros, there was no consistent AV
detection ratio. Some had zero detection while others were detected by over 20 vendors.
Nevertheless, a large number had poor detection: more than 40% were detected by
fewer than 10 AV vendors. Unfortunately, this poor AV detection is typical of
macro malware as a whole and explains the popularity of this tactic.
We suspect that we haven’t seen the last of Locky and that
more of these will be popping up in the near future. Happy hunting and stay
vigilant!
Analyst Resources:
The following python code may be used to de-obfuscate the
Locky macro URLs:
url = ('1104|1116|1116|1112|1058|1047|1047|1110|1101|1119|1097|1121|1115|1045|1101|1117|1114|'
       '1097|1115|1105|1097|1046|1099|1111|1109|1046|1117|1097|1047|1115|1121|1115|1116|1101|'
       '1109|1047|1108|1111|1103|1115|1047|1055|1054|1052|1055|1103|1100|1055|1098|1052|1051|1102|'
       '1052|1051|1046|1101|1120|1101')
url = url[1:]                 # drop the leading '1' of the first character code
url = url.split('|1')         # the remaining codes are delimited with '|1'
url_int = []
for u in url:
    url_int.append(int(u))    # each piece is a decimal ASCII character code
decoded_url = ''.join(chr(i) for i in url_int)
print(decoded_url)            # prints the plain-text download URL (one of the sites listed above)
The following yara rule will detect files that leverage the
URL obfuscation observed in the Locky macro downloaders:
rule Locky_URL_Encoding
{
    meta:
        description = "Detects unique URL obfuscation seen in Locky macro downloaders"
        author = "Chris Hall (chall@wapacklabs.com)"
    strings:
        $http = "1104|1116|1116|1112"
        $exe = "|1046|1101|1120|1101"
    condition:
        all of them
}
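As an added example (not Wapack Labs' code), the following Python scanner ties the decoder and the yara rule together: it applies the rule's two-marker logic to arbitrary text, then finds every run of the |-delimited character codes in that text (for instance the strings output of a macro dump) and decodes each run, keeping only results that look like a URL so that unrelated numeric runs are discarded. The sample macro text, the example.invalid host and the 8-code minimum run length are constructed assumptions for the demonstration.

```python
import re

# Markers used by the Locky_URL_Encoding yara rule: "http" and ".exe" as they
# appear under the scheme (each ASCII code written as "1" + three digits).
YARA_HTTP = "1104|1116|1116|1112"
YARA_EXE = "|1046|1101|1120|1101"

# A run of at least 8 codes of the form 1ddd joined with "|". The minimum length
# is an assumption chosen to skip short numeric runs in unrelated data.
ENCODED_RUN = re.compile(r"(?<!\d)1\d{3}(?:\|1\d{3}){7,}(?!\d)")


def matches_locky_rule(text: str) -> bool:
    """Same logic as the yara rule: both markers must be present."""
    return YARA_HTTP in text and YARA_EXE in text


def decode_locky_url(blob: str) -> str:
    """Drop the leading '1' of every code and convert the rest to characters."""
    return "".join(chr(int(code[1:])) for code in blob.split("|"))


def is_plausible_url(s: str) -> bool:
    """Filter decoded runs that are not actually URLs (e.g. control characters)."""
    return s.isprintable() and " " not in s and s.startswith(("http://", "https://", "ftp://"))


def extract_urls(text: str) -> list:
    """Return every decoded download URL found in text, in order of appearance."""
    found = []
    for match in ENCODED_RUN.finditer(text):
        decoded = decode_locky_url(match.group(0))
        if is_plausible_url(decoded):
            found.append(decoded)
    return found


# Constructed sample resembling the strings of a macro dump. The encoded value
# decodes to http://example.invalid/system/logs/7647gd7b43f43.exe (hypothetical
# host); the second numeric run is noise that must not be reported.
SAMPLE_STRINGS = """\
Sub Auto_Open()
Dim q As String
q = "1104|1116|1116|1112|1058|1047|1047|1101|1120|1097|1109|1112|1108|1101|1046|1105|1110|1118|1097|1108|1105|1100|1047|1115|1121|1115|1116|1101|1109|1047|1108|1111|1103|1115|1047|1055|1054|1052|1055|1103|1100|1055|1098|1052|1051|1102|1052|1051|1046|1101|1120|1101"
x = "1001|1002|1003|1004|1005|1006|1007|1008|1009"
End Sub
"""

if __name__ == "__main__":
    print("yara-equivalent match:", matches_locky_rule(SAMPLE_STRINGS))
    for url in extract_urls(SAMPLE_STRINGS):
        print("decoded download URL:", url)
```

The regex-based extraction is stricter than the yara rule on purpose: the rule is cheap to run at scale and flags the family, while the scanner produces the actual indicator (the download site) for blocking or hunting, and the plausibility check keeps coincidental numeric runs out of the results.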