Wednesday, 11 October 2017

Locky based Downloader adds a Geo IP Check

In the ongoing Locky spam campaign, the attackers have made a small upgrade to the delivery mechanism: the VBScript-based downloaders now perform a Geo IP check. Depending on the geographical region in which the user is located, the downloader fetches either Locky or Trickbot.

Below are some technical details:

MD5 hash: 6e2692c124a69566838cde01b7669532

In Figure 1, we can see the Geo IP check performed.

Figure 1

It connects to one of the following sites to fetch, in JSON format, information about the user's geographical location:

Once it obtains this information, it checks whether the country code matches any of the following:

"GB", "UK", "AU", "LU", "BE", "IE"

The above country codes and their corresponding countries are:

GB - United Kingdom
UK - United Kingdom
AU - Australia
LU - Luxembourg
BE - Belgium
IE - Ireland

If the country code matches any of the above, then it will download Trickbot instead of Locky.

There are separate sets of download URLs for Locky and Trickbot, selected as shown below:

If UBound(Filter(need, choice)) > -1 Then
    ' at least one entry of need contains the looked-up country code:
    ' use the Trickbot URL set
    ZimZamZum = Array("", "", "")
Else
    ' no match: use the Locky URL set
    ' (the Else branch is inferred from the post's description; the URL
    ' strings are not reproduced here)
    ZimZamZum = Array("", "", "")
End If
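Here is an added Python emulation of the check above (example code written for this post, not the sample's code and not the author's), useful for stubbing the geo lookup in a sandbox so that both branches are exercised. The JSON field name country_code, the stubbed replies and the "lookup-failed" handling are assumptions; the post does not show the reply format.

```python
import json

NEED = ["GB", "UK", "AU", "LU", "BE", "IE"]  # the list quoted in the post


def vb_filter(strings, value):
    """Emulate VBScript Filter(strings, value) with its default binary compare:
    keep elements containing `value` as a case-sensitive substring. Every NEED
    entry is two characters, so a real two-letter code only matches by equality."""
    return [s for s in strings if value in s]


def country_code_from_geo_reply(body, field="country_code"):
    """Return the country code from a geo-IP JSON reply, or None if the reply is
    not a JSON object with a non-empty string in `field`. The field name is an
    assumption: the post does not show the format of the replies."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    code = data.get(field) if isinstance(data, dict) else None
    return code if isinstance(code, str) and code else None


def payload_branch(body, need=NEED):
    """Mirror the sample's selection: UBound(Filter(need, choice)) > -1 holds
    when some entry of `need` contains `choice`, selecting the Trickbot URL set;
    otherwise the Locky set. A failed lookup is reported, not guessed (an
    analyst's choice, not the sample's behaviour)."""
    choice = country_code_from_geo_reply(body)
    if choice is None:
        return "lookup-failed"
    if len(vb_filter(need, choice)) - 1 > -1:  # UBound(...) > -1
        return "Trickbot"
    return "Locky"


# Constructed replies modelled on a typical geo-IP JSON response (not captured).
SANDBOX_REPLIES = {
    "UK sandbox": '{"ip": "203.0.113.10", "country_code": "GB"}',
    "US sandbox": '{"ip": "203.0.113.11", "country_code": "US"}',
    "lowercase": '{"ip": "203.0.113.12", "country_code": "gb"}',
    "no geo": '{"error": "rate limited"}',
}


def branches_seen(replies=SANDBOX_REPLIES):
    """Branch each stubbed reply exercises: a sandbox that always answers from
    one region observes only one of the two payloads."""
    return {name: payload_branch(body) for name, body in replies.items()}
```

A sandbox outside the listed regions will only ever collect the Locky payload, so both replies should be stubbed when harvesting samples from this downloader.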

The URLs containing the pattern "jhbfvg7" correspond to the Trickbot download:

The URLs containing the pattern "8y6ghhfg" correspond to the Locky download:

In this case, the downloader fetches one of the following samples, depending on the geographical region:

MD5 hash: dda37961870ce079defbf185eeeef905 (Locky, which encrypts files with the ".asasin" extension)
MD5 hash: dbc0aa7e70df7e27ae9169ae0962e2cf (Trickbot)
