In the ongoing Locky spam campaign, the attackers have made a small upgrade to the delivery mechanism: the VBScript-based downloaders now perform a Geo IP check. Depending on the geographical region the victim is located in, the script downloads either Locky or Trickbot.
Below are some technical details:
MD5 hash: 6e2692c124a69566838cde01b7669532
In Figure 1, we can see the Geo IP check performed.
Figure 1 (image not included): the Geo IP check in the VBScript downloader.
It connects to one of the following services to fetch information in JSON format about the geographical location of the user (falling back to the next one if a lookup fails):
http://freegeoip.net/json/
http://www.geoplugin.net/json.gp
https://ipinfo.io/json
Once it obtains this information, it checks whether the country code matches any of the following:
"GB", "UK", "AU", "LU", "BE", "IE"
The above country codes and their corresponding countries are:
GB - United Kingdom
UK - United Kingdom (UK is not an official ISO 3166-1 alpha-2 code; GB is, but the script checks for both spellings)
AU - Australia
LU - Luxembourg
BE - Belgium
IE - Ireland
If the country code matches any of the above, the script downloads Trickbot instead of Locky; any other country (or a failed lookup) falls through to the Locky branch.
There are two different sets of download URLs, one for Locky and one for Trickbot, selected by the following branch in the script:
' Filter(need, choice) returns the entries of the array `need` that contain the string `choice`
' (case-sensitive substring match); Ubound > -1 means the country code was found in the list.
If Ubound(Filter(need, choice)) > -1 Then
    ZimZamZum = Array("highlandfamily.org/jhbfvg7?","fetchstats.net/p66/jhbfvg7","bnphealthcare.com/jhbfvg7?")
Else
    ZimZamZum = Array("team-bobcat.org/8y6ghhfg?","fetchstats.net/p66/8y6ghhfg","highpressurewelding.co.uk/8y6ghhfg?")
End If
The URLs containing the token "jhbfvg7" are the Trickbot download locations:
highlandfamily.org/jhbfvg7?
fetchstats.net/p66/jhbfvg7
bnphealthcare.com/jhbfvg7?
The URLs containing the token "8y6ghhfg" are the Locky download locations:
team-bobcat.org/8y6ghhfg?
fetchstats.net/p66/8y6ghhfg
highpressurewelding.co.uk/8y6ghhfg?
Depending on the geographical region, the downloader in this case fetches one of the following samples:
MD5 hash: dda37961870ce079defbf185eeeef905 (Locky, which encrypts files with the ".asasin" extension)
MD5 hash: dbc0aa7e70df7e27ae9169ae0962e2cf (Trickbot)
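To make the branching concrete, here is a small Python re-implementation of the downloader's decision logic that can be run offline against constructed lookup responses. It is an added example, not code from the original post or from the malware sample. The JSON field names used for the three lookup services are an assumption (the sample's parsing step is not shown above), and the sample responses are constructed, not captured traffic.

```python
import json

# Country codes the downloader compares the victim's location against (from the sample).
TARGET_CODES = {"GB", "UK", "AU", "LU", "BE", "IE"}

# The two URL sets from the VBScript fragment, exactly as they appear in the script.
TRICKBOT_URLS = [
    "highlandfamily.org/jhbfvg7?",
    "fetchstats.net/p66/jhbfvg7",
    "bnphealthcare.com/jhbfvg7?",
]
LOCKY_URLS = [
    "team-bobcat.org/8y6ghhfg?",
    "fetchstats.net/p66/8y6ghhfg",
    "highpressurewelding.co.uk/8y6ghhfg?",
]

# Assumption: the JSON key each lookup service uses for the two-letter country
# code. The page does not show the parsing step, so these come from the services'
# documented response formats, not from the sample itself.
COUNTRY_KEYS = {
    "freegeoip.net": "country_code",
    "geoplugin.net": "geoplugin_countryCode",
    "ipinfo.io": "country",
}


def extract_country(service, body):
    """Return the upper-cased country code from one service's JSON body, or None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    code = data.get(COUNTRY_KEYS[service]) if isinstance(data, dict) else None
    if not isinstance(code, str) or not code.strip():
        return None
    return code.strip().upper()


def select_payload(country_code):
    """Mirror the script's `If Ubound(Filter(need, choice)) > -1` branch.

    VBScript Filter() does a case-sensitive substring match; with two-letter
    codes on both sides that is plain set membership. A failed lookup (None)
    falls through to the Else branch, i.e. Locky.
    """
    if country_code in TARGET_CODES:
        return "Trickbot", list(TRICKBOT_URLS)
    return "Locky", list(LOCKY_URLS)


def classify_url(url):
    """Classify a URL seen in proxy or DNS logs by the path token called out above."""
    if "jhbfvg7" in url:
        return "Trickbot"
    if "8y6ghhfg" in url:
        return "Locky"
    return None


def decide_from_lookup(service, body):
    """End-to-end: one lookup service's JSON response -> (country, family, URL list)."""
    country = extract_country(service, body)
    family, urls = select_payload(country)
    return country, family, urls


# Constructed lookup responses (not real traffic), one per service.
SAMPLE_RESPONSES = {
    "freegeoip.net": '{"ip":"203.0.113.5","country_code":"AU","country_name":"Australia"}',
    "geoplugin.net": '{"geoplugin_request":"198.51.100.7","geoplugin_countryCode":"US"}',
    "ipinfo.io": '{"ip":"192.0.2.9","country":"GB","city":"London"}',
}

if __name__ == "__main__":
    for service, body in SAMPLE_RESPONSES.items():
        country, family, urls = decide_from_lookup(service, body)
        print(f"{service:14} country={country} -> {family}: {urls[0]}")
```

One practical consequence for analysts: the payload a sandbox receives is decided by the egress IP of the sandbox, so a detonation from outside the listed countries will only ever yield the Locky sample. To collect both, the responses from the three lookup services have to be intercepted or spoofed.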