
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Locky Vigilante

March 23, 2016 By Rob Collins

Recently, while working with LastLine (our APT Blocker provider) on what I thought was a suspiciously low score for a ransomware file, I uncovered something unusual. A lot of ransomware is currently being sent as a JavaScript (.js) attachment in emails. The JavaScript itself is just a small downloader and contains no ransomware payload, but when a user opens it on Windows it runs under Windows Script Host and fetches and executes a more harmful file. In this instance, the JavaScript indeed downloaded a file named 89h766b.exe from a compromised WordPress site (hxxp://www.xxxxxxxx.it/wp-content/plugins/hello123/89h766b.exe), which obviously seemed suspicious and led me to believe it was a malicious executable. However, our advanced threat prevention system gave the file a score of 0/100, suggesting it was benign. What was going on?

Initially, I thought our system had missed a threat. It turns out that, despite being named “89h766b.exe”, the download was not an executable at all but a harmless text file containing the words “STUPID LOCKY”. A sandbox that is handed plain text has nothing to detonate, so the benign verdict was correct.

Stupid Locky

So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the compromised web servers (hacked WordPress sites, in this case) that the attackers use to host their malicious executables, and replaced the ransomware file with an innocuous text file, so the downloader delivered by the email campaign fetched nothing harmful. Note that this only protects victims whose downloader happened to pull from that particular site; Locky used many download locations, and not all of them were cleaned up. While we thank the vigilante for their efforts, we recommend customers block emails with .js attachments and use APT Blocker. — Rob Collins
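The two practical checks the post points at, as an added example that is not from the original article or from WatchGuard: first, classifying a downloaded blob by what it actually is rather than by the name it was served under (the 89h766b.exe above was plain text, which is why the sandbox had nothing to run), and second, a mail-side rule that refuses script attachments. The blocked extensions beyond .js, the sample PE stub and the sample text payload are constructed here, and names such as triage_download are this example's own.

```python
import struct

# Script types that Windows runs directly when a user opens the attachment.
# The article only names .js; the rest are an assumption about what a
# practical mail policy would cover.
BLOCKED_SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def attachment_is_blocked(filename: str) -> bool:
    """True if the attachment's final extension is a script type.

    Only the last extension counts, so 'invoice.pdf.js' is caught while
    'notes.js.txt' is not (it opens in a text editor, not Script Host).
    """
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_SCRIPT_EXTENSIONS


def classify_payload(data: bytes) -> str:
    """Classify a downloaded blob by content, ignoring the name it came with.

    Returns 'pe' for a well-formed PE/COFF executable (MZ header whose
    e_lfanew pointer at offset 0x3C leads to the 'PE\\0\\0' signature),
    'text' for printable ASCII, and 'binary' for anything else.
    """
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "binary"


def triage_download(served_name: str, data: bytes) -> str:
    """Compare what the URL claimed (an .exe) with what was actually served.

    A mismatch is exactly the 'STUPID LOCKY' case: the name promises an
    executable, the content is text, and a sandbox has nothing to detonate.
    """
    kind = classify_payload(data)
    if served_name.lower().endswith(".exe") and kind != "pe":
        return f"mismatch: served as .exe but content is {kind}"
    return kind


def _sample_pe() -> bytes:
    """Constructed minimal PE stub (not a real program): DOS header with
    e_lfanew pointing at a 'PE\\0\\0' signature, then zero padding."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + bytes(20)


# Constructed samples: the vigilante's replacement file and a PE stub.
SAMPLE_STUPID_LOCKY = b"STUPID LOCKY"
SAMPLE_PE = _sample_pe()

if __name__ == "__main__":
    for name, blob in [("89h766b.exe", SAMPLE_STUPID_LOCKY), ("89h766b.exe", SAMPLE_PE)]:
        print(f"{name}: {triage_download(name, blob)}")
    for att in ["invoice_2016.js", "invoice.pdf.js", "report.pdf", "notes.js.txt"]:
        print(f"{att}: {'blocked' if attachment_is_blocked(att) else 'allowed'}")
```

The PE test follows the e_lfanew pointer at offset 0x3C and requires the PE signature there, so a file that merely begins with MZ does not pass. The attachment check looks only at the final extension of a bare file name; attachments delivered inside archives would need to be expanded first, which is out of scope here.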


Filed Under: Editorial Articles

Comments

  1. Sam says

    May 23, 2016 at 3:14 am

    Hello Rob. I have been infected with the same script. Can you tell me the hostname from where the script was trying to download the file, and also the name of the script? How can I identify the host which has this script running? In my case, my IPS is catching the connection to this site and the source IP is that of my proxy, but there are no logs on the proxy for this connection.
  2. Rob Collins says

    May 23, 2016 at 4:44 pm

    Locky was using many download locations, and not all of them had been replaced by the harmless file. Various ports are often used to download the file too, so maybe the proxy is just not logging for ports other than 80 and 443? What about firewall logs? Without knowing your environment better, there is little I can use to guide you, but using UTM instead of separate IPS and explicit proxies certainly makes the process of detection and configuration for prevention a lot easier.
  3. Sam says

    May 24, 2016 at 12:24 am

    Thank you for your reply.

    My IPS was able to capture the packet going out. So far it is using the same hostname “www.esercizinuoto.it” in the HTTP header, but if I try to resolve this domain name it doesn’t give any results, plus the destination IP keeps changing. By the way, it is still using port 80 to connect to the new IP, which is “204.51.93.134”. It would just attempt once to connect in 24 hours; if it fails it doesn’t try again. The next day it would try again, 40 minutes and 15 seconds earlier than the day before. The complete header information is as below:

    Expert Info (Chat/Sequence): GET /wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n
    Message: GET /wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n
    Severity level: Chat
    Group: Sequence
    Request Method: GET
    Request URI: /wp-content/plugins/hello123/89h766b.exe
    Request Version: HTTP/1.1
    Host: www.esercizinuoto.it
    Accept: text/html, */*
    Connection: close
    Full request URI: http://www.esercizinuoto.it/wp-content/plugins/hello123/89h766b.exe

    The strange part is, there are no logs generating in our core firewall. The only log I can see is at the perimeter firewall, which too shows the proxy’s IP. I did a tcpdump on my core switch using an HTTP filter in order to capture the host, but I captured nothing. It’s very weird, to be honest.

    Anyways, thanks for the help 🙂

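A network-side version of the same indicator, as an added example that is not part of the comment thread: parse a captured HTTP request and match it on the Host header plus the URI path rather than on the destination IP, since the capture above shows the hostname no longer resolving while the destination address changes. The sample request is reconstructed from the header fields Sam posted; the proxy-style absolute-form request, the benign request, the indicator table and the function names are this example's own.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Indicator table keyed on (host, path). The single entry is the download
# URL visible in the capture above; a real deployment would load this from
# a threat feed rather than hard-coding it.
KNOWN_DOWNLOAD_URLS = {
    ("www.esercizinuoto.it", "/wp-content/plugins/hello123/89h766b.exe"),
}


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (method, target, headers) with header names lower-cased, or
    None if the bytes are not a well-formed request.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def match_download_indicator(raw: bytes) -> Optional[str]:
    """Return 'METHOD http://host/path' if the request hits a known Locky
    download URL, else None.

    Matching uses host plus URI path, not the destination IP, so it still
    fires when the name no longer resolves and the address behind it
    changes. Absolute-form targets (what a client sends to an explicit
    proxy) are handled as well as origin-form ones.
    """
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    if target.lower().startswith("http://"):
        split = urlsplit(target)
        host, path = (split.hostname or "").lower(), split.path
    else:
        host = headers.get("host", "").lower().split(":", 1)[0]
        path = target.split("?", 1)[0]
    if (host, path) in KNOWN_DOWNLOAD_URLS:
        return f"{method} http://{host}{path}"
    return None


# Constructed samples: the request reassembled from the header fields
# posted above, the same request in proxy (absolute-form) style, and a
# benign request for comparison.
SAMPLE_LOCKY_REQUEST = (
    b"GET /wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n"
    b"Host: www.esercizinuoto.it\r\n"
    b"Accept: text/html, */*\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SAMPLE_PROXY_REQUEST = (
    b"GET http://www.esercizinuoto.it/wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n"
    b"Host: www.esercizinuoto.it\r\n"
    b"\r\n"
)
SAMPLE_BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for req in (SAMPLE_LOCKY_REQUEST, SAMPLE_PROXY_REQUEST, SAMPLE_BENIGN_REQUEST):
        print(match_download_indicator(req) or "no match")
```

Keying on host and path is also why pivoting on the 204.51.93.134 address alone is weak: the Host header is the stable part of this beacon, and the same check works on the proxy side, where the client's request is in absolute form and the source IP seen downstream is the proxy's.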