Recently, while working with LastLine (our APT Blocker provider) on what I thought was a low score for a ransomware file, I uncovered something unusual. A lot of ransomware is currently being sent as a JavaScript (.js) attachment in emails. JavaScript on its own is relatively harmless, but it can be used to download and run more harmful files. In this instance, the JavaScript indeed downloaded an executable file from a compromised WordPress site (hxxp://www.xxxxxxxx.it/wp-content/plugins/hello123/89h766b.exe), which obviously seemed suspicious, and led me to believe that it was a malicious file. However, our advanced threat prevention system only gave the file a score of 0/100, suggesting it was benign. What was going on?
Initially, I thought our system had missed a threat. It turns out that, despite being called “89h766b.exe”, it was in fact a harmless text file containing the text “STUPID LOCKY”.
So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the command and control infrastructure attackers use to deliver their malicious executables. It looks like this vigilante replaced the harmful ransomware file with an innocuous text file, thus preventing the evil email campaign from working. While we thank the vigilante for their efforts, we recommend customers do not allow emails with .js attachments and use APT Blocker. — Rob Collins
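The post's key observation is that a file named .exe need not be an executable at all, which is why the sandbox scored it 0/100. As an added example (not code from the original post or from the vendor), the Python below shows the two checks a defender would apply: inspect the fetched bytes for a real PE image rather than trusting the extension, and flag proxy request lines that pull an .exe out of a WordPress plugin directory. The "STUPID LOCKY" bytes and the minimal PE stub are constructed test data; the request path is the one quoted in the post.

```python
import re
import string
from typing import Optional

# Constructed sample: the harmless text that replaced the ransomware payload.
STUPID_LOCKY = b"STUPID LOCKY"

def _fake_pe() -> bytes:
    # Constructed test data: the smallest buffer that satisfies the PE header
    # checks below (DOS "MZ" magic, e_lfanew at 0x3C pointing at "PE\0\0").
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf += b"PE\x00\x00"
    return bytes(buf)

def classify_payload(data: bytes) -> str:
    """Return 'pe' for a Windows executable image, 'text' for plain printable
    text, else 'unknown'. Looks at the bytes, never at the file name."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    printable = set(string.printable.encode())
    if data and all(b in printable for b in data):
        return "text"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name promises an executable but the content is not a PE.
    A benign score on such a file means 'not executable', not 'campaign over'."""
    return filename.lower().endswith(".exe") and classify_payload(data) != "pe"

# Request line pattern from the post: an .exe served out of wp-content/plugins.
EXE_FROM_PLUGIN_DIR = re.compile(r"GET\s+(/wp-content/plugins/\S+\.exe)\s+HTTP/1\.[01]")

def flag_request_line(line: str) -> Optional[str]:
    """Return the requested path if an HTTP request line fetches an .exe from a
    WordPress plugin directory, else None. Meant for proxy or IPS log review."""
    m = EXE_FROM_PLUGIN_DIR.search(line)
    return m.group(1) if m else None
```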
Sam says
Hello Rob. I have been infected with the same script. Can you tell me the hostname from where the script was trying to download the file, and also the name of the script? How can I identify the host which has this script running? In my case, my IPS is catching the connection to this site and the source IP is that of my proxy, but there are no logs on the proxy for this connection.
Rob Collins says
Locky was using many download locations, and not all of them had been replaced by the harmless file. Various ports are often used to download the file too, so maybe the proxy is just not logging for ports other than 80 and 443? What about firewall logs? Without knowing your environment better, there is little I can use to guide you, but using UTM instead of separate IPS and explicit proxies certainly makes the process of detection and configuration for prevention a lot easier.
Sam says
Thank you for your reply.
My IPS was able to capture the packet going out. So far it is using the same hostname “www.esercizinuoto.it” in the HTTP header, but if I try to resolve this domain name it doesn’t give any results, plus the destination IP keeps changing. By the way, it is still using port 80 to connect to the new IP, which is “204.51.93.134”. It would just attempt once to connect in 24 hours; if it fails it doesn’t try again. The next day it would try again 40 minutes and 15 seconds earlier than the day before. The complete header information is as below:
Expert Info (Chat/Sequence): GET /wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n
Message: GET /wp-content/plugins/hello123/89h766b.exe HTTP/1.1\r\n
Severity level: Chat
Group: Sequence
Request Method: GET
Request URI: /wp-content/plugins/hello123/89h766b.exe
Request Version: HTTP/1.1
Host http://www.esercizinuoto.it
Accept text/html, */*
Connection close
Full request URI http://www.esercizinuoto.it/wp-content/plugins/hello123/89h766b.exe
The strange part is, there are no logs generating in our core firewall. The only log I can see is at the perimeter firewall, which too shows the proxy’s IP. I did a tcpdump on my core switch using an HTTP filter in order to capture the host, but I captured nothing. It’s very weird, to be honest.
Anyways, thanks for the help 🙂