Malspam delivers Diablo6 Locky ransomware

Blog post created by Ahmed Sonbol on Aug 14, 2017

A malspam campaign was observed on Friday, August 11th, 2017 delivering "Diablo6", a variant of Locky ransomware. The variant is named after the extension it appends to encrypted files on a victim machine. It is delivered via PDF documents that carry embedded malicious Word documents. RSA FirstWatch has discussed this delivery mechanism before and shared detection techniques using NetWitness Packets and the hunting pack. In this threat advisory we discuss the network behavior of the recent campaign.

Here is an example of a delivery document. It carries an embedded Word document, which in turn contains a malicious macro. Neither application runs the chain on its own: Adobe Reader prompts before opening the embedded file, and under default settings Word does not execute the macro until the victim enables content, so the lure text exists to talk the victim through both prompts.

Submitting the PDF document (SHA256: e58662121738a24edf2341a4344a237d711fdb025dbe0a8f208205d99723209a) to RSA's pre-release What's This File service yields a medium threat score. The service also reports the embedded JavaScript code that tries to automatically launch the attached Word document:
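The auto-launch pattern described above (an embedded file plus JavaScript that opens it) can be triaged statically without opening the document. The following is an added example written for this page, not code from the original post or from the What's This File service; the indicator list, the heuristic verdict, and the two sample PDFs (a constructed lure with a hex-escaped action name and a plain single-page document) are assumptions built for illustration.

```python
"""Static triage of a PDF for the two features this lure relies on: an embedded
file (the Word attachment) and JavaScript/open-time actions that try to launch
it. Added example, not code from the original post or from RSA's service; the
indicator list and verdict thresholds are the editor's own assumptions. It
scans the raw object syntax only, so objects packed into compressed object
streams (/ObjStm) are invisible to it and are reported separately."""
import collections
import re

# A PDF name object: '/' followed by regular characters. Characters may be
# escaped as #xx, which attackers use to hide keywords (/J#61vaScript).
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth counting for this campaign's delivery pattern (assumed list).
SUSPICIOUS = {
    "EmbeddedFile": "embedded file stream (the attachment itself)",
    "EmbeddedFiles": "attachment name tree in the catalog",
    "JavaScript": "JavaScript action",
    "JS": "JavaScript code or stream",
    "OpenAction": "action executed when the document opens",
    "AA": "additional actions (page/annotation triggers)",
    "Launch": "launch action (run an external application)",
}


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdf_indicators(data: bytes) -> dict:
    """Count suspicious name objects in the uncompressed PDF syntax."""
    names = collections.Counter(decode_name(m.group(1)) for m in NAME_RE.finditer(data))
    return {
        "indicators": {k: names[k] for k in SUSPICIOUS if names[k]},
        # Compressed object streams hide their contents from this scan;
        # a non-zero count means the result may be incomplete.
        "object_streams": names["ObjStm"],
    }


def verdict(result: dict) -> str:
    """Assumed heuristic: attachment plus auto-run logic is the lure pattern."""
    ind = result["indicators"]
    has_attachment = "EmbeddedFile" in ind or "EmbeddedFiles" in ind
    auto_run = any(k in ind for k in ("JavaScript", "JS", "OpenAction", "AA", "Launch"))
    if has_attachment and auto_run:
        return "high"
    if has_attachment or auto_run:
        return "medium"
    return "low"


# Constructed sample (not the campaign's PDF): an attachment plus an
# OpenAction whose JavaScript calls exportDataObject with nLaunch=2, the
# Acrobat API for saving an embedded file and opening it. The action name
# is hex-escaped to show why decode_name matters.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R >> /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName: "invoice.docm", nLaunch: 2});) >> endobj
5 0 obj << /Names [(invoice.docm) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
DOCM
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed single-page PDF with no attachments or actions, for contrast.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        result = pdf_indicators(blob)
        print(label, verdict(result), result)
```

The scan reads raw object syntax, so a PDF that packs its catalog and actions into compressed object streams shows nothing here except a non-zero `object_streams` count; inflate those streams with a real PDF parser before trusting a "low" verdict. The sample lure's `exportDataObject` call with `nLaunch` set to 2 asks Acrobat to save the attachment to a temporary location and open it, which is what produces the Reader prompt the victim has to click through.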

The embedded Word document itself (SHA256: e853432940466040561d30e2ee81a5e9785d64e6bead19372a9f585745a934fd) receives a high threat score with several suspicious characteristics:

The VBA code reaches out to a delivery domain to download a payload, in this case a Locky ransomware variant (SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e). An analysis report from hybrid-analysis.com can be found here.

NetWitness Packets tagged the download sessions with the following meta values:

The same network behavior was observed across several infected systems, indicating an active campaign:

After a time delay, the executable starts encrypting files on the victim machine, then changes the desktop background and displays a note with instructions for paying the ransom before deleting itself from the system. The delay is most likely meant to outlast the execution window of automated sandboxes:

This Locky variant asks for 0.5 BTC to decrypt the victim files:

NetWitness Endpoint shows the following module IIOCs (Instant IOCs) and tracking data for the ransomware:

All the delivery domains from this campaign will be added to the FirstWatch C2 domains feed on RSA Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

Previous RSA Link articles on Locky:
