A malspam campaign was observed on Friday, August 11th, 2017, delivering "Diablo6", a variant of Locky ransomware. The new variant is named after the extension of the encrypted files on a victim machine. It is delivered via PDF documents with attached malicious Word documents. RSA FirstWatch has discussed this delivery mechanism before and shared detection techniques using NetWitness Packets and the hunting pack. In this threat advisory we discuss the network behavior of the recent campaign.
Here is an example of a delivery document. It has an attached Word document, which in turn contains a malicious macro. Social engineering is needed to lure the victim into bypassing the built-in measures in Adobe Reader and Microsoft Word so that the malicious macro eventually runs.
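A static triage check for the delivery pattern described above (a PDF carrying an attached Word document) is sketched below as an added example; it is not code from RSA FirstWatch or NetWitness. The function names, the extension list and the sample input are assumptions made for illustration, and the sample PDF is constructed, not taken from the campaign.

```python
import re
import zlib

# Assumption: Office extensions a mail gateway would treat as macro-capable.
MACRO_EXTS = (".docm", ".dotm", ".doc", ".xlsm", ".xls", ".pptm")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# /F (name) or /UF (name) entries of a file specification dictionary.
FILENAME_RE = re.compile(rb"/U?F\s*\(([^)]{1,255})\)")
AUTO_KEYS = (b"/OpenAction", b"/JavaScript", b"/Launch")


def expand(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates, so keywords inside
    compressed object streams are searched as well."""
    parts = [pdf]
    for match in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            pass  # not Flate data; the raw copy is already in parts
    return b"\n".join(parts)


def triage_pdf(pdf: bytes) -> dict:
    data = expand(pdf)
    names = [n.decode("latin-1") for n in FILENAME_RE.findall(data)]
    macro = [n for n in names if n.lower().endswith(MACRO_EXTS)]
    embedded = b"/EmbeddedFile" in data
    return {
        "embedded_file": embedded,
        "attachment_names": names,
        "macro_capable": macro,
        "auto_actions": [k.decode() for k in AUTO_KEYS if k in data],
        "suspicious": embedded and bool(macro),
    }


def sample_pdf(attachment: str) -> bytes:
    """Constructed PDF-like input; the filespec is inside a Flate stream."""
    spec = b"<< /Type /Filespec /F (%s) /EF << /F 5 0 R >> >>" % attachment.encode()
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(spec)
            + b"\nendstream\nendobj\n5 0 obj\n<< /Type /EmbeddedFile >>\n"
            b"stream\nPK\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(sample_pdf("invoice.docm")))
```

The check only inflates Flate streams and matches literal names, so encrypted PDFs or hex-escaped names need a full PDF parser.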
The embedded Word document itself (SHA256: e853432940466040561d30e2ee81a5e9785d64e6bead19372a9f585745a934fd) has a high threat score with different suspicious characteristics:
The VBA code reaches out to a delivery domain in order to download a payload, in this case a Locky ransomware variant (SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e). The analysis report from hybrid-analysis.com can be found here:
NetWitness Packets tagged the download sessions with the following meta values:
The network behavior was shared among different infected systems, indicating an active campaign:
After a time delay, the executable starts to encrypt the files on the victim machine, then changes the desktop background and displays a note with the necessary instructions to pay the ransom before deleting itself from the system. The time delay is most likely used to evade sandbox technologies:
This Locky variant asks for 0.5 BTC to decrypt the victim files:
NetWitness Endpoint shows the following module IIOCs and tracking data for the ransomware:
All the delivery domains from this campaign will be added to FirstWatch C2 domains on Live with the following meta values: