Since its introduction in early 2016 and throughout this year, the distribution of the Locky ransomware has been overwhelmingly facilitated by attached script applications written in JScript or Visual Basic. These script applications have been delivered as the content of an attached archive such as a Zip or RAR file delivered as part of the email messages.
It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics.
Locky’s presence on the threat landscape dates back to February 2016 when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, Locky’s presence on the threat landscape has been far more tepid. Its subdued presence on the threat landscape and intermittent distributions led to rumors that Locky was a thing of the past; many people were surprised when new Locky distributions took place. However, it is clear that despite a smaller degree of tenacity in deployment, the criminals using the Locky ransomware still see benefit from its use. And incremental changes in behavior indicate that these criminals are investing in future use, as well.
The most recent iterations of Locky distributions have replayed some of the simplest techniques for this malware’s distribution in phishing emails. The lures used in these phishing emails make vague references to document delivery, unpaid invoices, received voice mails, or receipts for payments, all examples of content used prolifically in the distribution of ransomware and other malware tools. Some standout examples demonstrate the compelling, yet vague messaging used to deliver this destructive malware.
Figure 1 – Locky phishing emails leverage vague, yet compelling narratives
While attackers continue to use similar phishing emails, the most recent Locky binaries demonstrate that small, incremental changes to the malware’s behavior are being implemented. These changes are mostly superficial but serve to break from expected norms in small ways. The first change, and likely the one to garner the most attention, was the use of two new file extensions applied to files encrypted by the ransomware. Previous iterations of Locky deployments have used extensions ranging from the sensible “.locky” to the more esoteric “.osiris”, “.odin”, and “.aesir” extensions.
In the past two weeks, two new, distinctive extensions have been used. The first, “.diablo6”, evokes a more intimidating ethos for the ransomware. Other samples use “.lukitus”, likely evoking the Finnish word for “locking.” Additionally, a more significant modification comes in the command and control callback resources leveraged by the ransomware to report new infections.
One of the simplest techniques for identifying a malware variety and its communications is to match suspicious traffic to known resource paths used by that malware. For many Locky samples in 2017, command and control resources could be identified by the presence of a “/checkupdate” callback URI path. However, this has also been replaced in recent samples that apply the “.lukitus” encrypted file extension by a “/imageload.cgi” resource path. For very tightly-tuned detection schemes, this change could result in the latter being categorized incorrectly because it represents a departure from the established norm for this malware.
|Locky “.diablo6” sample check-in URLs|
|Locky “.lukitis” sample check-in URLs|
Figure 2 – Small changes to command and control callback destination
Despite the numerous stories about Locky “comebacks,” each additional return to prominence serves as a reminder that the Locky ransomware and the business model it supports is a valuable monetary strategy for threat actors. As a result, it is unlikely that Locky will be fully unseated as a premier ransomware tool until a truly superior replacement emerges. Until then, it is imperative that network defenders and information security professionals continue to leverage intelligence on the behavior, techniques, and modifications exhibited by criminals deploying the Locky ransomware.
One core element of the information security mission is the successful assessment of the risk posed to an organization by a malware sample or malware variety delivered by a phishing email. In 2017, phishers have embraced the use of adaptable and flexible malware to gain initial footholds in a network before monetizing the infected host. The intersection of these two missions creates a scenario in which open-ended, adaptable botnet malware challenges information security professionals to prepare for a wide array of malware capabilities–in some case without much insight into the real risks posed by a malware tool.
However, in some cases a malware tool can reveal most, if not all, of its capabilities in a way that helps an organization identify malware risks. The Zeus Panda botnet malware is one of the more popular malware tools this year, and its use has been documented in numerous phishing attacks. It wholly embodies the principles of a multipurpose botnet tool by providing threat actors with a number of avenues for monetizing infected hosts. The tenacity and creativity with which threat actors have delivered this malware makes it a prominent constituent of the threat landscape but with limited expressions of its capabilities. Yet, understanding those capabilities is crucial for network defenders to understand the impact this malware can have within a protected environment.
Through analysis of behavior exhibited by Zeus Panda samples, PhishMe researchers uncovered a comprehensive assessment of this botnet tool’s capabilities. These capabilities were described through a list of module commands to either execute a task or update a module to support enhanced capabilities. The list below lists some operations for these modules.
|Zeus Panda module tasks|
|mod_execute grab2 user_cookies_get|
|mod_execute grab2 user_passes_get|
|mod_execute info get_info|
Figure 1 – Zeus Panda modules provide a great deal of information about its capabilities
These module execution and update references can be interpreted as a guide to the capabilities of the Zeus Panda malware. For example, “grab2 user_cookies_get” and “grab2 user_passes_get” both imply that information stored in a browser cookie cache or password safe may be available to the “grab2” module. This could provide an avenue for threat actors to steal browser-session data or passwords for reuse. Similarly, the “info” module may provide reconnaissance about infected environments via the collection of information about the infected host. This information can be in turn leveraged in conjunction with the “user_execute” command to customize an attack through the deployment of a more specialized malware tool.
Other available modules–“klog”, “pony”, and “socks”–imply keylogger, Pony information stealer, and SOCKS proxy capabilities are available to the threat actor. Each of these would greatly enhance the threat actor’s insight into victim activity, stored passwords and credential data, and the ability to abuse the infected machine as a network proxy or traffic relay respectively. Additionally, a series of VNC modules would give the threat actor an option for full remote control of infected hosts.
Each of these elements from this brief list of module execution and update operations can be used to provide network defenders and information security professionals with an assessment of the risks posed by Zeus Panda. Furthermore, if a sample of this malware is present within a protected environment, comparing network communications and endpoint artifacts with this list of capabilities can help in the response process as well.
As malware creators and phishing threat actors further commoditize malware tools to maximize their opportunities and options regarding infected hosts, collecting intelligence on the capabilities available to those threat actors becomes increasingly important. A comprehensive defense strategy must include response plans and anticipatory defenses to limit a malware’s impact as well as prevent its successful deployment. The first step is empowering email users to recognize phishing techniques and report suspicious emails. Beyond this crucial first step, responders must be empowered to understand the risks posed by the malware these emails deliver to better defend the enterprise.
Don’t become another statistic: PhishMe® is now FREE for small businesses under 500 employees. Learn more.
Make your nominations for the 2017 PhishMe® Excellence Awards today!
Every day, 1000s of companies use PhishMe as a cornerstone of their phishing defense program. The PhishMe Excellence Awards recognize the outstanding achievements of security professionals and organizations with innovative, successful anti-phishing and phishing defense programs to minimize the risk and impacts associated with phishing attacks.
When it comes to cyberattacks, small businesses are big targets. That’s why we recently introduced PhishMe® Free, a no-cost, easy-to-use version of our award-winning anti-phishing simulation solution.
Human Phishing Defense Solution Designed to Reduce SMB End-User Susceptibility to Phishing
LEESBURG, VA. – August 10, 2017 – Today PhishMe®, the leading provider of human phishing defense solutions, announced the availability of PhishMe Free™ – a no-cost phishing simulation solution for small businesses under 500 employees to condition employees and fortify their defenses against today’s advanced cyberattacks, such as ransomware, business email compromise and spear-phishing.
With 90 percent of network security breaches attributed to phishing attacks, no business – large or small – is immune to cyberthreats. Small businesses in particular are at risk, with more than 55 percent of SMBs having experienced a cyberattack in the past 12 months and 50 percent reporting a data breach. As widespread breaches continue to threaten businesses worldwide, organizations must adopt security measures that utilize human intelligence to protect critical assets.
“Every company – regardless of size or resources – should have access to effective cybersecurity solutions,” said Rohyt Belani, co-founder and CEO of PhishMe. “61% of cyberattacks target small and medium businesses (SMBs) and the ensuing damages cost, on average, $800,000 USD. To help such organizations shore up their defenses we created PhishMe Free. This solution is tailored specifically for companies with 500 employees or less. The goal is to help SMBs build a conditioned firewall of human sensors to act as a first line of defense against attacks that bypass traditional email filtering technologies.”
PhishMe Free leverages the foundational elements and expertise behind PhishMe Simulator, the leading anti-phishing solution that reduces end-user susceptibility to phishing attacks by up to 95 percent. Much like the company’s flagship product, PhishMe Free delivers simulated email campaigns that mimic real-life spear phishing scenarios and provide instant learning opportunities for recipients who fall for the exercises. It also equips IT teams with the tools needed to educate and engage employees in their efforts to thwart phishing attacks. Key benefits include:
- Fast deployment with an easy to manage SaaS application
- Reporting and analytics to easily view risk exposures and monitor progress
- Real results through a simplified enterprise- grade solution that delivers 18 templates and runs up to 12 scenarios per year
- Mimics real-life attack tactics with threat-based scenario content and training templates for end users
- Full access to PhishMe CBT modules, including four compliance modules and 17 interactive modules covering today’s biggest threats
“Today, small businesses are just as likely to be targeted by cyberattacks as large enterprises but the financial and reputation damages could be much more devastating,” notes Scott Crawford, research director for information security with 451 Research. “With organizations like PhishMe providing strong anti-phishing solutions catered to SMBs at no cost, more organizations can take the necessary steps to fortify their defenses to reduce the chances of phishing related breaches.”
Also included in the PhishMe Free license is access to PhishMe Community, an online customer portal where users can discuss product issues with PhishMe representatives and exchange ideas with fellow users, receive product support, access PhishMe’s exhaustive knowledge base, and learn more about the exciting things happening in the world of PhishMe.
For more information about PhishMe Free, please visit: https://cofense.com/pm-free.
PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report and mitigate spear phishing, malware and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision-making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare and manufacturing industries, as well as other Global 1000 entities that understand how changing user security behavior will improve security, aid incident response and reduce the risk of compromise.
 PhishMe, “PhishMe 2016 Enterprise Phishing Susceptibility and Resiliency Report”
 Ponemon Institute, “2016 State of Cybersecurity in Small and Medium-Sized Business,” June 2016.
 Ponemon Institute, “2016 State of Cybersecurity in Small and Medium-Sized Business,” June 2016.
Threat actors’ consistent pursuit of improved efficiency is a key characteristic of the phishing threat landscape. One method for improving efficiency is to use a unique delivery technique that not only allows threat actors to distribute malware but also succeeds in evading anti-virus software and technologies.
A ransomware victim must have a compelling reason to go through the burdensome process of obtaining Bitcoin and paying the ransom. For many victims, the threat of permanently losing access to their files is enough. However, some ransomware authors and criminals seek to push victims harder by raising the stakes even further.
A key part of phishing threat actors’ mission is to create email narratives and leverage malware delivery techniques that reduce the likelihood of detection. By combining compelling social engineering with seemingly benign content, threat actors hope to bypass technical controls and to convince their human victims of a phishing email’s legitimacy. One method with a long history of use is the abuse of Google Docs file sharing URLs to deliver malware content to victims. Because Google Docs and other cloud services may be trusted within an enterprise, threat actors will continue to abuse file sharing services to possibly bypass firewalls and anti-virus technologies.
Leesburg, Va. – June 28, 2017 – PhishMe® (cofense.com), the leading provider of human-focused phishing defense solutions, announced today that it has been awarded a 2017 Top Workplaces honor by The Washington Post. The Top Workplaces lists are based solely on the results of an employee feedback survey administered by WorkplaceDynamics, LLC, a leading research firm that specializes in organizational health and workplace improvement. Several aspects of workplace culture were measured, including alignment, execution, and connection, just to name a few.