Locky or TrickBot? Depends Where You Are. Malicious Payload Delivery Tailored by Geographic Location
BY NEERA DESAI AND VICTOR CORNELL
It is not uncommon for threat actors to deploy malicious payloads from multiple malware families during a single phishing campaign. These malware tools may include ransomware, a financial crimes trojan, or other botnet malware. However, it is not as common for those attackers to deploy different malware tools based upon the geographic location of their victim.
By using different tools, attackers open up multiple fronts: network defenders and information security professionals are presented with several potential threats to address at the same time. Without sufficient context, this can create a scenario that puts network defenders at a disadvantage.
On September 28, 2017, threat actors used a phishing narrative that claimed to deliver a scanned document needing the recipient’s attention. Attached to the message was a .7z archive containing a malicious VBScript application tasked with obtaining and running the Locky ransomware or the TrickBot banking trojan. What was unique in this campaign is that before executing the intended payload, the VBScript determines where the target is located.
Figure 1 — The VBScript will query the three websites in the array and then parse the JSON output before continuing to the next step
The VBScript begins by querying three websites that provide geo-IP services to determine where the target is located. Targets in different locations are then delivered different malware. This script is designed to deliver the TrickBot malware to targets in Great Britain, United Kingdom, Australia, Luxembourg, Belgium and Ireland. Targets outside those locations receive the Locky ransomware. Figure 2 illustrates the list of countries to receive malware, followed by a list of payload locations used to distribute the TrickBot malware or the Locky ransomware.
Figure 2 — Six regions are included in the list for receiving TrickBot: Great Britain, United Kingdom, Australia, Luxembourg, Belgium, and Ireland
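A defender-side detection sketch for the behaviour described above, added here as an example and not code from the original post or from PhishMe: it scans constructed proxy-log lines for a script host (wscript.exe or cscript.exe) that contacts geo-IP lookup services and then fetches an executable within a short window. The geo-IP host names, payload host and log format are placeholders; the real services used in the campaign are not named on this page.

```python
"""Flag script-host processes that query geo-IP services and then fetch a payload.

The log lines and host names below are constructed placeholders for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Placeholder geo-IP lookup hosts (assumption; not the campaign's real services).
GEOIP_HOSTS = {"geoip.example-a.test", "ipinfo.example-b.test", "geo.example-c.test"}
PAYLOAD_EXTS = (".exe", ".dll", ".bin")
WINDOW = timedelta(minutes=5)  # max gap between last geo-IP query and payload fetch

# Constructed proxy log: timestamp, client host, process name, URL (tab-separated).
SAMPLE_LOG = [
    "2017-09-28T09:14:02\tWS-0412\twscript.exe\thttp://geoip.example-a.test/json",
    "2017-09-28T09:14:03\tWS-0412\twscript.exe\thttp://ipinfo.example-b.test/json",
    "2017-09-28T09:14:03\tWS-0412\twscript.exe\thttp://geo.example-c.test/json",
    "2017-09-28T09:14:05\tWS-0412\twscript.exe\thttp://payload-host.example.test/files/stage2.exe",
    "2017-09-28T09:20:11\tWS-0777\tchrome.exe\thttp://geoip.example-a.test/json",
    "2017-09-28T10:01:00\tWS-0999\twscript.exe\thttp://intranet.example.test/tools/setup.exe",
]


def parse_line(line):
    ts, host, proc, url = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, proc.lower(), url


def find_geo_gated_downloads(log_lines):
    """Return (client_host, process, geoip_query_count, payload_url) for each
    script-host process that queried a geo-IP service and then requested a
    payload-like URL within WINDOW. A geo-IP query alone is not flagged."""
    events = defaultdict(list)
    for line in log_lines:
        ts, host, proc, url = parse_line(line)
        if proc in SCRIPT_HOSTS:
            events[(host, proc)].append((ts, url))
    hits = []
    for (host, proc), evs in events.items():
        evs.sort()
        geo_seen = []  # timestamps of geo-IP queries by this process
        for ts, url in evs:
            dest = url.split("/")[2]  # host part of http://host/path
            if dest in GEOIP_HOSTS:
                geo_seen.append(ts)
            elif url.lower().endswith(PAYLOAD_EXTS) and geo_seen and ts - geo_seen[-1] <= WINDOW:
                hits.append((host, proc, len(geo_seen), url))
    return hits


if __name__ == "__main__":
    for hit in find_geo_gated_downloads(SAMPLE_LOG):
        print("geo-gated download:", hit)
```

Because the branch taken depends on the answering geo-IP service, the same sample detonated in sandboxes in different regions can legitimately produce different second-stage payloads, which is worth noting when comparing analysis results across sites.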
By employing a geography-based approach to deliver malware, attackers force enterprise security professionals, especially those who support multi-national organizations, to formulate a response strategy that may vary from region to region. This adds an additional level of complexity, as defenders must devise a security plan for each region of operation.
Involving actionable intelligence in the response planning phase can simplify this effort. By understanding the options for malware delivery, security professionals can realistically assess their options for defense and mitigation.
Regardless of the malware payload, it is crucial for organizations to develop a plan to address and respond to a potential attack against network infrastructure. Properly vetted threat intelligence guides an enterprise toward a sound response strategy for defending against intrusions. Actionable intelligence gives organizations and security professionals the ability to address potential threats and lowers the probability of business risk to an enterprise.