This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Malspam delivers Diablo6 Locky ransomware

AhmedSonbol1
Employee
Employee
‎2017-08-14 06:15 PM

A malspam campaign was noted on Friday August 11th 2017 delivering "Diablo6", a variant of Locky ransomware. The new variant is named after the extension of the encrypted files on a victim machine. It is delivered via PDF documents with attached malicious Word documents. RSA FirstWatch discussed this delivery mechanism before and shared detection techniques using NetWitness Packets and the hunting pack. In this threat advisory we will discuss the network behavior of the recent campaign.

 

Here is an example of a delivery document. It has an attached Word document which in turn has a malicious macro. Social engineering is needed to lure the victim to bypass built-in measures in Adobe Reader and Microsoft Word in order to eventually run the malicious macro.

 

diablo6-pdf.png

 

Submitting the PDF document (SHA256: e58662121738a24edf2341a4344a237d711fdb025dbe0a8f208205d99723209ato RSA pre-release What's This File service shows a medium threat score. It also displays information about embedded Javascript code to try to auto launch the attached Word document:

 

diablo6-wtf-1.png

 

diablo6-wtf-2.png

The embedded Word document itself (SHA256: e853432940466040561d30e2ee81a5e9785d64e6bead19372a9f585745a934fd) has a high threat score with different suspicious characteristics:

 

diablo6-wtf-3.png

 

The VBA code reaches out to a delivery domain in order to download a payload, in this case a Locky ransomware variant (SHA256: 5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e). Analysis report from hybrid-analysis.com can be found here

 

diablo6-nw-session.png

 

diablo6-nw-files.png

 

NetWitness Packets tagged the download sessions with the following meta values:

 

diablo6-nw-investigate.png

 

The network behavior was shared among different infected systems indicating an active campaign:

 

diablo6-nw-sessions.png

 

After a time delay, the executable starts to encrypt the files on the victim machine, then changes the desktop background and displays a note with the necessary instructions to pay the ransom before deleting itself from the system. The time delay is most likely used to evade sandbox technologies:

 

diablo6-ransom-note.png

 

diablo6-desktop.png

 

This Locky variant asks for 0.5 BTC to decrypt the victim files:

 

diablo6-bitcoin.png

 

NetWitness Endpoint shows the following module IIOC's and tracking data for the ransomware:

 

diablo6-ecat.png

 

All the delivery domains from this campaign will be added to FirstWatch C2 domains on Live with the following meta values:

  • threat.source = 'rsa-firstwatch'
  • threat.category = 'malspam'
  • threat.description = 'delivery-domain'

 

Previous RSA Link articles on Locky:

© 2022 RSA Security LLC or its affiliates. All rights reserved.