Locky Ransomware, Kovter Click-Fraud Malware Spreading in Same Campaigns

Exterminator (joined Oct 23, 2012)
Researchers at Microsoft’s Malware Protection Center have spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and the Kovter click-fraud Trojan, the first time criminals have simultaneously distributed both pieces of malware.

According to Microsoft, the .lnk file now supports a potent script that contains links to multiple hardcoded domains from which it attempts to download either malware. A .lnk file is a shortcut file that points to an executable file. In this case, email recipients receive a .zip archive attachment that contains a .lnk file that hides a versatile PowerShell script.

In October, Microsoft spotted cybercriminals switching from using malicious .wsf files in spam campaigns to ones using shortcut files (.lnk extension) that contain PowerShell commands to download and run Locky. At the time, Microsoft said this was notable because it signaled a strategy change by crooks who had been previously relying on the Trojan downloader Nemucod to distribute Locky.

In this most recent campaign, emails containing the .lnk file (contained inside the .zip file) attempt to trick recipients into opening the .zip file as part of a receipt for a spoofed U.S. Postal Service delivery email. If the .zip file is opened and the .lnk shortcut file is executed, a PowerShell script is initiated, Microsoft said.

“The script contains the hardcoded domains and the parameters it uses for the download routine. For each attempt to download, it checks if the download is successful and if the downloaded file is at least 10KB. It stops trying to download when these conditions are met, or when it has gone through the five domains twice with no successful download,” wrote the Microsoft Malware Protection Center team.

The use of multiple domains is an obfuscation technique used to throw off URL filtering security solutions, Microsoft said. Instead of the script relying on one URL, that may be blacklisted, it can increase the odds of success by adding additional domains. “All the script needs is one URL that is not blocked in order to successfully download malware,” Microsoft wrote.

Additionally, cybercriminals “have the option to update the malware payload pointed to by the URLs, change the URLs in the script, or do both to try and evade detection,” according to Microsoft.

Since it began tracking, Microsoft notes that cybercriminals update the payload downloaded by the PowerShell script, sometimes on a daily basis. “During our testing, the malware payload was updated with newer versions of either Locky and Kovter, but technically the attackers can change this to any malware they wish to use,” it wrote.

To Microsoft, Locky and Kovter’s shared distribution suggests that the cybercriminals behind the attacks may also be selling or renting servers as a pay-per-install service.

This is not the first time security researchers have seen Locky and Kovter so closely associated within a campaign. Last month, PhishMe researchers spotted an email campaign that contained a similar .zip archive that contained an obfuscated JScript file capable of downloading Kovter and Locky from compromised Joomla websites.

To avoid falling prey, Microsoft suggests Windows 10 users lock down PowerShell version 5 to “Constrained Mode.” This limits the extended language features that can lead to unverifiable code execution such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects, said Microsoft.
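Added example (not code from Threatpost, Microsoft, PhishMe or the poster): a small Python triage script for the delivery chain described above, a .zip attachment carrying a .lnk whose target is powershell.exe. It reads the shortcut's header and StringData fields according to the MS-SHLLINK layout, skips the optional IDList and LinkInfo sections, and flags shortcuts that launch PowerShell with hidden-window or download-related switches. The archive, both shortcuts and the member names are constructed in memory for the demo; the suspicious shortcut carries a placeholder where a real sample would have its command body.

```python
"""Triage a .zip attachment for Windows shortcut (.lnk) files that launch
PowerShell. Added example for this thread, not Microsoft's, Threatpost's or
PhishMe's code. The archive and shortcuts below are constructed in memory so
the script runs offline; the suspicious one carries a placeholder where a real
sample would have its download-and-run command."""
import io
import struct
import zipfile

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader, offset 20).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) form.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# Switches and cmdlet names (lower-cased) worth a second look when the target
# is powershell.exe; "-nop" also catches "-noprofile", "-enc" catches "-encodedcommand".
SUSPICIOUS_ARGS = ("windowstyle hidden", "-w hidden", "-nop", "-enc", "-ep bypass",
                   "executionpolicy bypass", "downloadfile", "downloadstring",
                   "webclient", "invoke-expression", "iex")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments,
    icon_location) of a shell link, skipping the optional IDList and LinkInfo."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(fields: dict) -> list:
    """List the reasons a parsed shortcut deserves analyst attention (empty = none)."""
    target = (fields.get("relative_path") or fields.get("name") or "").lower()
    args = fields.get("arguments", "").lower()
    hits = []
    if "powershell" in target or "powershell" in args:
        hits.append("launches powershell")
    hits.extend("arg:" + kw for kw in SUSPICIOUS_ARGS if kw in args)
    return hits


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each .lnk member of an archive to its parsed fields and hit list."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                fields = parse_lnk(zf.read(info))
                results[info.filename] = {"fields": fields, "hits": assess_lnk(fields)}
    return results


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode shortcut (no IDList/LinkInfo) for the demo; constructed."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = [relative_path] + ([arguments] if arguments else [])
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


def build_zip(members: dict) -> bytes:
    """Write an in-memory .zip from {member name: bytes}; constructed demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a "USPS receipt" shortcut aimed at powershell.exe (command
# body replaced by a placeholder) next to a harmless notepad shortcut.
SAMPLE_ARGS = ('-NoProfile -WindowStyle Hidden -Command '
               '"<download-and-run body omitted; constructed sample>"')
SAMPLE_ZIP = build_zip({
    "USPS_receipt_8F21.lnk": build_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS),
    "notes.lnk": build_lnk(r"..\..\Windows\System32\notepad.exe"),
})

if __name__ == "__main__":
    for name, result in scan_zip(SAMPLE_ZIP).items():
        print(name, "->", result["hits"] or "clean",
              "| target:", result["fields"].get("relative_path"))
```

The parser never resolves or launches the shortcut, so it is safe to run against quarantined attachments; in practice you would feed `scan_zip` the raw bytes from a mail gateway or sandbox and treat any non-empty hit list as a reason to hold the message. Real-world shortcuts usually carry an IDList and LinkInfo before the strings, which is why the parser skips those sections by their declared sizes rather than assuming a fixed layout.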
 

DC47561 (joined Feb 3, 2017)
Locky hit me pretty hard on a VM when I was testing Microsoft Security Essentials. Thankfully I had a snapshot and my files were backed up.

I agree, brother. My PowerShell, all of it, even the ISE, can't access the internet ;)

I like that - I personally filter any ports I can.

Dirk41 (joined Mar 17, 2016)
I was about to post this: Improved scripts in .lnk files now deliver Kovter in addition to Locky
But then I saw the news was already posted, so I am writing here.

I want to post some interesting things from the MS blog anyway:

Kovter is a complex malware whose file-less persistence makes it more difficult to detect than traditional malware.

In Windows 10, lock down PowerShell version 5 to “Constrained Mode”, which limits the extended language features that can lead to unverifiable code execution such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects.

Enable Windows Defender in Windows 10 to get up-to-date, real-time protection against threats. PowerShell is deeply integrated with Antimalware Scan Interface (AMSI) in Windows 10 to allow registered antivirus software that supports AMSI, like Windows Defender, to inspect content at runtime, enabling the antivirus software to detect malicious code regardless of obfuscation. Windows Defender detects the malicious PowerShell script as TrojanDownloader:PowerShell/Ploprolo.B or TrojanDownloader:PowerShell/Ploprolo.C, and the payload as Ransom:Win32/Locky and Trojan:Win32/Kovter.


So Defender finds Kovter.