Tillerson blames Saudi-led group for GCC rift stalemate AL JAZEERA ENGLISH (AJE)(cached at October 19, 2017, 11:30 pm)

US top diplomat indicates there has been little progress on the eve of trip to region in renewed bid to mediate crisis.
Necurs Botnet malspam pushes Locky using DDE attack, (Thu, Oct 19th) SANS Internet Storm Center, InfoCON: green(cached at October 19, 2017, 11:30 pm)

Introduction

I've seen Twitter traffic today about malspam from the Necurs Botnet pushing Locky ransomware using Word documents as their attachments.  These Word documents use the DDE attack technique, something I already wrote about in a previous diary covering Hancitor malspam on 2017-10-16.  Here's a link to My Online Security's writeup about today's malspam from the Necurs Botnet.

I opened one of the Word documents in my lab environment and observed a 1st-stage malware (presumably a downloader) and a 2nd-stage malware (Locky) during the infection.  Today's diary reviews the traffic and malware.


Shown above:  Flow chart for the infection process.

Emails

Below is a copy of one of the emails.  I found several dozen of them; however, I only noticed 3 distinct Word documents among the attachments.


Shown above:  Screen shot from one of the emails.

Attachments

The email attachments exhibited characteristics similar to previous Word documents using the DDE attack method.
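The DDE technique rides on ordinary Word field codes (DDE or DDEAUTO), so a quick triage check is to unzip the .docx and look for those keywords in the field instructions under word/. The script below is an added example, not code from this diary or from the samples it references: it handles both simple fields (w:fldSimple) and complex fields whose instruction text is split across several w:instrText runs, a common way of hiding the keyword. The two documents it checks are constructed in memory with a hypothetical command and are not the attachments discussed above.

```python
"""Triage check for DDE/DDEAUTO field codes inside a .docx.

Added example, not code from the diary. The sample documents are constructed
in memory (only word/document.xml is populated); they are not the diary's samples.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Match a DDE or DDEAUTO field instruction. The keyword may follow whitespace,
# a quote or a brace (nested fields), and Word ignores case.
DDE_RE = re.compile(r'(?:^|[\s"{])DDE(?:AUTO)?\b', re.IGNORECASE)


def field_codes(xml_bytes: bytes) -> list:
    """Return every field instruction in one WordprocessingML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex fields
    scatter it over w:instrText runs between fldChar begin/end, so those runs
    are joined (across nesting) before inspection; splitting the keyword over
    several runs is a common evasion."""
    root = ET.fromstring(xml_bytes)
    codes = [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    depth, parts = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(parts))
                    parts = []
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")
    return codes


def find_dde(docx_bytes: bytes) -> list:
    """Return the DDE/DDEAUTO field codes found in any XML part under word/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # fields can also live in headers, footers and footnotes
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = field_codes(z.read(name))
            except ET.ParseError:
                continue
            hits += [c for c in codes if DDE_RE.search(c)]
    return hits


# --- constructed test documents ---
def doc_xml(body: str) -> str:
    return ('<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
            % (W_NS, body))


def complex_field(*runs: str) -> str:
    """Build a complex field whose instruction is split across several runs."""
    instr = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r
                    for r in runs)
    return ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + instr +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>')


def make_docx(document_xml: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# keyword split over two runs; hypothetical command, not taken from the diary's samples
MALICIOUS_DOCX = make_docx(doc_xml(complex_field(
    " DDEA", "UTO c:\\windows\\system32\\cmd.exe \"/k echo dde\" ")))
BENIGN_DOCX = make_docx(doc_xml(
    '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'))

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, find_dde(doc))
```

A hit is a reason to detonate the file in a sandbox, not proof of malice on its own; the same keyword match also works on the flat XML inside older .doc files once they are converted, but that path is not covered here.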


Shown above:  Opening the Word document in a test environment (1 of 3).


Shown above:  Opening the Word document in a test environment (2 of 3).


Shown above:  Opening the Word document in a test environment (3 of 3).

Network traffic

Traffic was a bit different from what I've seen with recent attachments from the Necurs Botnet.  The first HTTP request returned a base64 string that contained further URLs for the 1st-stage malware download.  The second HTTP request returned the 1st-stage malware.  Two follow-up HTTP POST requests came from the 1st-stage malware with the User-Agent string Windows-Update-Agent.  Then came an HTTP POST request that returned the Locky ransomware binary.  The Locky binary was encoded as it passed over the network and was decoded on the local host, so the raw bytes in the pcap are not the executable itself.
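Two of the observations above translate directly into log checks: a base64 response body that unpacks into download URLs, and HTTP POSTs carrying the Windows Update User-Agent to hosts that are not Microsoft's. The script below is an added example, not code from this diary; the tab-separated log format, the hostnames (reserved .invalid names and a TEST-NET-3 address) and the base64 body are all constructed, and the list of legitimate Windows Update domains is an assumption to be tuned against what your own proxy logs show for real update traffic.

```python
"""Two checks on proxy/HTTP logs for the traffic pattern described in the diary.

Added example, not code from the diary. Log lines, hostnames and the base64
body are constructed; the update-host list is an assumption.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Assumption: the genuine Windows Update client only sends a User-Agent that
# starts with "Windows-Update-Agent" to Microsoft's update hosts.
WU_HOSTS = ("windowsupdate.com", "microsoft.com")
WU_UA_PREFIX = "Windows-Update-Agent"
URL_RE = re.compile(rb"https?://[^\s<>\"']+")


@dataclass
class Request:
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: int
    ua: str


def parse_log(text: str) -> list:
    """Parse the constructed tab-separated format: ts src method host path status ua."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, status, ua = line.split("\t")
        reqs.append(Request(ts, src, method, host, path, int(status), ua))
    return reqs


def is_microsoft_update_host(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WU_HOSTS)


def rogue_update_agent(reqs: list) -> list:
    """Requests that present the Windows Update User-Agent to non-Microsoft hosts.
    Keying on the destination rather than on the UA alone keeps real WU traffic out."""
    return [r for r in reqs
            if r.ua.startswith(WU_UA_PREFIX) and not is_microsoft_update_host(r.host)]


def urls_from_b64(body: bytes) -> list:
    """Decode a base64 response body and extract the URLs it carries.
    Whitespace is stripped and padding restored first; a body that is not valid
    base64 yields an empty list instead of an exception."""
    compact = b"".join(body.split())
    compact += b"=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return []
    return [u.decode("ascii", "replace") for u in URL_RE.findall(raw)]


# --- constructed inputs ---
LOG = (
    "2017-10-19T13:01:02Z\t10.0.0.5\tGET\tstage.example.invalid\t/get.php\t200\tMozilla/5.0\n"
    "2017-10-19T13:01:03Z\t10.0.0.5\tGET\tstage.example.invalid\t/dl1.bin\t200\tMozilla/5.0\n"
    "2017-10-19T13:01:10Z\t10.0.0.5\tPOST\t203.0.113.7\t/\t200\tWindows-Update-Agent\n"
    "2017-10-19T13:01:11Z\t10.0.0.5\tPOST\tc2.example.invalid\t/\t200\tWindows-Update-Agent\n"
    "2017-10-19T13:02:00Z\t10.0.0.5\tGET\tdownload.windowsupdate.com\t/d/x.cab\t200\t"
    "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40\n"
)
# Body of the first GET: base64 of a newline-separated URL list, line-wrapped the
# way a server might emit it (encoded here only to build the sample).
FIRST_BODY = base64.encodebytes(
    b"http://stage.example.invalid/dl1.bin\nhttp://stage.example.invalid/dl2.bin\n")

if __name__ == "__main__":
    for r in rogue_update_agent(parse_log(LOG)):
        print("rogue WU agent:", r.ts, r.src, r.method, r.host)
    print("stage-1 URLs:", urls_from_b64(FIRST_BODY))
```

The URL extraction is deliberately loose (anything that looks like http(s)://) because the delimiter the first stage uses between URLs is not something to rely on; the extracted hosts are what you feed into the blocklist or retro-hunt.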

No callback traffic from the Locky binary was noted.  I just saw some more HTTP POST requests from the 1st-stage malware.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  First HTTP request returned a base64 string.


Shown above:  1st-stage malware downloaded.


Shown above:  1st-stage malware possible connectivity check.


Shown above:  1st-stage malware callback traffic to a probable command & control server.


Shown above:  Locky binary sent to the infected Windows host.

The infected Windows host

The infected host exhibited characteristics of a Locky ransomware infection.  The Locky binary deleted itself after the infection.  However, the 1st-stage malware was made persistent on the infected host; I saw a Windows registry entry added for it.


Shown above:  Desktop of an infected Windows host.


Shown above:  Locky ransom cost was .25 bitcoin.


Shown above:  1st-stage malware persistent on my infected host.

Indicators

Traffic from my infected Windows host:

Other URLs from the infected host:

Malspam attachments:

SHA256 hash:  3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126

SHA256 hash:  ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2

SHA256 hash:  4a7f805f6b8fec64d3cf07c02a1d200c703ce4cc6ddf2dabd56ad9d6c936c603

Malware from the infected Windows host:

SHA256 hash:  d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4

SHA256 hash:  4c054127056fb400acbab7825aa2754942121e6c49b0f82ae20e65422abdee4f

Final words

Standard disclaimer:  As always, it's relatively easy to follow best security practices on your Windows computer.  Software Restriction Policies (SRP) or AppLocker, by blocking execution of binaries dropped into user-writable locations, can easily prevent this type of malspam-based infection from occurring.

This is an interesting development, because it shows how the DDE attack technique has spread to large-scale distribution campaigns.  It's not new, and I'm not sure how effective it really is.  If you know of anyone who was infected from one of these DDE-based Office documents, please tell your story in the comments.

Pcap and malware samples for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Profile of William H. Alsup, a Judge Who Codes and Decides Tech's Biggest Cases Slashdot by msmash on programming (cached at October 19, 2017, 11:04 pm)

Sarah Jeong at The Verge has an interesting profile of William H. Alsup, the judge in the Oracle v. Google case, who, to the surprise of many, was able to comment on the technical issues that Oracle and Google were fighting about. Alsup admits that he learned the Java programming language only so that he could better understand the substance of the case. Here's an excerpt from the interview: On May 18th, 2012, attorneys for Oracle and Google were battling over nine lines of code in a hearing before Judge William H. Alsup of the northern district of California. The first jury trial in Oracle v. Google, the fight over whether Google had hijacked code from Oracle for its Android system, was wrapping up. The argument centered on a function called rangeCheck. Of all the lines of code that Oracle had tested -- 15 million in total -- these were the only ones that were "literally" copied. Every keystroke, a perfect duplicate. It was in Oracle's interest to play up the significance of rangeCheck as much as possible, and David Boies, Oracle's lawyer, began to argue that Google had copied rangeCheck so that it could take Android to market more quickly. Judge Alsup was not buying it. "I couldn't have told you the first thing about Java before this trial," said the judge. "But, I have done and still do a lot of programming myself in other languages. I have written blocks of code like rangeCheck a hundred times or more. I could do it. You could do it. It is so simple." It was an offhand comment that would snowball out of control, much to Alsup's chagrin. It was first repeated among lawyers and legal wonks, then by tech publications. With every repetition, Alsup's skill grew, until eventually he became "the judge who learned Java" -- Alsup the programmer, the black-robed nerd hero, the 10x judge, the "master of the court and of Java."

Read more of this story at Slashdot.

UK PM Theresa May calls for 'urgency' on Brexit talks AL JAZEERA ENGLISH (AJE)(cached at October 19, 2017, 11:00 pm)

Florida: Anti-racists rally against Richard Spencer AL JAZEERA ENGLISH (AJE)(cached at October 19, 2017, 11:00 pm)

Anticipating clashes over alt-right leader's speech, Florida's governor declares a state of emergency.
G7 to Put Squeeze on Internet Giants at Terror Talks (SecurityWeek) SANS ISC SecNewsFeed(cached at October 19, 2017, 11:00 pm)

Doctors To Breathalyse Smokers Before Allowing Them NHS Surgery Slashdot by msmash on medicine (cached at October 19, 2017, 10:34 pm)

Smokers in Hertfordshire, a county in southern England, are to be breathalysed to ensure they have kicked the habit before they are referred for non-urgent surgery. From a report, shared by several readers: Smokers will be breath-tested before they are considered for non-urgent surgery, two clinical commissioning groups (CCGs) have decided. Patients in Hertfordshire must stop smoking at least eight weeks before surgery or it may be delayed. Obese patients have also been told they must lose weight in order to have non-urgent surgery. The Royal College of Surgeons (RCS) said the plan seemed to be "against the principles of the NHS (the publicly funded national healthcare system for England)." A joint committee of the Hertfordshire Valleys and the East and North Hertfordshire CCGs, which made the decisions, said they had to "make best use of the money and resources available." Patients with a body mass index (BMI) of over 40 must lose 15% of their weight and those with a BMI of over 30 must lose 10%, or reduce it to under a 40 BMI or a 30 BMI - whichever is the greater amount. The lifestyle changes to reduce weight must take place over nine months.

Read more of this story at Slashdot.

Cape Networks Sees Into the WLAN- and Deeper (IT Toolbox Blogs) SANS ISC SecNewsFeed(cached at October 19, 2017, 10:30 pm)

Employees Sue Home Health Provider After Phishing Breach (InfoRiskToday) SANS ISC SecNewsFeed(cached at October 19, 2017, 10:30 pm)

Amazon Battles Google for Renewable Energy Crown Slashdot by msmash on business (cached at October 19, 2017, 10:04 pm)

Readers share a report: Even in the age of coal enthusiast President Donald Trump, clean-energy developers are finding plenty of interest in wind and solar power from businesses with sustainability targets, especially technology companies. That was on display in a video tweeted Thursday by Amazon.com Chief Executive Officer Jeff Bezos, as he christened the 253-megawatt Amazon Wind Farm Texas in Scurry County. Amazon has bought more than 1.22 gigawatts of output to date from U.S. clean-energy projects, second only to Alphabet's Google, with 1.85 gigawatts. Corporations have agreed to buy 1.9 gigawatts of clean power in the U.S. this year, according to Bloomberg New Energy Finance, and are on pace to match the 2.6 gigawatts signed last year.

Read more of this story at Slashdot.

Test-Simple-1.302104-TRIAL search.cpan.org by Chad Granum (cached at October 19, 2017, 10:03 pm)

Basic utilities for writing tests.
Async-Event-Interval-0.04 search.cpan.org by Steve Bertrand (cached at October 19, 2017, 10:03 pm)

Extremely simple timed asynchronous events
Astro-Sunrise-0.97 search.cpan.org by Jean Forget (cached at October 19, 2017, 10:03 pm)

Perl extension for computing the sunrise/sunset on a given day
Senators Unveil Bill For Transparent Social Media Ads After Russian Election Interfe SANS ISC SecNewsFeed(cached at October 19, 2017, 10:00 pm)

Phishing Emails Remain a Big Problem (IT Toolbox Blogs) SANS ISC SecNewsFeed(cached at October 19, 2017, 9:30 pm)