Criminals have taken a liking to the idea of combining multiple types of malware into one distribution campaign. Malware Protection Center researchers discovered a string of email messages using malicious attachments to spread both Locky ransomware and the Kovter Trojan. It is not the first time these two types of malware are distributed in the same campaign, as dual-pronged spam campaigns have become more common as of late.
This morning we noticed the start of a campaign using New notice to Appear in Court as the email subject. The attachments are identical to the Typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the same sites used in the USPS, FedEx, UPS current campaigns. I am sure that both campaigns will continue side by side. It is very likely that different “affiliates” are using the same distribution network, but each one prefers a different email lure to gain victims.
The attachments all start with a zip named along the lines of Notice_00790613.zip which contain another zip Notice_00790613.doc.zip which in turn contains Notice_00790613.doc.js
Criminals Step Up Malware Distribution
It is rather disconcerting to learn opening a malicious email attachment can introduce two different types of malware at the same time. As if the Locky ransomware is not annoying to deal with on its own, computer users will also be affected by the Kovter Trojan. This latter piece of malware specialized in click fraud, generating a lot of illegal advertisement revenue for criminals.
Through a malicious email attachment, criminals execute a script that contains links to multiple domains where the malware types are downloaded from. By making the attachment a .Ink file, the recipient may click it and have the payload download executed in the background. PowerShell scripts have become a fan favorite among criminals targeting Windows users these days, that much is certain.
Researchers discovered a total of five hardcoded domains in the script from where the malware can be downloaded. Both the Locky ransomware and Kovter Trojan payloads are hosted on these platforms, and it is expected more of these domains will continue to pop up over time. Although law enforcement agencies can take down these domains rather easily, criminals will not hesitate to create additional hosting solutions over time.
As one would expect from these spam email campaigns, the message in question is a fake receipt for a spoofed USPS delivery email. In the attached zip file, there is the malicious .Ink file , which initiates the PowerShell script once opened. One interesting aspect about this script is how it checks if the file is downloaded successfully and if is at least 10KB in size. Once that has been verified, it will stop the process automatically.
Microsoft researchers feel the use of multiple domain names to download the payload from is a powerful obfuscation technique. Blacklisting one specific URL is a lot easier than dealing with a handful of different domains. Moreover, this method seems to hint at how criminals can easily add more servers to download the malicious payloads from if they want to. A very troublesome development, to say the least.
Perhaps the most worrisome aspect of this new malware distribution campaign is how criminals continue to update the payloads themselves. Both Kovter and Locky receive regular updates, which means the development of ransomware and click-fraud Trojans is still going on behind the scenes. Moreover, it goes to show criminals will continue to rely on multi-pronged distribution campaigns for malware and ransomware moving forward.