(Note: Read our latest comprehensive report on ransomware: Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene.)
We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers. This year, we’re seeing a spam campaign that Amazon customers need to be wary of. The fake emails pretend to be notifications from the online retailer that a purchase has been sent out for delivery. To appear legitimate, the emails may also spoof delivery companies.
These email messages start an infection chain that leads to a ransomware infection. You don’t want to find yourself at the end of this chain, because by then, your files will have been encrypted by the malware.
Figure 1: The Black Friday/Cyber Monday themed spam triggers an infection chain that leads to a ransomware infection
But, as it’s a chain of events, you can stop the infection at several points. Let’s trace the infection chain:
- The email is a fake Amazon notification. You can detect that it’s fake, because even if it tries to look as legitimate as possible, it still doesn’t look like the usual Amazon email. Amazon lists components of a fake email here: https://www.amazon.com/gp/help/customer/display.html?nodeId=15835501
- The downloaded file is a ransomware detected as Ransom:Win32/Locky.A. Windows Defender detects this malware.
Locky is a ransomware family that encrypts files using a public key. It’s been known to be spread by the downloader Nemucod. We have been tracking the Nemucod-Locky tandem, and we have seen it evolve over time, changing attachment file names and social engineering lures. This Black Friday/Cyber Monday version is just the latest of what looks like a continuous campaign.
Here are samples of the fake Amazon email messages:
Figure 2: A sample fake Amazon email that also spoofs Royal Mail as the courier
Figure 3: A sample fake Amazon email that also spoofs FedEx as the courier
Figure 4: A sample fake Amazon email that also spoofs DHL as the courier
In what looks like an attempt to evade anti-spam solutions that depend on the hash of the email body, the character "=" is added in random places in the email. The malware authors could have reused the message from a previous spam campaign, and needed only to change the positions of the added character. This changes the hash of the email body, and it might prove effective against some email filters.
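The evasion described above, and one way a mail filter can counter it, shown as an added example that is not from the original post. The sample bodies are constructed, the bodies are assumed to be already decoded from their transfer encoding, and the function names, the 4-character shingle size and the use of Jaccard similarity are assumptions of this example:

```python
import hashlib
import re

# Constructed sample bodies: the same lure with "=" inserted at different positions.
VARIANT_A = "Dear Cus=tomer, your order has been dis=patched and is out for delivery."
VARIANT_B = "Dear Customer, yo=ur order has been dispatched and is o=ut for deli=very."
UNRELATED = "Quarterly report attached, please review before the Monday meeting."

def exact_hash(body: str) -> str:
    """Hash of the body as received; any inserted character changes it."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def normalize(body: str, filler: str = "=") -> str:
    """Canonical form used only for fingerprinting: drop the filler character,
    fold case and collapse whitespace. Legitimate "=" is dropped too, which is
    acceptable because this form is compared, never displayed."""
    stripped = body.replace(filler, "")
    return re.sub(r"\s+", " ", stripped).strip().lower()

def normalized_hash(body: str) -> str:
    """Hash of the canonical form; stable across filler positions."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()

def shingles(body: str, k: int = 4) -> set:
    """Character k-grams of the case- and whitespace-folded body (filler kept)."""
    text = re.sub(r"\s+", " ", body).strip().lower()
    return {text[i:i + k] for i in range(max(1, len(text) - k + 1))}

def similarity(a: str, b: str) -> float:
    """Jaccard similarity of shingle sets; works when the filler is not known."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)

if __name__ == "__main__":
    print("exact hashes match:     ", exact_hash(VARIANT_A) == exact_hash(VARIANT_B))
    print("normalized hashes match:", normalized_hash(VARIANT_A) == normalized_hash(VARIANT_B))
    print("similarity A vs B:       %.2f" % similarity(VARIANT_A, VARIANT_B))
    print("similarity A vs other:   %.2f" % similarity(VARIANT_A, UNRELATED))
```

The exact hash treats the two variants as different messages, while the normalized hash and the shingle similarity both group them as the same lure.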
Ransom:Win32/Locky.A encrypts files and renames them to this format: [victim computer ID] – [hexadecimal file identifier].aeris. The extension .aeris is the latest in a list that Locky has used for the files it encrypts: .locky, .zepto, .odin, .shit, and .thor.
The ransomware assigns an ID to the victim computer, which it uses for the file name of encrypted files. It then connects to command-and-control (C&C) servers to report this ID and other information about the infected computer.
It drops the following ransom note, which instructs the victim to pay to regain access to the files: %Desktop%\-INSTRUCTION.bmp:
Figure 7: Ransom:Win32/Locky.A leaves this ransom note
The malware samples analyzed for this blog post have the following SHA1 hashes:
- Ransom:Win32/Locky.A (Decrypted payload)
Prevention and mitigation
To avoid falling prey to this new ransomware, here are some tips:
For end users
- Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
- Think before you click. Do not open emails from senders you don’t recognize. Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. This campaign spoofs Amazon and the delivery companies Royal Mail, DHL, and FedEx. The attachment is a ZIP file, which may be a common attachment type, but it contains a .JS file. Be mindful of what the attachment is supposed to be (in this case, most likely a document) and the actual file type (a script).
For IT administrators
- Use Office 365 Advanced Threat Protection. It has a machine learning capability to help your network administrators block dangerous email threats. See the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
- Use Windows Defender Advanced Threat Protection to help detect, investigate, and respond to advanced and targeted attacks on your enterprise networks.
- Use the AppLocker group policy to prevent dubious software from running.
Duc Nguyen and Wei Li