2017-10-30 - NECURS BOTNET MALSPAM USES DDE ATTACK TO PUSH LOCKY

ASSOCIATED FILES:

SOME PRIOR DOCUMENTATION:

NOTES:

Shown above:  Same chain of events as we've been seeing.

EMAILS


Shown above:  Example of an email from this wave of malspam.

EMAIL HEADERS:

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

OTHER URLS FROM THE WORD DOCUMENTS:

OTHER URLS TO RETRIEVE THE FILE DOWNLOADER:

TOR DOMAIN USED FOR LOCKY DECRYPTION:

FILE HASHES

WORD DOCUMENTS USING DDE ATTACK:

MALWARE RETRIEVED FROM THE INFECTED HOST:

IMAGES


Shown above:  Popup notification seen from Word document using DDE attack (1 of 3).

Shown above:  Popup notification seen from Word document using DDE attack (2 of 3).

Shown above:  Popup notification seen from Word document using DDE attack (3 of 3).

Shown above:  Desktop from an infected Windows host.

Shown above:  Ransom payment was .25 bitcoin.

Shown above:  Registry update to keep the initial malware persistent on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
