Kelihos Delivering WildFire Locker Encryption RansomwareSo while doing the daily chores of Kelihos malware, we found an interesting behavior change that has never been seen before for Kelihos. The Kelihos botnet, which is famous for doing pharma spam predominantly for Canadian Health & Care Mall; pump & dump is delivering the WildFire Locker Encryption ransomware along with its regular pharma spam.
|Kelihos spamming in Dutch|
From: firstname.lastname@example.org Subject: Mislukte afleverpoging BT-32084 Transportbedrijf Buitink B.V. Westkanaaldijk 160 3542 DA Utrecht -------------------------- Geachte heer / mevrouw, Op donderdag 7 juli heeft een van onze chauffeurs omstreeks 11.30 geprobeert om een pakket af te leveren. Aangezien dit niet is gelukt willen wij u graag verzoeken om zo spoedig mogelijk een nieuwe afspraak te maken. U kunt een nieuwe afpsraak maken door het volgende formulier te downloaden, in te vullen en retour te mailen naar email@example.com
When translated to English, the message states:
Subject: Unsuccessful delivery attempt BT-32084
Transport Buitink B.V.
3542 DA Utrecht
Dear Sir / Madam,
On Thursday, July 7th at about 11:30 our drivers tried to deliver a package.
Since this was not successful, we would like to request to make a new appointment as soon as possible.
You can create a new appointment by downloading the following form to complete and return by email to firstname.lastname@example.org
(This form also contains delivery HINTS)
The information contained in this email message is automatically generated and intended solely for the addressee. Use of this information by anyone other than the addressee is prohibited.
The message informs recipients of an undelivered package and entices the user to click on the embedded link.
Once the victim clicks the embedded link and downloads the file, a Microsoft Word document is downloaded which contains malicious code to place a file representing the WildFire Locker Encryption Ransomware on the victim’s computer.
This hostile document performs the following two steps:
First, it asks the user, in both English and Dutch, to "Enable Editing":
Some very interesting choices of variable names! TonyMontanaZRanaJakmietana, Nazgul, MinasTirit, Gondor, KerryMcNot, LouiseBackdone, and VERYKINDVAR and seem rather unique. If you've seen them before, please leave a comment!
Once the macro is enabled, WildFire takes control of your machine and encrypts all the files with AES-256 CBC encryption.
The ransom note is displayed ot the victim and he or she is instructed to visit one of the TOR-hosted payment locations in order to purchase a decryption password. This password would be used to retrieve the files encrypted from the ransomware.
Some interesting observations from this data include several locations:
1. The Onion domain name, gsxrmcgsygcxfkbb[.]onion
2. A geoplugin URL, http:// www . geoplugin . net / xml.gp
We hope you will agree that this change in behavior of the payload of the Kelihos botnet was worth noting.
Thanks for the Guest Blog, Arsh!
For more details on this observation: Arsh Arora, MSCFSM, PhD student, ararora at uab.edu
(Arsh also runs the Facebook Group "Security Tips for Parents & Kids"
For more information about the Masters in Computer Forensics and Security Management at UAB, Gary Warner - gar at uab.edu