I'm pleased to have Arsh Arora return with another guest blog about his findings as he continues to observe the Kelihos botnet. Arsh recently received his Master's in Computer Forensics and Security Management in our program at UAB and has chosen to continue his malware research as a PhD candidate.
Kelihos botnet delivering CryptFile2 ransomware with an AmericanAirlines theme
By Arsh Arora
When we saw the Kelihos botnet delivering ransomware last month on July 8th, we sat up and took notice. The Kelihos botnet has a long history of delivering pharma spam and stock market manipulation spam (pump-n-dump), but now it was spamming the WildFire ransomware. (See: http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html) I was under the impression that it was one of the occasional gimmicks observed with Kelihos where they try something a single time and then move on. I assumed that some script kiddies were testing new ransomware techniques.
Unfortunately, I was wrong and Kelihos hit back with CryptFile2 encryption ransomware.
To lure victims, this campaign used subject lines impersonating American Airlines. The URLs below are the download locations sent in the spam emails, each with its corresponding subject line:
hxxp://dataupllinks[.]top/nfdk/ticket1845[.]doc - Free Fly with AmericanAirlines
hxxp://ftp[.]dataupllinks[.]top/edsf/tick-873[.]doc - Bonus from AmericanAirlines
hxxp://ftp[.]filesgigastor[.]top/23tf/disc_tick-235[.]doc - AmericanAirlines free 100$
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc - AmericanAirlines discount
The following is the email the victim receives, inviting him or her to check out special fares to favorite vacation spots.
Figure 1 - American Airlines Discounts
Several subject lines were used, including:
- Subject: Bonus from AmericanAirlines
- Subject: AmericanAirlines free 100$
- Subject: AmericanAirlines discount
- Subject: Free fly with AmericanAirlines
Subject: AmericanAirlines discount
Traveling with the world's largest airline shouldn't have to be expensive. That's why at Ctrip, we are
bringing you our lowest prices yet for flights with American Airlines.
>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
*Prices exclude taxes and fees.
Los Angeles - Las Vegas from 88$
Las Vegas - Los Angeles from 198$
New York - Chicago from 192$
Toronto - Hong Kong from 923$
Los Angeles - Shanghai from 832$
Toronto - Beijing from 958$
Chicago - Beijing from 712$
Boston - Beijing from 1,077$
Boston - Shanghai from 1,060$
Chicago - Shanghai from 845$
Atlanta - Beijing from 1,581$
Chicago - New York from 221$
Los Angeles - New York from 440$
New York - Toronto from 220$
New York - Miami from 177$
New York - Orlando from 203$
Seattle - Los Angeles from 145$
New York - Los Angeles from 366$
Los Angeles - San Francisco from 186$
>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc
Terms and Conditions:
Prices are correct at time of publication and are subject to availability and change. Please see
english.ctrip.com to confirm availability, prices, and applicable terms and conditions. Flights for
certain dates may be sold out. In this event, please try to enter another flight date. Airlines reserve
right to adjust prices and control seat availability according to sales situation. Final fare based on
airline's actual sale price. Seat availability subject to airlines. Special fares may be subject to
strict change, refund and endorsement conditions. Please refer to conditions of confirmed booking for
details. Ctrip.com International Ltd. (CTRP) reserves all rights of final interpretation.
The prices are striking enough to entice the victim to click the link. Clicking it prompts the browser to download a Word document. The user has no way of knowing that the document carries hostile code, and macro-bearing Word documents remain one of the more common ways of distributing malware.
Once the download is complete the victim opens the document. It follows the same pattern as the document used in the previous Kelihos ransomware campaign: the Word document opens in 'Protected View' and asks the user to click 'Enable Editing' to view the content.
Figure 2 - "Protected Document"
After 'Enable Editing' is clicked, a second security bar asks the user to 'Enable Content', that is, to enable macros. Think of it as the "ENCRYPT ME" button: Protected View and the macro warning are two separate gates, and each is defeated with a single click.
Figure 3 - "Enable Editing AKA Encrypt Me!"
After 'Enable Content' is clicked, the document displays the following text.
Figure 4 - Looks like a Word Document!
This is the first time we have observed this behavior in a Word document delivering malware. Generally there is no content in the document at all, and the malware infects the victim's machine within minutes if not seconds.
The decoy text makes the document look like a legitimate file and keeps the user reading while the macro's payload contacts its command and control server and encrypts files in the background.
By the time the user finishes reading, the computer's files have been encrypted by CryptFile2 ransomware.
Figure 5 - You are now ENCRYPTED
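The chain above (download a .doc, click through Protected View, click 'Enable Content', macro runs) depends entirely on the file carrying a VBA project. As an added example, not code from the post or anything the Kelihos operators used, here is a small Python triage script that decides from the bytes, not the extension, whether a downloaded Word file carries macros. Its OLE2 check is a heuristic scan for the UTF-16LE directory-entry names Word uses for a VBA project, a stand-in for a full compound-file parser such as olevba; the OOXML check is exact (a macro-enabled document stores its project as vbaProject.bin). The sample files are constructed in memory and labelled as such; the real lure document is not reproduced.

```python
"""Static triage for a Word attachment: does the file carry a VBA project?

Added example, not code from the post or from the Kelihos operators.  The
sample files below are constructed in memory; the real lure document
(MD5 4fde04b25ea20b6ab30c5e4984e01afc) is not reproduced here.
"""
import hashlib
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) is a zip

# Storage/stream names Word uses for a VBA project inside an OLE2 file.  Directory
# entry names are stored as null-terminated UTF-16LE, so a raw byte scan for these
# encodings is a fast heuristic stand-in for walking the compound-file directory
# the way a full parser such as olevba does.
VBA_ENTRY_NAMES = ("Macros", "_VBA_PROJECT", "VBA")

# Hash published in the post; an exact-match check catches only this one sample.
KNOWN_BAD_MD5 = {"4fde04b25ea20b6ab30c5e4984e01afc": "Kelihos AmericanAirlines lure"}


def container_type(data: bytes) -> str:
    """Classify by magic bytes, never by file extension: Word opens either format
    regardless of whether the URL ended in .doc."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ole_has_vba(data: bytes) -> bool:
    """Heuristic: look for VBA directory-entry names encoded as UTF-16LE."""
    return any(name.encode("utf-16-le") + b"\x00\x00" in data for name in VBA_ENTRY_NAMES)


def ooxml_has_vba(data: bytes) -> bool:
    """Exact check: a macro-enabled OOXML document stores its project as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(data: bytes) -> dict:
    """Return container type, macro verdict, MD5 and any known-bad label."""
    kind = container_type(data)
    if kind == "ole2":
        has_vba = ole_has_vba(data)
    elif kind == "ooxml":
        has_vba = ooxml_has_vba(data)
    else:
        has_vba = False
    digest = hashlib.md5(data).hexdigest()
    return {"container": kind, "has_vba": has_vba, "md5": digest,
            "known_bad": KNOWN_BAD_MD5.get(digest)}


# --- constructed samples (not real documents) ---------------------------------
def fake_ole(entry_names) -> bytes:
    """A stand-in OLE2 blob: valid magic, padding, then UTF-16LE entry names."""
    body = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in entry_names)
    return OLE_MAGIC + b"\x00" * 504 + body


def fake_ooxml(with_macros: bool) -> bytes:
    """A minimal OOXML-shaped zip, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


DOC_WITH_MACROS = fake_ole(["WordDocument", "Macros", "VBA", "_VBA_PROJECT", "dir"])
DOC_CLEAN = fake_ole(["WordDocument", "1Table", "SummaryInformation"])

if __name__ == "__main__":
    for label, blob in [("doc+macros", DOC_WITH_MACROS), ("doc clean", DOC_CLEAN),
                        ("docm", fake_ooxml(True)), ("docx", fake_ooxml(False))]:
        print(label, triage(blob))
```

The hash lookup catches only this exact sample; the macro check is what catches the next variant. A document that is flagged here still needs dynamic analysis to recover the download URL, which in this campaign only appears once the macro runs.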
An interesting feature of the ransom note is that the threat actors have changed how they collect payment. There is no mention of a Tor-hosted (.onion) payment website. Instead, the note lists two email addresses through which the victim contacts the threat actor directly to pay the ransom:
westbors@oath[.]com
gobas@inorbit[.]com
This seems foolhardy and not very sophisticated, but the American Airlines lure will certainly gain some victims! The behavior is markedly different from the previous WildFire ransomware campaign: the text displayed after macros are enabled is a significant change in the Word documents Kelihos uses to spread ransomware.
Other interesting observations:
- MD5 hash of the Word document: 4fde04b25ea20b6ab30c5e4984e01afc
- Website mentioned in the Word document: english[.]ctrip[.]com
- Payload location: hxxp://216[.]170[.]126[.]3/wfil/file[.]exe
- hxxp://216[.]170[.]118[.]4/default[.]jpg
- Command & Control Center: hxxp://216[.]170[.]118[.]4/wes/offers[.]php
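As an added example, mine rather than the author's, here is how I would turn the defanged indicators above (the four lure URLs, the payload locations and the C2) into a matcher for proxy logs. The Squid-style access log lines are constructed for illustration, and the three match strengths (exact URL, exact host, sibling host on the same registrable domain) are my own deployment choice, not something the post describes. Note that english[.]ctrip[.]com is deliberately left out: it is a legitimate site the decoy text refers to, not infrastructure the actors control.

```python
"""Turn the defanged indicators from the post into a proxy-log matcher.

Added example, not code from the post.  The Squid-style access log lines are
constructed here for illustration; only the indicators come from the post.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as published (defanged) in the post above.
DEFANGED_IOCS = [
    "hxxp://dataupllinks[.]top/nfdk/ticket1845[.]doc",
    "hxxp://ftp[.]dataupllinks[.]top/edsf/tick-873[.]doc",
    "hxxp://ftp[.]filesgigastor[.]top/23tf/disc_tick-235[.]doc",
    "hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc",
    "hxxp://216[.]170[.]126[.]3/wfil/file[.]exe",
    "hxxp://216[.]170[.]118[.]4/default[.]jpg",
    "hxxp://216[.]170[.]118[.]4/wes/offers[.]php",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Undo the usual defanging (hxxp, [.], (.), (dot), [:]) so the string can be parsed."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("(dot)", "."), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; fine for the .top/.net hosts here, but use a
    public-suffix list before deploying this against real traffic."""
    return ".".join(host.lower().split(".")[-2:])


class IocMatcher:
    """Matches at three strengths: exact URL, exact host, or a sibling host on the
    same registrable domain (the actors used ftp./www. subdomains of one domain)."""

    def __init__(self, defanged_iocs):
        self.urls, self.hosts, self.domains = {}, {}, {}
        for ioc in defanged_iocs:
            url = refang(ioc)
            host = urlparse(url).hostname or ""
            self.urls[url] = ioc
            self.hosts.setdefault(host, ioc)
            if not IPV4.fullmatch(host):          # no domain rule for bare IPs
                self.domains.setdefault(registrable_domain(host), ioc)

    def classify(self, url: str):
        """Return (level, matching_ioc) for the strongest hit, or None."""
        if url in self.urls:
            return "url", self.urls[url]
        host = urlparse(url).hostname or ""
        if host in self.hosts:
            return "host", self.hosts[host]
        if not IPV4.fullmatch(host) and registrable_domain(host) in self.domains:
            return "domain", self.domains[registrable_domain(host)]
        return None


# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_log(lines, matcher: IocMatcher):
    """Return one hit record per log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue
        verdict = matcher.classify(m.group("url"))
        if verdict:
            level, ioc = verdict
            hits.append({"client": m.group("client"), "method": m.group("method"),
                         "url": m.group("url"), "level": level, "ioc": ioc})
    return hits


# Constructed sample log: one workstation fetching the lure, the payload and the C2,
# another touching sibling hosts, and a benign visit to the site the decoy text names.
SAMPLE_LOG = [
    "1468944001.101   412 10.0.0.5 TCP_MISS/200 61440 GET http://ftp.dataupllinks.top/edsf/tick-873.doc - HIER_DIRECT/203.0.113.10 application/msword",
    "1468944045.530   188 10.0.0.5 TCP_MISS/200 221184 GET http://216.170.126.3/wfil/file.exe - HIER_DIRECT/216.170.126.3 application/octet-stream",
    "1468944047.002    90 10.0.0.5 TCP_MISS/200 512 POST http://216.170.118.4/wes/offers.php - HIER_DIRECT/216.170.118.4 text/html",
    "1468944100.410   150 10.0.0.7 TCP_MISS/200 2048 GET http://cdn.dataupllinks.top/x/other.doc - HIER_DIRECT/203.0.113.11 application/msword",
    "1468944110.000    75 10.0.0.7 TCP_MISS/200 1024 GET http://216.170.118.4/other.bin - HIER_DIRECT/216.170.118.4 application/octet-stream",
    "1468944120.000   300 10.0.0.9 TCP_MISS/200 8192 GET http://english.ctrip.com/ - HIER_DIRECT/198.51.100.5 text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IocMatcher(DEFANGED_IOCS)):
        print(hit)
```

A "url" hit on the lure document followed by hits on the payload IP and the C2 from the same client is the sequence this post describes; a "domain" or "host" hit alone is a weaker signal and worth a look rather than an automatic block.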
Thanks for that guest post, Arsh! Be on the lookout for a new paper about the spam campaigns of Kelihos at an upcoming conference based on Arsh's studies.