{"id":8794,"date":"2017-08-17T14:40:01","date_gmt":"2017-08-17T22:40:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/17\/news-2567\/"},"modified":"2017-08-17T14:40:01","modified_gmt":"2017-08-17T22:40:01","slug":"news-2567","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/17\/news-2567\/","title":{"rendered":"Locky Launches a More Massive Spam Campaign with New \u201cLukitus\u201d Variant"},"content":{"rendered":"<p><strong>Credit to Author: Joie Salvio, Rommel Joven and Floser Bacurio | Date: Thu, 17 Aug 2017 21:37:00 +0000<\/strong><\/p>\n<div class=\"entry\">\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/kadena_locky.png\" style=\"width: 600px; height: 346px;\" \/><\/p>\n<p>It has been just a week since the Locky variant named <a href=\"http:\/\/blog.fortinet.com\/2017\/08\/14\/locky-strikes-another-blow-diablo6-variant-starts-spreading-through-spam\">Diablo6<\/a> appeared, and now Locky has launched another campaign, more massive than the previous one. This time it uses &ldquo;.lukitus&rdquo;, which means &ldquo;locking&rdquo; in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant, with the help of Fortinet&rsquo;s advanced <em>Kadena Threat Intelligence System<\/em> (KTIS) [1].<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/figure%201_locky.png\" style=\"width: 453px; height: 167px;\" \/><\/p>\n<p align=\"center\"><em>Fig. 1 Encrypted files with .lukitus extension<\/em><\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/figure%202_locky.png\" style=\"width: 500px; height: 352px;\" \/><\/p>\n<p align=\"center\"><em>Fig. 
2 Familiar Locky ransom note<\/em><\/p>\n<h3>Same Locky, More Spam<\/h3>\n<p>Based on the email samples we have collected from different sources, this new campaign has sent out over four times the number of emails seen in the previously discovered .diablo6 campaign.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/figure%203_locky.png\" style=\"width: 650px; height: 308px;\" \/><\/p>\n<p align=\"center\"><em>Fig. 3 Spam campaign emails of .lukitus variant<\/em><\/p>\n<p>This campaign uses the following email subjects and attachment names:<\/p>\n<p>As in the previous campaign, the spam emails distributed in this campaign include an attached archive file (zip or rar) that contains a malicious JavaScript or VBS script. Once opened, this attachment downloads the Locky payload. The following screenshot, taken from KTIS, summarizes this attack chain.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/figure%204_locky.png\" style=\"width: 550px; height: 634px;\" \/><\/p>\n<p align=\"center\"><em>Fig. 4 Infection chain of .lukitus variant<\/em><\/p>\n<p>In addition, the attack chain shows that some of the compromised download sites used in the previous campaign are still active and are now being used to host this new variant.<\/p>\n<p>Interestingly, this campaign seems to have been distributed mostly to Austria. In the previous campaign, Austria and the United States were virtually tied for the top spot.<\/p>\n<p align=\"center\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/figure%205_locky.png\" style=\"width: 650px; height: 214px;\" \/><\/p>\n<p align=\"center\"><em>Fig. 
5 Spam distribution of .lukitus variant<\/em><\/p>\n<p>Other new items observed in this variant include a change in the C&amp;C URI from <em>\/checkupdate.php<\/em> to <em>\/imageload.cgi<\/em>, and the use of <em>3<\/em> as its affiliate ID. This affiliate has been observed distributing Locky through spam emails containing an attached compressed JavaScript or VBS downloader since last year.<\/p>\n<h3>Solution<\/h3>\n<ol>\n<li>FortiMail blocks all spam emails.<\/li>\n<li>FortiGuard Antivirus service detects Locky samples as W32\/GenKryptik.APXF!tr.<\/li>\n<li>FortiGuard Webfilter service blocks and tags all download URLs as malicious.<\/li>\n<li>FortiSandbox rates the Locky samples as High Risk.<\/li>\n<\/ol>\n<h3>Conclusion<\/h3>\n<p>This is the first massive Locky campaign that we&rsquo;ve seen in a few months. Combined with the release of a different variant just the week before, this is starting to look like an ominously familiar cycle.<\/p>\n<p>FortiGuard Lion Team will keep everyone posted.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<h3>IOC<\/h3>\n<p>Locky hashes and C&amp;C IP addresses are available in the IOC file:<\/p>\n<p><a href=\"https:\/\/github.com\/fortiguard-lion\/LockyIOCs\/blob\/master\/Locky_Lukitus_IOC.txt\">https:\/\/github.com\/fortiguard-lion\/LockyIOCs\/blob\/master\/Locky_Lukitus_IOC.txt<\/a><\/p>\n<div>\n<hr align=\"left\" size=\"1\" width=\"33%\" \/>\n<div id=\"ftn1\">\n<p>[1] Fortinet&#39;s <em>Kadena Threat Intelligence System<\/em> (KTIS) is an interactive platform that extracts contextual 
information from files, URLs, and other artifacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/blog.fortinet.com\/2017\/08\/17\/locky-launches-a-more-massive-spam-campaign-with-new-lukitus-variant\" target=\"bwo\">https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-8794","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8794"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8794\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}