Improved scripts in .lnk files deliver Kovter and Locky

    #89293

    Worthy of note.

    Improved scripts in .lnk files now deliver Kovter in addition to Locky

    https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/

msft-mmpc, February 2, 2017

    Cybercriminals are using a combination of improved script and well-maintained download sites to attempt installing Locky and Kovter on more computers.

    A few months ago, we reported an email campaign distributing .lnk files with a malicious script that delivered Locky ransomware. Opening the malicious .lnk files executed a PowerShell script that performed a download routine. More recently, we have found a more complex version of the script, delivering more malware from more download sites.

    This new script has no less than five different hardcoded domains from which it attempts to download the payload malware. In addition to Locky, this script also now downloads Kovter.

The script attempts to access a specific location in the domains by using a parameter. It does this for all domains, one by one, until it is able to successfully download its payload. If unsuccessful in the first pass, it uses another parameter and goes through the five domains again. It exits if, after the second pass, there is still no successful download.

    The use of multiple domains and the technique of storing the rest of the URL as a parameter is a way to circumvent URL filtering solutions. All the script needs is one URL that is not blocked in order to successfully download malware.

    On the other hand, the use of specific parameters means the cybercriminals have complete control of the domains, whether they are compromised websites or were set up specifically for this purpose. More importantly, we observed that the malicious websites are updated with new versions of the malware payload every day.

    This setup gives cybercriminals behind these attacks a great level of flexibility. They have the option to update the malware payload pointed to by the URLs, change the URLs in the script, or do both to try and evade detection.

    Note: Woody I will move this once you have decided how you want to do it OR you can.

    Best Regards,

    Crysta

    --------------------------------------

    1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

    SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

    CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
    Graphics Radeon RX 580, RX 580 ONLY Over Clocked
    More perishable

    2xMonitors Asus DVI, Sony 55" UHD TV HDMI

    1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
    1xOS W8.1 Pro, NAS Dependent, Same Sony above.

    -----------------
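The post above describes shortcuts whose target is a PowerShell command line that fetches a payload from hardcoded locations. As an added example (not code from the Microsoft post or from this thread), the PowerShell below inventories .lnk files in user-writable folders, reads each shortcut's target and arguments through the WScript.Shell COM object, and flags those that launch PowerShell with options script droppers commonly use. The indicator list and the folder list are this example's own assumptions, not anything published by Microsoft, and the fixture it creates is a harmless shortcut that runs Get-Date.

```powershell
# Added example, not code from the Microsoft post or this thread. Inventories .lnk files
# in user-writable folders and flags shortcuts that launch PowerShell with options that
# script droppers commonly use. The indicator list is this example's own assumption,
# not a list published by Microsoft; tune it to your environment.

$SuspiciousPatterns = @(
    '-EncodedCommand', '-enc ',          # base64-encoded command line
    '-WindowStyle Hidden', '-w hidden',  # keep the console window out of sight
    'DownloadFile', 'DownloadString',    # WebClient download routines
    'Invoke-Expression', 'IEX',          # run text fetched at run time
    'http://', 'https://'                # hardcoded download locations
)

function Test-ShortcutFile {
    param([Parameter(Mandatory)][string]$Path)

    # Read the shortcut's target and arguments through the WScript.Shell COM object.
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut((Resolve-Path -LiteralPath $Path).Path)
    $cmdline = "$($lnk.TargetPath) $($lnk.Arguments)"

    # -match is case-insensitive by default; escape the patterns so they match literally.
    $hits = @($SuspiciousPatterns | Where-Object { $cmdline -match [regex]::Escape($_) })
    $launchesPowerShell = $lnk.TargetPath -match '(powershell|pwsh)(\.exe)?$'

    [pscustomobject]@{
        Path               = $Path
        Target             = $lnk.TargetPath
        Arguments          = $lnk.Arguments
        LaunchesPowerShell = $launchesPowerShell
        Indicators         = $hits
        Suspicious         = $launchesPowerShell -or ($hits.Count -gt 0)
    }
}

function Find-SuspiciousShortcuts {
    param(
        # Assumed starting points; extend with mail attachment and browser cache folders as needed.
        [string[]]$Roots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", $env:TEMP)
    )
    Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShortcutFile -Path $_.FullName } |
        Where-Object { $_.Suspicious }
}

# Constructed, harmless fixture so the scan has something to flag on a clean machine:
# a shortcut that opens a hidden PowerShell window and runs Get-Date.
$fixture = Join-Path $env:TEMP 'lnk-detection-fixture.lnk'
$sample  = (New-Object -ComObject WScript.Shell).CreateShortcut($fixture)
$sample.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$sample.Arguments  = '-NoProfile -WindowStyle Hidden -Command "Get-Date"'
$sample.Save()

Find-SuspiciousShortcuts | Format-List Path, Target, Arguments, Indicators
Remove-Item -LiteralPath $fixture -ErrorAction SilentlyContinue
```

The shortcut's own metadata is the point of inspection here: the .lnk does nothing until Explorer resolves its target, so reading TargetPath and Arguments without launching anything is safe to run across a fleet. In a deployment the Indicators output would go to a SIEM rather than the console, and a shortcut whose target is powershell.exe is worth a look even when none of the argument patterns match.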

    • #91469

      Here’s the new security forum. I’m torn because Windows Patches are different from, but highly related to, security advisories. Perhaps some day we’ll get a patching/security guru to come in here and optimize the structure.

Not sure what a “Windows General” forum would look like. What would you like to see there?

      • #91548

What I was thinking of, Woody, was for articles that pertained to Windows in general, across all generations/versions of Windows. It's like Win32 apps: up until recently they ran on all Windows versions, and they now have the UWP conversion to make that possible again. You have really already made that decision on specific generations by opening up their base forums. Now all you need to do is make “Windows” postable, at least to try this…

By the way, there is no “Subscribe” indication/clickable in this forum, including the forum itself. There is this, though, for posting: “Notify me of follow-up replies via email”.


    • #92401

      @Crysta
I was wondering if you might write a primer about PowerShell, perhaps for the Windows topic page? Such basic information as: what it is, what it does, who has it… etc.
      I’m sure some of our readers could find it useful, if you had the time.
      🙂

      • #92569

        Kristy,

        I would love to, BUT I am such a novice!!!!

What I would suggest is, ask Woody to reach out to Jeffrey Snover @jsnover (father of PowerShell) to do one, OR direct us to one that he has already written that we could C&P. If I come across anything I will let you know so you can direct me where you want it.

One thing I could do is come up with a list of videos that Jeff has done on @CH9 or other places. This is where I am learning from (I think it is time I rewatched them 😛 ). Let me know by email if you like. Woody has my email address.

Are there any moderately advanced PowerShell & PS ISE users/devs/IT pros/DevOps who could help us out here?

    • #93270

      Ok, first post, exciting! 🙂
IMHO you could just set PowerShell script execution in a domain by doing the steps below.

Within Group Policy, navigate to Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell and configure the Turn On Script Execution setting.

I use this on the general PC OU and set mine to require a signature.
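The Group Policy setting described in the reply above writes its choice under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell and applies it at the MachinePolicy scope. As an added example (not code from the poster or the thread), the PowerShell below reads that registry data, reports the execution policy in effect per scope, checks it against the expected value, and shows the Authenticode check that an AllSigned policy performs on a script before running it. The function names and the unsigned fixture script it writes to TEMP are this example's own; the registry path, value names and the AllSigned value are those the policy setting uses.

```powershell
# Added example, not code from the thread. Reads the machine-wide execution policy that the
# "Turn on Script Execution" Group Policy setting writes, reports the policy in effect per
# scope, and checks a script's Authenticode signature the way an AllSigned policy does.

function Get-ScriptExecutionPolicyState {
    # Registry location the Group Policy setting populates on a managed machine.
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpo    = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue

    $enableScripts = $null   # 1 when the setting is Enabled
    $gpoPolicy     = $null   # AllSigned, RemoteSigned or Unrestricted, per the option chosen
    if ($null -ne $gpo) {
        $enableScripts = $gpo.EnableScripts
        $gpoPolicy     = $gpo.ExecutionPolicy
    }

    [pscustomobject]@{
        PolicyConfigured   = ($null -ne $gpo) -and ($null -ne $enableScripts)
        EnableScripts      = $enableScripts
        GpoExecutionPolicy = $gpoPolicy
        EffectivePolicy    = Get-ExecutionPolicy          # resolved across all scopes
        ByScope            = Get-ExecutionPolicy -List    # MachinePolicy takes precedence
    }
}

function Test-ScriptExecutionCompliance {
    # "Allow only signed scripts" in the policy UI corresponds to AllSigned.
    param([string]$Expected = 'AllSigned')
    $state = Get-ScriptExecutionPolicyState
    [pscustomobject]@{
        Expected  = $Expected
        Actual    = [string]$state.EffectivePolicy
        Compliant = ([string]$state.EffectivePolicy -eq $Expected)
        SetByGpo  = $state.PolicyConfigured
    }
}

function Test-ScriptSignature {
    # Under AllSigned, only a script whose signature status is Valid will run.
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($null -ne $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = $signer
    }
}

Get-ScriptExecutionPolicyState | Format-List
Test-ScriptExecutionCompliance

# Constructed fixture: an unsigned script, which an AllSigned policy would refuse to run.
$fixture = Join-Path $env:TEMP 'unsigned-fixture.ps1'
Set-Content -LiteralPath $fixture -Value 'Get-Date'
Test-ScriptSignature -Path $fixture
Remove-Item -LiteralPath $fixture -ErrorAction SilentlyContinue
```

Because the setting lands in the MachinePolicy scope, a local Set-ExecutionPolicy cannot loosen it, which is what makes it a good fit for a PC OU. Microsoft documents the execution policy as a safety feature against running scripts unintentionally rather than as a security boundary, so for enforcement it is usually paired with application control such as AppLocker or WDAC and with logging of PowerShell activity.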
