Criminals have taken a liking to the idea of combining multiple types of malware into one distribution campaign. Malware Protection Center researchers discovered a string of email messages using malicious attachments to spread both Locky ransomware and the Kovter Trojan. It is not the first time these two types of malware have been distributed in the same campaign, as dual-pronged spam campaigns have become more common as of late.
Criminals Step Up Malware Distribution
It is rather disconcerting to learn that opening a malicious email attachment can introduce two different types of malware at the same time. As if the Locky ransomware is not annoying enough to deal with on its own, computer users will also be affected by the Kovter Trojan. This latter piece of malware specializes in click fraud, generating a lot of illegal advertising revenue for criminals.
Through a malicious email attachment, criminals execute a script that contains links to multiple domains from which the malware types are downloaded. By making the attachment a .lnk file (a Windows shortcut), the recipient may click it and have the payload download executed in the background. PowerShell scripts have become a fan favorite among criminals targeting Windows users these days, that much is certain.
Researchers discovered a total of five hardcoded domains in the script from which the malware can be downloaded. Both the Locky ransomware and Kovter Trojan payloads are hosted on these platforms, and it is expected more of these domains will continue to pop up over time. Although law enforcement agencies can take down these domains rather easily, criminals will not hesitate to create additional hosting solutions over time.
As one would expect from these spam email campaigns, the message in question is a fake receipt for a spoofed USPS delivery email. In the attached zip file, there is the malicious .lnk file, which initiates the PowerShell script once opened. One interesting aspect of this script is how it checks whether the file was downloaded successfully and whether it is at least 10 KB in size. Once a download passes that check, the script stops automatically.
Microsoft researchers feel the use of multiple domain names to download the payload from is a powerful obfuscation technique. Blacklisting one specific URL is a lot easier than dealing with a handful of different domains. Moreover, this method seems to hint at how criminals can easily add more servers to download the malicious payloads from if they want to. A very troublesome development, to say the least.
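As an added example (not code from the Microsoft report or from this article), the Python script below parses the StringData section of a .lnk shortcut and flags shortcuts that point at PowerShell while referencing more than one download host, which is the pattern described above; the sample shortcut, its arguments and the .example hostnames are constructed for the test, not real campaign artifacts.

```python
import re
import struct
from urllib.parse import urlparse

# LinkFlags bits of the Shell Link (.lnk) format (MS-SHLLINK 2.1.1); StringData
# sections follow the header in this fixed order whenever their flag is set.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk file."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_ID_LIST:        # IDListSize (uint16) excludes its own two bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (uint32) includes its own four bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + count * width].decode(codec)
            pos += 2 + count * width
    return fields

def triage_lnk(fields: dict) -> dict:
    """Flag a shortcut that launches PowerShell and references several download hosts."""
    target = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(target)})
    ps = "powershell" in target
    return {"hosts": hosts, "uses_powershell": ps, "suspicious": ps and len(hosts) >= 2}

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (header + RelativePath + Arguments) for testing."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    header += bytes(0x4C - len(header))                   # remaining header fields zeroed
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

# Constructed sample (not a real artifact): points at PowerShell, names two .example hosts.
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-c \"$urls='http://payload-a.example/p.bin','http://payload-b.example/p.bin'\"",
)
```

Running `triage_lnk(parse_lnk(SAMPLE_LNK))` reports both hosts and marks the shortcut suspicious; a shortcut to a local program with no URLs is not flagged.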
Perhaps the most worrisome aspect of this new malware distribution campaign is how criminals continue to update the payloads themselves. Both Kovter and Locky receive regular updates, which means the development of ransomware and click-fraud Trojans is still going on behind the scenes. Moreover, it goes to show criminals will continue to rely on multi-pronged distribution campaigns for malware and ransomware moving forward.