Shares 504 Views

New Spam Campaign Distributes Locky Ransomware and Kovter Trojan Simultaneously


Criminals have taken a liking to the idea of combining multiple types of malware into one distribution campaign. Malware Protection Center researchers discovered a string of email messages using malicious attachments to spread both Locky ransomware and the Kovter Trojan. It is not the first time these two types of malware are distributed in the same campaign, as dual-pronged spam campaigns have become more common as of late.

Criminals Step Up Malware Distribution

It is rather disconcerting to learn opening a malicious email attachment can introduce two different types of malware at the same time. As if the Locky ransomware is not annoying to deal with on its own, computer users will also be affected by the Kovter Trojan. This latter piece of malware specialized in click fraud, generating a lot of illegal advertisement revenue for criminals.

Through a malicious email attachment, criminals execute a script that contains links to multiple domains where the malware types are downloaded from. By making the attachment a .Ink file, the recipient may click it and have the payload download executed in the background. PowerShell scripts have become a fan favorite among criminals targeting Windows users these days, that much is certain.


Researchers discovered a total of five hardcoded domains in the script from where the malware can be downloaded. Both the Locky ransomware and Kovter Trojan payloads are hosted on these platforms, and it is expected more of these domains will continue to pop up over time. Although law enforcement agencies can take down these domains rather easily, criminals will not hesitate to create additional hosting solutions over time.

As one would expect from these spam email campaigns, the message in question is a fake receipt for a spoofed USPS delivery email. In the attached zip file, there is the malicious .Ink file , which initiates the PowerShell script once opened. One interesting aspect about this script is how it checks if the file is downloaded successfully and if is at least 10KB in size. Once that has been verified, it will stop the process automatically.

Microsoft researchers feel the use of multiple domain names to download the payload from is a powerful obfuscation technique. Blacklisting one specific URL is a lot easier than dealing with a handful of different domains. Moreover, this method seems to hint at how criminals can easily add more servers to download the malicious payloads from if they want to. A very troublesome development, to say the least.

Perhaps the most worrisome aspect of this new malware distribution campaign is how criminals continue to update the payloads themselves. Both Kovter and Locky receive regular updates, which means the development of ransomware and click-fraud Trojans is still going on behind the scenes. Moreover, it goes to show criminals will continue to rely on multi-pronged distribution campaigns for malware and ransomware moving forward.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.


You may be interested

Bitcoin Exchange
shares6 views

Most of Bitcoin’s Trading Volume is FAKE: Time to Wake the F*** Up?

Brian Evans - Mar 24, 2019

Hands up, anyone who is surprised that a little-known crypto exchange that apparently had the largest bitcoin trading volume on CoinMarketCap has been exposed as a wash…

Binance
shares6 views

Binance Changes Launchpad Token Sale Format to Lottery

Brian Evans - Mar 24, 2019

The Binance Launchpad format has been radically changed by the cryptocurrency exchange

Altcoin News
shares4 views

Sluggish Bitcoin Price Creates Bullish Opportunities for Wider Crypto Market: Trader

Brian Evans - Mar 24, 2019

In the past 24 hours, the Bitcoin price has remained stable above the $4,020 mark, unable to break out above a key resistance level at $4,200. Meanwhile,…

Most from this category

%d bloggers like this: