Following on from these [FEDEX] [USPS] posts describing the spoofed FedEx and USPS (and, from time to time, other delivery service) malware emails, I will endeavour to keep an up-to-date list of the current sites involved in spreading this malware. I will also show the command used that day to obtain the malware. I will add each day's new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts. All the sites used in this malware-spreading campaign are hacked / compromised WordPress, Magento e-commerce, Joomla, Drupal or other CMS sites. Quite a high proportion are e-commerce sites selling things and accepting credit cards. If these sites are being hacked and compromised to spread malware, then what else is happening? It is more than possible that other criminal gangs are also using the same vulnerabilities and stealing any information (credit cards, email addresses, passwords etc.) that is uploaded to these sites. Some of these sites are listed in Google Safe Browsing and get warnings when they appear in Google searches, but the majority do not.
When the malware gangs compromise and effectively take over a site to spread their malware, sometimes the site remains working properly, sometimes you get PHP errors like those in these screenshots, and sometimes you get a plain white screen with no content.
It is extremely difficult to convince a website owner who still has a working website that they have been compromised. An extremely high proportion of them just ignore the reports and do an ostrich impersonation (bury their head in the sand). The big danger with this is that, if one gang has taken over the site, then other gangs / hackers / criminals also can and do. The sites get enrolled into botnets and used for spam sending or black hat SEO link spam.
The script tries the first site in the list and then moves down until it gets a reply from the server. You never see the first downloaded file (counter.js) by searching on your computer, as it is run directly from Temporary Internet Files. Counter.js then downloads a different variant of counter.js, which in turn downloads 01 first, then 02, then 03, until you get to 05. If any site doesn't have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files, but it is rare for the site delivering counter.js to actually download from itself; normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be .png image files. They are actually all renamed .exe files or a renamed PHP script listing the file types to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. To get the second counter.js you need to change the &r=01 at the end of the URL to &m=01 (or 02-05). This second counter.js contains additional sites to download from, which frequently include sites from the previous days' lists that are not already included in the WSF or first counter.js.
I only accidentally found out about the second / 3rd / 4th / 5th counter.js when I made a mistake in manually decoding the original wsf file (and the original counter.js) and mistyped / miscopied the &r= and used &m= instead. Obviously it is a belt-and-braces approach to making sure the actual malware gets downloaded to a victim's computer when URLs or sites become known and are blocked by an antivirus or web filter service.
Even though every wsf file that is received has a different set of "commands" encoded in the file, they all follow the /counter/? pattern shown below. Any set of commands that has the same structure will deliver the malware payload. The set listed below was from 25th December and still works on every site that is listed here.
Update 7 January 2017: Some of the sites listed are still being updated daily with new malware versions of Kovter and Locky. Others have been abandoned by the malware gang but still contain old versions of these malwares. As far as I can tell, most of these sites are still active and involved in spreading malware. Very few seem to get cleaned up, despite reports to the “owners”. They seem to think what is not easily seen isn’t there. More compromised sites get added daily.
Update 24 January 2017: Quite a change today, now using .lnk files inside the zip to run PowerShell to download the malware. Still using the same sites, just making it slightly harder to detect them. VirusTotal [zip containing the .lnk file and a renamed .txt file, P/W "infected": Undelivered-Package-000989863.doc]
I am not currently seeing any counter.js files on any live sites today, only the Locky and Kovter malware themselves: Locky (VirusTotal), Kovter (VirusTotal), along with the usual 2 innocent PHP interpreter files.
Update 2 February 2017: only 2 sites embedded inside each .lnk file, instead of the usual 5.
Update 3 February 2017: switched back to using wsf files today. Still only 2 hardcoded URLs inside the wsf file. They have also switched to spoofing UPS instead of USPS and FedEx. VirusTotal | Payload Security
2nd Update 3 February 2017: now using lnk files again
4 February 2017: now using .JS files inside the zips. Still only 2 hardcoded URLs, not 5, but now back to using files on a remote server with an additional 5 download sites, which in turn download the Locky and Kovter from the next site on the list using /counter/?. These new js / txt files are quite heavily obfuscated with lots of extraneous junk. Payload Security
Update 5 February 2017: they are also using spoofed Court Notices as the email subjects today.
We have noticed that an extremely high number of these compromised sites are hosted by GoDaddy. See the TXT list of sites between 21 Jan and 6 Feb 2017: 39/79 sites are GoDaddy hosted. That is approximately 50%, and although GoDaddy does host lots of sites, this level of compromised sites suggests vulnerabilities or exploits on the GoDaddy network. There are just too many for them to be individual site exploits. This either means GoDaddy has a lot of outdated WordPress and other CMS installs on the network (with known vulnerabilities) or there is an underlying security hole / exploit on some of the GoDaddy servers. Several sites don't appear to be using a CMS at all and just have a default GoDaddy HTML holding page that can be altered by the user.
Update 1 March 2017: they have messed up a bit today. The apprentice sending the emails has attached the .js files to the emails rather than using zips. That means just about every copy of them will be blocked, either by mail servers or by the email client on the computer, which generally don't allow .js files to be opened or viewed directly from Outlook, Windows Live Mail, Thunderbird etc.
Update 4 March 2017: looks like a difference today with the downloaded files. What is usually Locky looks like Cerber ransomware (VirusTotal) (Payload Security). The Kovter downloader that installs loads of other malware looks "normal" (VirusTotal) (Payload Security).
Update 8 March 2017: Back to Locky and Kovter again today. UPS-Parcel-ID-006611646.doc.js VirusTotal | Payload Security. 1.exe (Locky) VT | Payload Security. 2.exe (Kovter) VirusTotal | Payload Security
Update 15 March 2017: using Nemucod ransomware again today but also delivering Locky and Kovter as backup. UPS-Parcel-ID-1270246.doc.js VirusTotal | Payload Security. 1.exe (Locky) VT. 2.exe (Kovter) VirusTotal
Update 16 March 2017:
In today's version, as you can see from the Payload Security report, it just downloads the same "innocent" file from each location in the "var x" list, when it is supposed to download a different malware file from each site.
The more obfuscation and tricks the bad guys try in order to avoid detection, the more often they introduce bugs and typos that work in our favour and stop the malware being downloaded and run. The phrase that was drummed into me in the early days of learning any sort of coding was K I S S (Keep It Simple, Stupid).
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect "var m" is hardcoded in the .js file attachment. MALWR | Payload Security. If "var m" ends in a character a-z, you get the counter.txt telling you which sites to download from and what malware to download. If "var m" ends in a number 0-9 you either get an empty file or, in the case of 1-5, the various files associated with the malware kit. 1 is normally Locky, occasionally Cerber, and very rarely has been Sage ransomware. 2 is always Kovter. 3 and 4 are innocent PHP interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a PHP list of file types to encrypt. Some days or weeks 5 does not exist and the list of file types to encrypt is hard coded into one of the other files.
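A defender-side triage of the download chain described above and in the earlier counter.js explanation, as an added example that is not code from the original post. It applies the rule from the 18 March update (an r=/m= value ending in a letter gives the counter.txt site list, a trailing digit 1-5 gives a payload slot: 1 ransomware, 2 Kovter, 3/4 PHP interpreters, 5 the encrypt list) to a constructed proxy log, and flags downloads that claim to be .png but carry a PE header or a PHP script; the log format and hostnames are assumptions.

```python
# Added example (not the post's code): classify /counter/? requests in a web
# proxy log using the slot rule the post describes, and catch "png" files that
# are really renamed .exe or .php. Log lines and hostnames are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

# Role of each numbered slot as the post describes it (slot 1 varies by day).
SLOT_ROLES = {"1": "ransomware (Locky/Cerber/Sage)", "2": "Kovter",
              "3": "php interpreter", "4": "php interpreter",
              "5": "php list of file types to encrypt"}

def classify_counter_url(url):
    """Return (stage, role) for a /counter/? request, or None otherwise."""
    parts = urlsplit(url)
    if not parts.path.endswith("/counter/"):
        return None
    if re.fullmatch(r"[1-5]", parts.query):          # bare /counter/?2 form
        return ("payload", SLOT_ROLES[parts.query])
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    val = params.get("m") or params.get("r") or ""
    if not val:
        return ("unknown", "no r=/m= parameter")
    if val[-1].isalpha():                           # letter -> site list
        return ("site-list", "counter.js/counter.txt download list")
    return ("payload", SLOT_ROLES.get(val[-1], "empty file (slot %s)" % val[-1]))

def disguised_payload(filename, data):
    """True when a file served as .png is really a PE (MZ) or a php script."""
    if not filename.lower().endswith(".png"):
        return False
    return data[:2] == b"MZ" or data.lstrip()[:5] == b"<?php"

# Constructed proxy log: "<client> <method> <url> <status> <bytes>".
SAMPLE_LOG = """\
10.0.0.7 GET http://shop.example/counter/?a=0vfxXl&m=0vfxXl 200 3400
10.0.0.7 GET http://blog.example/counter/?a=0vfxXl&m=02 200 425984
10.0.0.7 GET http://cart.example/counter/?5 200 911
10.0.0.7 GET http://blog.example/wp-content/theme.css 200 1200
"""

def triage_log(text):
    """List (client, host, stage, role, bytes) for each /counter/? hit."""
    hits = []
    for line in text.splitlines():
        client, _method, url, _status, size = line.split()
        hit = classify_counter_url(url)
        if hit:
            hits.append((client, urlsplit(url).hostname, *hit, int(size)))
    return hits
```

A 0-byte response in a payload slot is the "harmless empty file" case the post mentions, so the returned byte count is worth checking alongside the slot role.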
As you can see from the online sandbox reports, the failure to K I S S is working well again today and all sites are downloading a 0-byte harmless empty file.
Update 27 March 2017: Today they have switched from Nemucod ransomware to Cerber ransomware and Kovter.
FedEx-Delivery-Details-ID-BPZ28KH8.doc.js VirusTotal | Payload Security | delivers 1.exe (VirusTotal) (MALWR) and 2.exe (VirusTotal)
Update 31 March 2017: Looks like a difference in the malware payload again today. UPS-Delivery-Details-004413100.doc.js VirusTotal | Payload Security | delivers a1.exe (when downloaded via Payload Security) (VirusTotal) Payload Security, which is an unknown malware that is downloading a genuine Chrome updater, and a2.exe (VirusTotal), which is definitely Kovter / Poweliks.
A manual download of 1.exe gave me VirusTotal | Payload Security | MALWR, which is definitely Cerber. So it looks like they are offering different payloads if they detect a sandbox analysing the files.
Update 17 April 2017: back to Nemucod ransomware today. VirusTotal | Payload Security. Also /counter/?1 giving 1.exe (Cerber) VirusTotal and /counter/?2 giving 2.exe (Kovter) VirusTotal on the same servers.
25 December 2016: (Payload Security report)
27 December 2016: (Payload Security report)
28 December 2016: (Payload Security report)
29 December 2016: (Payload Security report)
2nd version today (Payload Security report)
31 December 2016: (Payload Security report)
31 December 2016: update 2 (Payload Security)
1 January 2017: (Payload Security report)
3 January 2017: (Payload Security report)
5 January 2017: (Payload Security report)
6 January 2017: (Payload Security report)
8 January 2017: (Payload Security)
10 January 2017: (Payload Security)
12 January 2017: (Payload Security)
15 January 2017: (Payload Security)
There has been a slight change to the wsf files this afternoon. (Payload Security)
17 January 2017: (Payload Security)
18 January 2017: (Payload Security)
19 January 2017:
21 January 2017: (Payload Security)
22 January 2017: (Payload Security)
24 January 2017: (Payload Security)
25 – 29 January 2017: (Payload Security)
30 January – 5 February 2017:
6 February – 12 February 2017:
13 – 19 February 2017:
20 – 28 February 2017:
1 March – 5 March 2017:
6 – 12 March 2017:
13 – 19 March 2017:
20 – 26 March 2017:
27 March – 2 April 2017:
3 – 9 April 2017: (sorry, not keeping up as much as usual this week due to real world commitments and health problems)
10 – 16 April 2017:
17 – 23 April 2017: