Another Change With Locky Delivery Methods Today. Payload Embedded In A Large .js File
Published 2022-04-12 (modified 2023-03-31). https://myonlinesecurity.co.uk/another-change-with-locky-delivery-methods-today-payload-embedded-in-a-large-js-file/
The next in the never-ending series of Locky downloaders is an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an invoice notification. There are no attachments with these emails, only a link in the email body to various compromised sites to download a .js file. As far as I can tell, the actual Locky payload is embedded inside the .js file.
For some strange reason the .js file is named voicemsg_[random numbers].js, which would indicate that this was intended for, or has also been used in, a voice message scam attempt to deliver Locky as well.
The other strange thing in this campaign is the URL in the body. All the ones I received are broken and start with ttp://, but looking at the MailScanner copy with the complete HTML on my server, they look normal and start with the proper http://. I really don’t know if it is something in Outlook that is breaking these, because when I download a quarantined copy in .eml format and view it in plain text or in a hex editor, I see the full working URLs.
voicemsg_088436.js 410.7 KB (420558 bytes) (Current VirusTotal detections: | Payload Security) | drops 1102.exe 298.0 KB (305152 bytes) (VirusTotal) (Payload Security)
Nothing is actually detecting these as Locky ransomware, and in fact some AV on VirusTotal detect them as Cerber ransomware. I am only calling these Locky based on the moroplinghaptan.info/eroorrrs POST request (giving a 404) shown in the Payload Security report. This has been a strong indicator of compromise for Locky recently.

Some of the download sites in the emails include:

They all use an iframe to actually download from http://moroplinghaptan.info/offjsjs/*. This site has been used in a later Locky campaign today that was spoofing voice messages.

One of the emails looks like:

From: Joanne Hillyard <ordering@idahoinsuranceplans.com>
Date: Thu 01/09/2021 19:22
Subject: <Blank>
Body content:

Please view details of a requested invoice below and download a PDF file

Can’t open the file? Download Adobe Acrobat Reader from http://get.adobe.com/reader/

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won’t.

Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Dear Customer,

Invoice no: 86358
Date: 29/09/2021
Amount: $031.00

Joanne Hillyard

Screenshot: