Thursday, August 04, 2016

American Airlines spam from Kelihos delivers Ransomware

I'm pleased to have Arsh Arora return with another guest blog about his findings as he continues to observe the Kelihos botnet. Arsh recently received his Master's in Computer Forensics and Security Management in our program at UAB and has chosen to continue his malware research as a PhD candidate.

Kelihos botnet delivering CryptFile2 Ransomware with theme AmericanAirlines

By Arsh Arora

When we saw the Kelihos botnet delivering ransomware last month on July 8th, we sat up and took notice. The Kelihos botnet has a long history of delivering pharma spam and stock market manipulation spam (pump-n-dump), but now it was spamming the WildFire ransomware. (See: http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html) I was under the impression that it was one of the occasional gimmicks observed with Kelihos where they try something a single time and then move on. I assumed that some script kiddies were testing new ransomware techniques. Unfortunately, I was wrong and Kelihos hit back with CryptFile2 encryption ransomware.

To lure people into running their ransomware, this campaign used subject lines imitating American Airlines promotions. The URLs listed below are the locations that were sent in the spam emails, along with their corresponding subject lines:

hxxp://dataupllinks[.]top/nfdk/ticket1845[.]doc - Free Fly with AmericanAirlines
hxxp://ftp[.]dataupllinks[.]top/edsf/tick-873[.]doc  - Bonus from AmericanAirlines
hxxp://ftp[.]filesgigastor[.]top/23tf/disc_tick-235[.]doc  - AmericanAirlines free 100$
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc  - AmericanAirlines discount

The following is the email the victim receives, which invites them to check out special travel prices for their favorite vacation spots.

Figure 1 - American Airlines Discounts

Several subject lines were used, including:

  • Subject: Bonus from AmericanAirlines
  • Subject: AmericanAirlines free 100$
  • Subject: AmericanAirlines discount
  • Subject: Free fly with AmericanAirlines


Subject: AmericanAirlines discount 
Traveling with the world's largest airline shouldn't have to be expensive. That's why at Ctrip, we are
bringing you our lowest prices yet for flights with American Airlines.
 
>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
*Prices exclude taxes and fees.
Los Angeles - Las Vegas from 88$
Las Vegas - Los Angeles from 198$
New York - Chicago from 192$
Toronto - Hong Kong from 923$
Los Angeles - Shanghai from 832$
Toronto - Beijing from 958$
Chicago - Beijing from 712$
Boston - Beijing from 1,077$
Boston - Shanghai from 1,060$
Chicago - Shanghai from 845$
Atlanta - Beijing from 1,581$
Chicago - New York from 221$
Los Angeles - New York from 440$
New York - Toronto from 220$
New York - Miami from 177$
New York - Orlando from 203$
Seattle - Los Angeles from 145$
New York - Los Angeles from 366$
Los Angeles - San Francisco from 186$

>>> DOWNLOAD FREE DISCOUNT 100$ TICKET:
hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc
 
Terms and Conditions:
Prices are correct at time of publication and are subject to availability and change. Please see
english.ctrip.com to confirm availability, prices, and applicable terms and conditions. Flights for
certain dates may be sold out. In this event, please try to enter another flight date. Airlines reserve
right to adjust prices and control seat availability according to sales situation. Final fare based on
airline's actual sale price. Seat availability subject to airlines. Special fares may be subject to
strict change, refund and endorsement conditions. Please refer to conditions of confirmed booking for
details. Ctrip.com International Ltd. (CTRP) reserves all rights of final interpretation.
The prices are striking enough to entice the victim to click the link. Once the link is clicked, a pop-up offers a Word document for download. The user is unaware that the Word document contains hostile code, yet Microsoft Word document delivery is one of the more common ways of distributing malware.

Once the download is complete, the victim opens the document. The document follows the same pattern as the one used in the previous ransomware campaign sent by Kelihos: the Word document opens in ‘Protected View’ and asks the user to click ‘Enable Editing’ to view the document.

Figure 2 - "Protected Document"

After clicking the ‘Enable Editing’ box, another window asks to ‘Enable Macros’, aka the “ENCRYPT ME” button.

Figure 3 - "Enable Editing AKA Encrypt Me!"

After clicking the ‘Enable Content’ button, it shows the following message.

Figure 4 - Looks like a Word Document!

This behavior is the first of its kind observed in Word documents delivering malware. Generally, there is no content in the Word document and the malware infects the victim’s machine within minutes if not seconds.

This feature makes the Word document seem like a legitimate file and distracts the user while the malware contacts its command and control server and encrypts files in the background.
By the time you finish reading, you realize that your computer has been encrypted by CryptFile2 encryption ransomware.

Figure 5 - You are now ENCRYPTED


An interesting feature of the ransom note is that the threat actors have changed their technique for obtaining ransom payment. As can be seen, there is no mention of Tor-hosted or Onion-domain payment websites. Instead, it lists two email addresses through which the victim can contact the threat actor directly to pay the ransom. The email addresses are:
westbors@oath[.]com
gobas@inorbit[.]com

This seems foolhardy and not very sophisticated, but the American Airlines lure will certainly gain some victims! This is phenomenally different behavior from the previous WildFire ransomware. The decoy text displayed after enabling macros is a significant change in the Word documents that spread ransomware.

Other interesting observations found are:

  • MD5 hash of the Word document: 4fde04b25ea20b6ab30c5e4984e01afc
  • Website mentioned in the Word document: english[.]ctrip[.]com
  • Payload locations: hxxp://216[.]170[.]126[.]3/wfil/file[.]exe and hxxp://216[.]170[.]118[.]4/default[.]jpg
  • Command & Control Center: hxxp://216[.]170[.]118[.]4/wes/offers[.]php
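As an added example (not part of Arsh's post), here is a small triage script that takes the indicators quoted above, refangs them, and flags constructed mail-gateway and proxy log lines that touch the lure documents, the payload hosts, the C2 callback, the document hash, or the one-word "AmericanAirlines" subject spelling shared by every lure. The log format and the sample lines are assumptions for illustration.

```python
import re

# Indicators exactly as quoted in the post, kept in their defanged form.
INDICATORS = {
    "lure-doc": ["hxxp://dataupllinks[.]top/nfdk/ticket1845[.]doc",
                 "hxxp://ftp[.]dataupllinks[.]top/edsf/tick-873[.]doc",
                 "hxxp://ftp[.]filesgigastor[.]top/23tf/disc_tick-235[.]doc",
                 "hxxp://www[.]webdataupllinks[.]net/rety/tick-834[.]doc"],
    "payload": ["hxxp://216[.]170[.]126[.]3/wfil/file[.]exe",
                "hxxp://216[.]170[.]118[.]4/default[.]jpg"],
    "c2": ["hxxp://216[.]170[.]118[.]4/wes/offers[.]php"],
}
DOC_MD5 = "4fde04b25ea20b6ab30c5e4984e01afc"
# Every lure subject spells the brand as one word; that alone is a useful tell.
LURE_SUBJECT = re.compile(r"\bAmericanAirlines\b", re.IGNORECASE)

def refang(indicator):
    """Turn the published hxxp://a[.]b form into a lowercase matchable URL."""
    return indicator.replace("hxxp://", "http://").replace("[.]", ".").lower()

def host_of(url):
    return url.split("://", 1)[1].split("/", 1)[0]

BAD_HOSTS = {host_of(refang(u)) for u in INDICATORS["payload"] + INDICATORS["c2"]}

def classify(line):
    """Return the sorted list of reasons one log line matches this campaign."""
    low = line.lower()
    hits = {kind for kind, urls in INDICATORS.items() if any(refang(u) in low for u in urls)}
    if any(h in low for h in BAD_HOSTS):
        hits.add("known-bad-host")      # other paths on the same IPs still count
    if DOC_MD5 in low:
        hits.add("doc-md5")
    if LURE_SUBJECT.search(line):
        hits.add("lure-subject")
    return sorted(hits)

def scan(lines):
    """Triage log lines; returns [(line_no, reasons)] for the lines that hit."""
    results = [(n, classify(l)) for n, l in enumerate(lines, 1)]
    return [(n, r) for n, r in results if r]

# Constructed sample lines (not from the post) in a simple gateway/proxy style.
SAMPLE_LOG = [
    'mail subject="AmericanAirlines discount" url=http://www.webdataupllinks.net/rety/tick-834.doc',
    'mail subject="American Airlines itinerary" url=https://example.test/itinerary',
    "proxy client=10.0.0.7 GET http://216.170.126.3/wfil/file.exe 200",
    "proxy client=10.0.0.7 POST http://216.170.118.4/wes/offers.php 200",
    "av file=ticket.doc md5=4FDE04B25EA20B6AB30C5E4984E01AFC verdict=clean",
]

print(scan(SAMPLE_LOG))
```

Note that a hit on the C2 URL also raises "known-bad-host", since the callback shares an IP with the second payload location.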


#AA #AmericanAirlines – Just realized that AA stands for my name too. So were the threat actors targeting the American Airlines or Arsh Arora, in disguise of AA?

Thanks for that guest post, Arsh! Be on the lookout for a new paper about the spam campaigns of Kelihos at an upcoming conference based on Arsh's studies.
