Ziggo ransomware phishing campaign still increasing in size

Introduction

Fox-IT’s Security Operations Center (SOC) observed fake Ziggo invoice e-mails, since October 6th 2016, linking to a ransomware variant known as TorrentLocker.

The group behind TorrentLocker was previously observed, back in 2014, using fake Dutch postal service e-mails imitating PostNL. This distribution method of abusing local postal service names was seen in many of the countries where this threat was active, and was also documented in CERT PL’s report ‘Going Postal’ published last year. After continuous takedowns of the fake invoice domains with the help of Abuse.CH, the group ceased its activities in the Netherlands near the end of 2014, but continued in several other countries around the world.

The switch from fake track-and-trace e-mails from postal services (used from 2014 until 2016) to fake invoices from the Dutch ISP Ziggo is a notable change in the modus operandi of the group behind TorrentLocker.

The reach of this e-mail campaign is rapidly increasing as a result of TorrentLocker stealing the address books from its victims to expand its list of new targets. Every successful infection increases the reach of the malicious e-mail campaign significantly. 

Current phishing e-mail

The e-mail below is an example of the phishing e-mail, which mimics the real Ziggo invoice e-mails:

Example of Ziggo phishing e-mail

The e-mail above contains a link to a fake Ziggo page that will force the user to download a ZIP file with the supposed invoice inside. The ZIP file contains a JavaScript file which will, when executed by the victim, download the TorrentLocker ransomware from a compromised WordPress website. When the victim’s data is encrypted, TorrentLocker shows the screen below, still using the name ‘Crypt0L0cker’, as seen 2 years ago:

TorrentLocker lock screen

Indicators of compromise

Currently (October 6th 2016) active campaign distribution domain:

  • ziggo-online23.org / 212.92.97.28

Other Ziggo domains used in previous e-mail campaigns:

  • ziggo-online23.org
  • ziggo-online12.com
  • ziggo-online247.net
  • ziggo-online24.net
  • ziggo-online24.org
  • ziggo-factuur84.org
  • ziggo-factuur23.org

All domains used by the group behind TorrentLocker are registered at REG.RU. With the continued effort of Abuse.CH we have been taking down these domains as soon as they appear.

TorrentLocker initially communicates via SSL to several IPs to reach its command and control server. The current IP being used for this communication is:

  • 185.40.152.22

The certificate used for this SSL connection typically contains the following static subject information (more samples and information on these SSL certificates can be found on Abuse.CH’s SSL Blacklist):

  • C=US, ST=Denial, L=Springfield, O=Dis

After the initial SSL connection, all other network communication is run through Tor. Files encrypted by TorrentLocker get the ‘.enc’ extension appended. More details on the prevention of ransomware can be found in our earlier TorrentLocker blog: New Torrentlocker variant active in the Netherlands.
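As an added example (not Fox-IT’s own tooling), the following Python scans a constructed connection log for the indicators listed above: the known distribution domains and IPs, the ‘ziggo-online/ziggo-factuur plus number’ naming pattern generalised from the domain list (an assumption), and the static certificate subject, matched field by field so that a certificate which adds a CN still triggers.

```python
import re
# Constructed sample log (not from the post): src_ip dst_host dst_ip tls_subject ('-' = absent).
SAMPLE_LOG = """\
10.0.0.5 ziggo-online23.org 212.92.97.28 -
10.0.0.7 www.ziggo.nl 203.0.113.10 C=NL, O=Ziggo B.V., CN=www.ziggo.nl
10.0.0.5 - 185.40.152.22 C=US, ST=Denial, L=Springfield, O=Dis
10.0.0.9 ziggo-factuur91.org 198.51.100.4 -
10.0.0.9 example.org 198.51.100.9 C=US, ST=Denial, L=Springfield, O=Dis, CN=example.org
"""

# Indicators listed in the post above.
KNOWN_DOMAINS = {"ziggo-online23.org", "ziggo-online12.com", "ziggo-online247.net",
                 "ziggo-online24.net", "ziggo-online24.org",
                 "ziggo-factuur84.org", "ziggo-factuur23.org"}
KNOWN_IPS = {"212.92.97.28", "185.40.152.22"}
STATIC_SUBJECT = {"C": "US", "ST": "Denial", "L": "Springfield", "O": "Dis"}
# Assumed generalisation of the naming scheme visible in the domain list.
LOOKALIKE = re.compile(r"^ziggo-(online|factuur)\d+\.(org|com|net)$")

def parse_subject(subject):
    """Turn 'C=US, ST=Denial, ...' into a dict; '-' or junk yields {}."""
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def subject_is_static(subject):
    """True when every static field from the post is present with the same value."""
    fields = parse_subject(subject)
    return all(fields.get(k) == v for k, v in STATIC_SUBJECT.items())

def classify(line):
    """Return the reasons a log line is suspicious (empty list when it is clean)."""
    _src, host, ip, subject = line.split(" ", 3)
    reasons = []
    if host in KNOWN_DOMAINS:
        reasons.append("known distribution domain")
    elif LOOKALIKE.match(host):
        reasons.append("ziggo lookalike domain pattern")
    if ip in KNOWN_IPS:
        reasons.append("known TorrentLocker IP")
    if subject_is_static(subject):
        reasons.append("static TorrentLocker C2 certificate subject")
    return reasons

def scan(log):
    """Map each suspicious log line to its reasons; clean lines are dropped."""
    return {l: classify(l) for l in log.splitlines() if l.strip() and classify(l)}
```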

LinkedIn information used to spread banking malware in the Netherlands

Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center has been detecting a large number of phishing e-mails containing a malicious Word document. This e-mail campaign appears to target the Netherlands, using Dutch text in both the e-mail and the Word document. The content of the e-mail:

Geachte Firstname Lastname,
RoleCompany
Wij schrijven u in verband met de factuur met nummer 014321463. De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. Vriendelijk verzoeken wij u het openstaande bedrag te betalen.
Betaling graag zo spoedig mogelijk.
Met vriendelijke groet,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970

In English:

Dear Firstname Lastname,
RoleCompany
We are writing to you regarding invoice number 014321463. The invoice has been outstanding since 9-jun-16. The outstanding amount is 2,487.50 Euro. We kindly request that you pay the outstanding amount.
Please pay as soon as possible.
Kind regards,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970

The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.

The subject of the e-mail contains the company name, followed by a semi-random invoice-related phrase. Some examples:

  • Company : De nota is nog niet betaald (The invoice has not been paid yet)
  • Company – De nota is onbetaald gebleven (The invoice has remained unpaid)
  • Company – Uw laatste factuur wacht op betaling (Your latest invoice is awaiting payment)

At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.

The e-mail contains a Word document with a Macro. The name of the document is also based on personal information of the receiver:

  • Company-Firstname-Lastname.doc

Screenshot of the phishing campaign

The content of the Word document appears to be scrambled; this is an attempt to trick the user into running the embedded Macro in order to view the document.

The Macro retrieves a binary from the following (likely compromised) website:

  • ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)

The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. In this case, Zeus Panda always connects to the following domain and IP using SSL:

  • skorianial.com / 107.171.187.182

Zeus Panda is a banking malware family based on the Zeus source code; more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

The following SSL certificate is used by the Panda Zeus Command and Control server:

If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.