Multi-Angle Locky
This attack arrived as an email carrying an attachment of file type RAR. The extension would normally indicate a “rar” compressed archive, but more than an innocent compressed object was embedded in the file. The attached file was named CCE followed by the date and a random number - something like “CCE29032016_00058.rar” - 29032016 being the date the attack occurred. According to email data, the flood of emails containing the attack was released sometime in the early morning of the above date and originated from Eastern Europe, possibly a Russian location.
The content of the attachment was a JavaScript file that used clever obfuscation to hide the fact that it was performing a trojan drop from various locations across the internet. The URL locations indicated that the websites were legitimate but had previously been compromised due to poor security practices and were being used to participate in the scheme by hosting the malicious objects that would be dropped once the victim opened the attachment and the system executed the JavaScript file.
Initial examination of a sample attachment file shows the embedded object:
And using a different tool:
After decompression, the embedded JS file was obtained and the contents of the JavaScript file made available:
The obfuscation technique appears to use a dictionary of random words to name variables and functions. The core of the attack lies in the URL that is used to obtain the drop that would further contaminate the system:
The above function calls the URL “h**p://pasirputih-jbi.com/76g8h8y7” (resolving at the time to 103.29.215.191). The list of URLs used in this attack indicates that a lot of effort went into preparing the scenario and resources, and into providing multiple methods of avoiding detection and network blocking.
Other URLs used:
h**p://demoweb.ir/76g8h8y7
h**p://pasirputih-jbi.com/76g8h8y7
h**p://divinite.mx/76g8h8y7
h**p://canceralia.eu/
h**p://slacwpa.org/
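As an added triage helper (not part of the original analysis), the Python below applies the observations above to a sample: it collapses the split string literals such obfuscated downloaders use, extracts and defangs the embedded URLs, flags path tokens shared across several hosts (the “/76g8h8y7” marker here), and parses the CCE<ddmmyyyy>_<number>.rar attachment name into a date. The JavaScript snippet and its dictionary-word identifiers are constructed for the example, not the real sample.

```python
import re
from datetime import datetime

# Constructed stand-in for the obfuscated script: dictionary-word identifiers
# and URLs assembled from split string literals (not the real Locky dropper).
SAMPLE_JS = r'''
var harbor = "ht" + "tp://" + "demoweb.ir" + "/76g8h8y7";
var meadow = "http://divinite.mx/76g8h8y7";
var lantern = "http://canceralia.eu/";
var pebble = harbor;
'''

ATTACHMENT_RE = re.compile(r"^CCE(\d{8})_(\d+)\.rar$")      # CCE<ddmmyyyy>_<n>.rar
CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')  # "a" + "b"
URL_RE = re.compile(r"https?://[^\s\"';)]+")

def join_string_literals(js: str) -> str:
    """Collapse chains of "a" + "b" + "c" into one literal until nothing changes."""
    while True:
        new = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if new == js:
            return js
        js = new

def defang(url: str) -> str:
    """Render a URL non-clickable for reporting, in the h**p style used above."""
    return url.replace("http", "h**p", 1)

def extract_urls(js: str) -> list[str]:
    """URLs present in the script once simple concatenation is undone."""
    return URL_RE.findall(join_string_literals(js))

def shared_path_tokens(urls: list[str]) -> dict[str, int]:
    """Path components seen under more than one host: a campaign-wide marker
    that can be blocked on a proxy regardless of which compromised site serves it."""
    hosts_by_token: dict[str, set[str]] = {}
    for u in urls:
        host, _, path = u.split("://", 1)[1].partition("/")
        for token in filter(None, path.split("/")):
            hosts_by_token.setdefault(token, set()).add(host)
    return {t: len(h) for t, h in hosts_by_token.items() if len(h) > 1}

def parse_attachment_name(name: str):
    """Return the campaign date encoded in the attachment name, or None."""
    m = ATTACHMENT_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d%m%Y").date()
```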
Virus Total provided several classifications for the malicious object: