TorrentLocker Campaign Exploits Spanish Utility Brand

By on Jun 01, 2016

At McAfee we see waves of new ransomware just about every week, with the most popular families spreading via spam, exploit kits, and other methods. Recently we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.

[Image: spam email]

The email includes a link to the fake invoice from a subdomain that appears to be part of Endesa.

  • http://s5z.endesa-clientes[.]com/igj84o.php?id=bWFyY0BrYXBhb2x0aXMuY2F0

The bad guys have actually registered a domain that is similar to the real Endesa domain.

The group behind this campaign has registered several subdomains; we have detected some of them:


All the domains were registered on the same day we discovered them, so we can tell they are all used by this campaign.
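As an added defender-side example (not code from the McAfee post), the checker below scans constructed proxy-log lines for URLs under the lookalike domain named above and decodes the `id` parameter of the invoice link, which is base64 and in the sample link decodes to an e-mail address, i.e. the targeted recipient. The log format, the `victim@example.com` value and the watchlist contents are constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse, parse_qs

# Constructed watchlists: the lookalike domain registered by the campaign
# and the legitimate brand domain it imitates.
LOOKALIKE_DOMAINS = {"endesa-clientes.com"}
LEGIT_DOMAINS = {"endesa.com"}

# Constructed proxy-log lines (timestamp, client, method, URL); the first
# mirrors the defanged invoice link from the spam email.
SAMPLE_LOG = [
    "2016-06-01T09:12:03 10.0.0.21 GET http://s5z.endesa-clientes[.]com/igj84o.php?id=dmljdGltQGV4YW1wbGUuY29t",
    "2016-06-01T09:12:10 10.0.0.21 GET https://www.endesa.com/es/clientes",
    "2016-06-01T09:13:44 10.0.0.34 GET http://ipinfo.io/json",
]

def matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def decode_id(value):
    """Base64-decode the id parameter (tolerating stripped padding); None if not text."""
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def analyze_url(url):
    """Classify one URL; '[.]' defanging is undone before parsing."""
    parsed = urlparse(url.replace("[.]", "."))
    host = parsed.hostname or ""
    verdict = {"host": host, "suspicious": False, "reasons": [], "decoded_id": None}
    if matches(host, LOOKALIKE_DOMAINS):
        verdict["suspicious"] = True
        verdict["reasons"].append("host under known lookalike domain")
    elif "endesa" in host and not matches(host, LEGIT_DOMAINS):
        verdict["suspicious"] = True
        verdict["reasons"].append("brand string in a non-brand domain")
    for raw in parse_qs(parsed.query).get("id", []):
        decoded = decode_id(raw)
        if decoded and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", decoded):
            verdict["decoded_id"] = decoded  # likely the targeted recipient
            verdict["reasons"].append("id parameter decodes to an e-mail address")
    return verdict

def scan_proxy_log(lines):
    """Return verdicts for the suspicious URLs found in the log lines (URL is the last field)."""
    return [v for v in (analyze_url(l.split()[-1]) for l in lines if l.strip()) if v["suspicious"]]
```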


Malware analysis

The “invoice” is a Zip archive containing a JavaScript file that downloads the ransomware:

[Image: JavaScript TorrentLocker downloader]

The sample is executed by wscript and downloads the ransomware executable.

[Image: pcap conversations]

The JavaScript contacts several hosts to download the ransomware and also looks up the victim's IP address via the ipinfo service.

[Image: ransomware download pcap]

TorrentLocker

The downloaded ransomware is TorrentLocker, which after execution displays the ransom note with instructions. TorrentLocker uses the same control server as always.

[Image: C&C traffic]

In the ransom note, the victim finds his or her user code and user password. After the victim enters the user data, the ransomware provides further details for payment.

[Image: TorrentLocker payment page]

Our analysis found that no one had yet paid using the Bitcoin address.

[Image: blockchain record for the Bitcoin address]

Conclusion

As always, TorrentLocker uses a strong social engineering element in this campaign, employing Endesa’s well-known brand to spread malware. As we have seen in the Correos campaign that targeted Spain, Italy, and other countries, the bad guys behind TorrentLocker are using similar domains to spread these malicious binaries.

We recommend that McAfee customers apply the countermeasures we discuss in our report Combating Ransomware.


Hashes for indicators of compromise used in this analysis:

  • 6f51c87fd86c43c94ca045484c2cd6e5
  • 0aba9cace182e6b5178e1aac59a9bbed
  • ec11c3a1be57b62e7fbede4b01b79836
  • 3f536096c1fc207c8df74f346baa7bb1


About the Author

McAfee
