TorrentLocker Campaign Exploits Spanish Utility Brand


At McAfee we see waves of new ransomware just about every week, with the most popular families spreading via spam, exploit kits, and other methods. Recently we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.

Spam Email

The email includes a link to the fake invoice, hosted on a subdomain that appears to belong to Endesa.

  • http://s5z.endesa-clientes[.]com/igj84o.php?id=bWFyY0BrYXBhb2x0aXMuY2F0

The attackers have registered a domain, endesa-clientes[.]com, that closely resembles the real Endesa domain.

The group behind this campaign has registered several subdomains; we have detected some of them:

ahf[.]endesa-clientes[.]com
byal[.]endesa-clientes[.]com
bzb[.]endesa-clientes[.]com
d2xp[.]endesa-clientes[.]com
ebu[.]endesa-clientes[.]com
ej0y[.]endesa-clientes[.]com
endesa-clientes[.]com
grgz[.]endesa-clientes[.]com
k06p[.]endesa-clientes[.]com
kdd[.]endesa-clientes[.]com
nr2[.]endesa-clientes[.]com
nxs[.]endesa-clientes[.]com
yw9[.]endesa-clientes[.]com

All the domains were registered on the same day we discovered them, which confirms that they all belong to this campaign.

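Defenders who want to act on the domains above usually need two things: the defanged indicators turned back into a matchable form, and a check that also catches lookalikes the list does not yet contain. The following script is an added example (not McAfee's tooling) that does both over a constructed proxy log. It assumes endesa.com is the legitimate domain, assumes a log line shape of "timestamp client-ip url", and uses a constructed base64 id value rather than the one observed in the real link.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Brand being impersonated and its legitimate domain (assumption: endesa.com).
BRAND = "endesa"
LEGITIMATE_DOMAINS = {"endesa.com"}

# Lookalike domain and subdomains from the analysis above, kept defanged as published.
DEFANGED_IOCS = [
    "endesa-clientes[.]com",
    "ahf[.]endesa-clientes[.]com", "byal[.]endesa-clientes[.]com",
    "bzb[.]endesa-clientes[.]com", "d2xp[.]endesa-clientes[.]com",
    "ebu[.]endesa-clientes[.]com", "ej0y[.]endesa-clientes[.]com",
    "grgz[.]endesa-clientes[.]com", "k06p[.]endesa-clientes[.]com",
    "kdd[.]endesa-clientes[.]com", "nr2[.]endesa-clientes[.]com",
    "nxs[.]endesa-clientes[.]com", "yw9[.]endesa-clientes[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a form that matches logs."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://")
            .lower())


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    """'ioc' for a known campaign domain, 'lookalike' for any other host carrying the
    brand name outside its legitimate domain, 'ok' otherwise."""
    host = host.lower().rstrip(".")
    if any(is_under(host, d) for d in IOC_DOMAINS):
        return "ioc"
    if any(is_under(host, d) for d in LEGITIMATE_DOMAINS):
        return "ok"
    return "lookalike" if BRAND in host else "ok"


def decode_tracking_id(url: str):
    """Decode an 'id' query parameter when it is valid base64 printable text, else None.
    Assumption (not stated in the analysis): such a value is a per-recipient token, which
    tells the responder which mailbox received and clicked the lure."""
    values = parse_qs(urlsplit(url).query).get("id")
    if not values:
        return None
    try:
        text = base64.b64decode(values[0], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_proxy_log(lines):
    """Return (client, url, verdict, tracking_id) for each line whose host is an IoC
    or a brand lookalike. Assumed line format: '<timestamp> <client-ip> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[1], parts[2]
        verdict = classify_host(urlsplit(url).hostname or "")
        if verdict != "ok":
            hits.append((client, url, verdict, decode_tracking_id(url)))
    return hits


# Constructed sample log: a hit on the campaign domain (constructed id, not the real one),
# a legitimate Endesa visit, an unrelated brand lookalike, and a benign site.
SAMPLE_LOG = """\
2016-05-10T09:01:12Z 10.0.0.15 http://s5z.endesa-clientes.com/igj84o.php?id=dXNlckBleGFtcGxlLmNvbQ==
2016-05-10T09:01:40Z 10.0.0.15 https://www.endesa.com/
2016-05-10T09:02:03Z 10.0.0.22 http://endesa-facturas.example/invoice.php?id=notbase64!
2016-05-10T09:02:30Z 10.0.0.31 https://www.example.org/
"""

if __name__ == "__main__":
    for client, url, verdict, tid in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:9} {client:12} {url}  id={tid}")
```

The lookalike check is deliberately broad (any host containing the brand name outside endesa.com); in production it would be paired with an allowlist of the brand's other legitimate domains to keep the false-positive rate down.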

Malware analysis

The “invoice” is a Zip archive containing a JavaScript file that downloads the ransomware:

[Image: the JavaScript TorrentLocker downloader]

The sample is executed by wscript and downloads the ransomware executable.

[Image: pcap conversations of the downloader]

The JavaScript contacts various hosts to download the ransomware and also checks the IP address with the ipinfo service.
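The behaviour described above (wscript running a script extracted from a Zip, a public IP lookup, then an executable download) is a chain that endpoint telemetry can catch even when the domains change. The script below is an added example, not McAfee's detection content, that correlates constructed process and network events by PID within a short window and scores the chain. It assumes the IP lookup service is ipinfo.io and that the telemetry provides image path, command line, PID, destination host, URL, and content type.

```python
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Locations where an attachment extracted from a Zip typically lands.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\")
# Host the downloader queries for the victim's public IP (assumption: ipinfo.io).
IP_LOOKUP_HOSTS = {"ipinfo.io"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(minutes=5)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def is_script_host_from_user_path(ev: dict) -> bool:
    """True for a wscript/cscript launch whose script argument lives in a user-writable path."""
    if ev["type"] != "process":
        return False
    if ev["image"].lower().rsplit("\\", 1)[-1] not in SCRIPT_HOSTS:
        return False
    cmd = ev["cmdline"].lower()
    return any(ext in cmd for ext in SCRIPT_EXTS) and any(p in cmd for p in USER_WRITABLE)


def correlate(events):
    """Pair each suspicious script-host launch with the network activity its PID produced
    within WINDOW; score = number of matched stages (launch, IP lookup, executable download)."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if not is_script_host_from_user_path(ev):
            continue
        start = parse_ts(ev["ts"])
        net = [e for e in events[i + 1:]
               if e["type"] == "network" and e["pid"] == ev["pid"]
               and parse_ts(e["ts"]) - start <= WINDOW]
        if not net:
            continue
        reasons = ["script host launched from user-writable path"]
        if any(e["host"] in IP_LOOKUP_HOSTS for e in net):
            reasons.append("public IP lookup")
        if any(e.get("content_type") in BINARY_TYPES or e["url"].lower().endswith(".exe") for e in net):
            reasons.append("executable download")
        alerts.append({"pid": ev["pid"], "cmdline": ev["cmdline"],
                       "hosts": [e["host"] for e in net],
                       "score": len(reasons), "reasons": reasons})
    return alerts


# Constructed telemetry: one infection chain (PID 4120) and one benign logon script (PID 5010).
SAMPLE_EVENTS = [
    {"ts": "2016-05-10T09:01:15", "type": "process", "pid": 4120,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\ana\\AppData\\Local\\Temp\\factura.js"},
    {"ts": "2016-05-10T09:01:16", "type": "network", "pid": 4120, "host": "ipinfo.io",
     "url": "http://ipinfo.io/json", "content_type": "application/json"},
    {"ts": "2016-05-10T09:01:18", "type": "network", "pid": 4120, "host": "download.example",
     "url": "http://download.example/update.exe", "content_type": "application/octet-stream"},
    {"ts": "2016-05-10T09:05:00", "type": "process", "pid": 5010,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Scripts\\logon.vbs"},
    {"ts": "2016-05-10T09:05:01", "type": "network", "pid": 5010, "host": "intranet.example",
     "url": "http://intranet.example/", "content_type": "text/html"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["score"], alert["pid"], alert["cmdline"], alert["reasons"])
```

A score of 3 is the full chain seen in this campaign; a score of 1 (script host from Temp with any network activity) is still worth a ticket in most environments. Preventive counterparts are well known: disabling Windows Script Host via the Enabled value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, or re-associating .js files with a text editor so a double-click from a Zip does not execute them.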

[Image: pcap of the ransomware download]

TorrentLocker

The downloaded ransomware is TorrentLocker, which after execution displays the ransom note with instructions. TorrentLocker uses the same control server as always.

[Image: control server traffic]

In the ransom note, the victim finds his or her user code and user password. After the victim enters the user data, the ransomware provides further details for payment.

[Image: TorrentLocker payment page]

At the time of our analysis, the Bitcoin address in the ransom note had received no payments.

[Image: blockchain record of the Bitcoin address]

Conclusion

As always, TorrentLocker uses a strong social engineering element in this campaign, employing Endesa’s well-known brand to spread malware. As we have seen in the Correos campaign that targeted Spain, Italy, and other countries, the bad guys behind TorrentLocker are using similar domains to spread these malicious binaries.

We recommend that McAfee customers apply the countermeasures we discuss in our report Combating Ransomware.

 

Hashes for indicators of compromise used in this analysis:

  • 6f51c87fd86c43c94ca045484c2cd6e5
  • 0aba9cace182e6b5178e1aac59a9bbed
  • ec11c3a1be57b62e7fbede4b01b79836
  • 3f536096c1fc207c8df74f346baa7bb1
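The four values above are 32 hex characters, so they are MD5 digests. An added example follows (not McAfee's tooling) of sweeping a directory tree for files whose MD5 matches the list, parsing the hashes directly from the bullet text as published. Because no real sample is available here, the block also builds a constructed directory with a stand-in file so the sweep can be exercised end to end.

```python
import hashlib
import os
import re
import tempfile

# Hashes from the analysis above, in the bullet form they are published.
IOC_HASH_TEXT = """
  • 6f51c87fd86c43c94ca045484c2cd6e5
  • 0aba9cace182e6b5178e1aac59a9bbed
  • ec11c3a1be57b62e7fbede4b01b79836
  • 3f536096c1fc207c8df74f346baa7bb1
"""

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def load_md5_iocs(text: str) -> set:
    """Extract every 32-hex-digit value from indicator text, lower-cased."""
    return {m.group(0).lower() for m in HEX32.finditer(text)}


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: set, max_size: int = 50 << 20):
    """Walk root and return [(path, md5)] for files whose MD5 is in iocs.
    Files larger than max_size are skipped to keep the sweep fast; unreadable files are ignored."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest))
    return sorted(matches)


def make_demo_tree():
    """Create a constructed directory with one stand-in 'sample' and one benign file.
    Returns (root, sample_path, sample_md5) so the sweep can run without real malware."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    sample = os.path.join(root, "factura.exe")
    with open(sample, "wb") as f:
        f.write(b"constructed stand-in for a dropped sample")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign")
    return root, sample, md5_of_file(sample)


if __name__ == "__main__":
    iocs = load_md5_iocs(IOC_HASH_TEXT)
    root, sample, digest = make_demo_tree()
    print("published IoCs only:", sweep(root, iocs))          # nothing matches the stand-in
    print("with stand-in added:", sweep(root, iocs | {digest}))  # stand-in is reported
```

In practice the IoC set would be loaded from a feed rather than pasted text, and the sweep pointed at user profile directories and Temp, where both the Zip contents and the downloaded executable would land.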

 
