Late last week while the WannaCry ransomware was causing major panic across the internet, another threat was re-emerging as well. After a relatively quiet several months and in the early hours of the morning on May 11th, the Necurs botnet started blasting out malicious emails again in massive volumes. Throughout most of 2016 we were seeing this botnet distributing the Locky ransomware and the Dridex Banking Trojan, until a large fall-off in volume around December 24th. While traffic had never ceased, daily traffic was only about one tenth of the volume we had been seeing prior to. On the morning of May 11th that all changed, the monster had awakened and had picked up right where it left off, sending email en-masse containing both a new ransomware strain dubbed “Jaff” as well as copies of the Dridex banking Trojan. After slowing over the weekend, as botnet campaigns always do, this morning the malicious email campaigns were back at it.
Both malware campaigns are using PDF files with an embedded Word Document which contains a malicious VBA Macro.
Current Jaff ransomware messages:
Opening the Word Document inside the PDF and enabling editing, allows the macro script to run on the host machine. The malware then reaches out to any one of multiple call home domains to fetch the ransomware binary. After a successful connection to the call home domain, in this case enboite[dot]be, the binary is downloaded and the malware goes to work encrypting files on the host machine. You can see here where the ransomware got its name as it appends the extension [dot]jaff to the victim’s files as they are encrypted.
The processes and techniques that Jaff uses during the infection process have many similarities to the Locky ransomware, which leads us to believe this is simply the new strain from the same individual or group responsible for Locky. The Jaff ransomware is currently demanding roughly $1800 payment via Bitcoin.
Dridex Banking Trojan
The Dridex Banking Trojan is being sent be the same botnet and uses a nearly identical infection vector but with slightly varied message content. The Dridex Trojan has been in circulation for years now but is still successfully being used to commit financial theft.
Current Dridex Banking Trojan messages:
The Jaff ransomware while it does differ, may just be the new iteration of Locky ransomware. While Dridex Banking Trojan as well has morphed over time. It was once known as Zeus. After being redeveloped and built upon, it became known as Cridex and after again later changes returned as Dridex. This goes to show That the cybercrime groups undertaking these malware families also go through periods of redevelopment just as any software creator would. For now, though, they are back to their old tricks but with a new toy.
And of course, all SecureTide customers are protected from the threats described above.