Odin

Possibly named after the Norse god of war, Odin is the latest Locky persona [read: variant] hitting mailboxes. This shift was detected by our ‘MailRunner’ classifier, which we’ll dissect in a future blog post.

Odin very much resembles another Locky variant, Zepto. Truth be told, these are all likely just improvements by the author to fix bugs, or simply a shift in approach to make signature matching more difficult, rather than a completely new variant. Odin comes after a slight dip over the weekend in the number of samples we saw hitting our classifier, so perhaps the authors took a break to pull in some changes.

Let’s take a look at some of the traits of Odin.

Delivery

Odin stays consistent by conveniently arriving in your mailbox posing as something important. We noticed two different patterns with the inbound emails that match prior Locky/Zepto campaigns:

                       | Pattern 1                                            | Pattern 2
Source Email Domain    | Reverse MX lookup                                    | No association with recipient
Source Email User      | (?:[A-Z])(?:[a-z]{1,})(?:[0-9]{1,3})                 | (?:[A-Z])(?:[a-z]{1,})\.(?:[0-9]{1,4})
Subject                | Re: Documents Requested and FW:Documents Requested   | Updated invoice #(?:[0-9]{7})
Filename               | (?:[newdoc|doc|untitled])(?:[0-9]{1,3})\.zip         | (?:[a-f0-9]{8,14})\.zip
Uncompressed Filename  | (?:[A-Z0-9]{10})\.wsf or just CJPOG21534.wsf         | (?:[a-zA-Z]) hidden file and Updated invoice pdf (?:[A-Z0-9]{5})\.wsf
  • Pattern 1 – Source Email Domain: Arriving from a source address with a domain that your public email server is responsible for. My intuition is that the attacker performs a reverse MX record lookup using the mail server defined for your domain to find other domains for which that mail server is responsible.
  • Pattern 1 – Source Email User: User emails followed a (?:[A-Z])(?:[a-z]{1,})(?:[0-9]{1,3}) regex pattern with values such as Terrie12@somedomain.com, Wilma821@somedomain.com, Dave1@somedomain.com …
  • Pattern 1 – Subject: Subject lines here pose as either a reply or forward for a Documents Requested thread.
  • Pattern 1 – Filename: Filenames appeared to follow a (?:[newdoc|doc|untitled])(?:[0-9]{1,3})\.zip regex with names such as newdoc12.zip, doc0.zip, and untitled9.zip.
  • Pattern 1 – Uncompressed Filename: The filename in most samples was ‘CJPOG21534.wsf’; however, it’s possible there is a larger pattern.
  • Pattern 2 – Source Email Domain: Pattern 2 domains appeared to have no relationship with the recipient email address and were potentially open mail relays or compromised mail forms.
  • Pattern 2 – Source Email User: User emails followed a (?:[A-Z])(?:[a-z]{1,})\.(?:[0-9]{1,4}) regex pattern with values such as John.4211@somedomain.com, Robert.45@somedomain.com, Gloria.244@somedomain.com.
  • Pattern 2 – Subject: These subjects follow the ‘invoice’ theme, with ‘Updated invoice’ followed by a 7-digit number.
  • Pattern 2 – Filename: Filenames here appear to follow a (?:[a-f0-9]{8,14})\.zip regex: 8 to 14 hex characters followed by .zip.
  • Pattern 2 – Uncompressed Filename: Two files existed in this pattern: one hidden file with just a single-character name, and a .wsf file.
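Putting the two delivery patterns to work as a mail-gateway check, as an added example (not code from the original post or from the MailRunner classifier). The sender, subject and archive-name traits are the regexes from the table above; the archive alternation is written as (?:newdoc|doc|untitled) rather than the post's character-class form, which is what the newdoc12.zip / doc0.zip / untitled9.zip examples imply. The LOCAL_DOMAINS set, the Message structure and the sample messages are constructed for the example, and the 4-of-5 trait threshold is an assumed tuning value.

```python
import re
from dataclasses import dataclass, field

# Domains our public mail server accepts mail for (constructed sample).
# Pattern 1 senders spoof one of these; Pattern 2 senders are unrelated to the recipient.
LOCAL_DOMAINS = {"example.com", "example.org"}

# Traits of the two Odin delivery patterns, applied to the sender's local part,
# the subject line and the attached archive name.
PATTERNS = {
    "pattern1": {
        "user": re.compile(r"^[A-Z][a-z]+[0-9]{1,3}$"),
        "subject": re.compile(r"^(?:Re|FW):\s*Documents Requested$"),
        "zipname": re.compile(r"^(?:newdoc|doc|untitled)[0-9]{1,3}\.zip$"),
        "local_domain": True,
    },
    "pattern2": {
        "user": re.compile(r"^[A-Z][a-z]+\.[0-9]{1,4}$"),
        "subject": re.compile(r"^Updated invoice #[0-9]{7}$"),
        "zipname": re.compile(r"^[a-f0-9]{8,14}\.zip$"),
        "local_domain": False,
    },
}


@dataclass
class Message:
    sender: str
    subject: str
    zip_name: str                                 # attached archive name, "" if none
    members: list = field(default_factory=list)   # file names inside the archive


def matched_traits(msg, name):
    """Return the traits of the named pattern that msg exhibits."""
    spec = PATTERNS[name]
    user, _, domain = msg.sender.rpartition("@")
    hits = []
    if (domain.lower() in LOCAL_DOMAINS) == spec["local_domain"]:
        hits.append("domain")
    if spec["user"].match(user):
        hits.append("user")
    if spec["subject"].match(msg.subject):
        hits.append("subject")
    if spec["zipname"].match(msg.zip_name):
        hits.append("zipname")
    # Both patterns deliver a Windows Script File inside the archive.
    if any(m.lower().endswith(".wsf") for m in msg.members):
        hits.append("wsf")
    return hits


def classify(msg, threshold=4):
    """Return (pattern, traits) for the best-matching pattern, or (None, []).

    Requiring 4 of 5 traits keeps a genuine 'Re: Documents Requested' reply
    or a lone external .zip from tripping the rule on its own.
    """
    best = (None, [])
    for name in PATTERNS:
        hits = matched_traits(msg, name)
        if len(hits) >= threshold and len(hits) > len(best[1]):
            best = (name, hits)
    return best


# Constructed sample messages: one of each pattern and one benign external mail.
SAMPLES = [
    Message("Terrie12@example.com", "Re: Documents Requested",
            "newdoc12.zip", ["CJPOG21534.wsf"]),
    Message("John.4211@mailer.invalid", "Updated invoice #4711234",
            "3fa9c1e0b7.zip", ["k", "Updated invoice pdf A1B2C.wsf"]),
    Message("alice@partner.invalid", "Q3 report", "report.zip", ["report.pdf"]),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.sender, "->", classify(msg))
```

The "domain" trait of Pattern 2 is simply "not one of ours", which most legitimate mail also satisfies; that is why the threshold counts traits rather than stopping at the first hit, and why the .wsf-inside-archive check is worth adding even though it is not in the table.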

Downloader

The downloaders in both patterns were obfuscated Windows Script Files. Both appeared to be obfuscated using different techniques seen in previous Locky/Zepto campaigns:

The first pattern used a structure very familiar from Locky/Zepto: 3 JavaScript blocks with content wrapped in CDATA tags. As each block executes, it deobfuscates the next, performing various checks along the way to detect a sandbox environment. One notable difference in the encoding was the abundant use of the ‘decodeHexLONG’ variable.

The second pattern passes its entire encoding through an eval(), which can be dumped to gain better insight into what it is doing.

[Image: second layer]

The Mystery File

The single-character-named file in the second pattern is interesting. There doesn’t appear to be any point in the overall infection where this file is touched, which may imply it was included by mistake. File sizes for these files vary, and they all contain binary data. Could this be a key or something valuable for decrypting infected files? I’d love to hear back from you if anyone uncovers what this does. Here’s an example of one:

Locky Odin Infection

The downloader fetched an obfuscated DLL which is responsible for the infection.

                 | Pattern 1                                  | Pattern 2
Download URL     | Various (?:.*/g766d4ft?rRffpf=NrdcbOsmH)   | Various (?:[a-zA-Z0-9]{3,8})
Download Server  | Various (nginx, Apache, …)                 | Various (nginx/1.10.1, LiteSpeed, …)
Sample Filename  | OesxPJXWfao1.dll                           | ughGZjTSwn.dll
Sample MD5       | 9B3DE41F4106963A50E9AF2566912451           | 27DFFCFF609AAF6CFABF0304B52DFB74
Sample SHA1      | 7BBA55F6A117D8C5CFD0D41A5C1ECFA6136BB092   | 7B1E0ED52B2D801B6F8E346D9CDAEBE885B99946
Arch             | 32-bit                                     | 32-bit
File Version     | 6.1.7601.17621                             | 2.0.4.0
Company          | Microsoft Corporation                      | ACE Compression Software
Link Date        | 11:15 AM 9/26/2016                         | 8:00 AM 9/26/2016
POST Server URI  | /apache_handler.php                        | /apache_handler.php

The differing company names for the two patterns imply that one of the samples may be packed. Let’s take a quick look at their entry points.

Entry Points

Pattern 1 mostly downloaded Odin from a single location:

  • resboiu[.]ro:80/g766d4ft?rRffpf=NrdcbOsmH

However, newer variants have diversified. We can see a pretty significant relative spike in traffic to this host today:

[Image: Pattern one downloads]

Here is a list of hosts seen in both campaigns:

Post Data

The data sent back to the server remains consistent across both patterns.

[Image: Post DATA]
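The download URI from the Pattern 1 entry point, the /apache_handler.php POST URI that both patterns report back to, and the two sample hashes from the table give a proxy-log analyst something concrete to look for. The block below is an added example, not the post's own tooling: it tags proxy events that hit either indicator, raises a client to high confidence when a payload fetch is followed by a check-in within a short window, and matches file hashes against the two samples. The log format, the placeholder hostnames, the client addresses and the 10-minute window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the post: the Pattern 1 download URI and the
# check-in URI that both patterns POST to.
DOWNLOAD_RE = re.compile(r"/g766d4ft\?rRffpf=NrdcbOsmH$")
CHECKIN_PATH = "/apache_handler.php"

# MD5 and SHA1 of the two DLL samples from the post, lower-cased for lookup.
KNOWN_HASHES = {
    "9b3de41f4106963a50e9af2566912451": "odin pattern 1 (MD5)",
    "7bba55f6a117d8c5cfd0d41a5c1ecfa6136bb092": "odin pattern 1 (SHA1)",
    "27dffcff609aaf6cfabf0304b52dfb74": "odin pattern 2 (MD5)",
    "7b1e0ed52b2d801b6f8e346d9cdaebe885b99946": "odin pattern 2 (SHA1)",
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Hostnames are placeholders, not the hosts named in the post.
SAMPLE_LOG = """\
2016-09-26T10:15:02 10.0.0.5 GET http://host-a.invalid/g766d4ft?rRffpf=NrdcbOsmH 200
2016-09-26T10:15:09 10.0.0.5 POST http://host-b.invalid/apache_handler.php 200
2016-09-26T10:16:40 10.0.0.7 GET http://intranet.invalid/index.html 200
2016-09-26T11:02:13 10.0.0.9 POST http://host-c.invalid/apache_handler.php 200
"""


def parse_line(line):
    """Split one log line into its fields, keeping path plus query as the URI."""
    ts, client, method, url, _status = line.split()
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "uri": uri}


def tag_event(ev):
    """Label a parsed event with the Odin indicator it matches, if any."""
    if ev["method"] == "GET" and DOWNLOAD_RE.search(ev["uri"]):
        return "download"
    if ev["method"] == "POST" and ev["uri"] == CHECKIN_PATH:
        return "checkin"
    return None


def scan(log_text, window=timedelta(minutes=10)):
    """Return {client: verdict} for every client that touched an indicator."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = tag_event(ev)
        if tag:
            events[ev["client"]].append((ev["ts"], tag))
    verdicts = {}
    for client, evs in events.items():
        evs.sort()
        downloads = [ts for ts, t in evs if t == "download"]
        checkins = [ts for ts, t in evs if t == "checkin"]
        # A fetch of the DLL followed by a check-in is the full infection sequence.
        if any(timedelta(0) <= (c - d) <= window for d in downloads for c in checkins):
            verdicts[client] = "high: payload fetch followed by check-in"
        elif checkins:
            verdicts[client] = "medium: check-in URI only"
        else:
            verdicts[client] = "medium: download URI only"
    return verdicts


def match_hash(digest):
    """Return the sample label for a known MD5/SHA1, or None."""
    return KNOWN_HASHES.get(digest.strip().lower())


if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG).items():
        print(client, verdict)
    print(match_hash("9B3DE41F4106963A50E9AF2566912451"))
```

The check-in URI on its own is only a medium-confidence signal because /apache_handler.php is a generic-looking path; the download URI is specific to the Pattern 1 entry point, and the post notes that newer variants have already diversified their hosts, so the path and query string, not the hostname, are what the rule keys on.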

File Renaming

Odin gets its name from the ‘.odin’ file extension it gives encrypted files. The files are renamed in a fashion similar to:

  • A8ZR6SLDQ-3F13-ZPWJ-1294-628827AB1E32.odin

Where ‘A8ZR6SLDQ-3F13-ZPWJ’ is a unique identifier for your infection.
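Because the first three dash-separated groups identify the infection, a responder can use the renamed files on a share to tell how many distinct infections touched it and which directories each reached. The block below is an added example, not the post's code; the group widths in the regex are read off the single example filename above and are an assumption, as is the constructed directory listing.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Renamed-file shape from the post's example. The first three groups form the
# infection identifier; the remaining widths are assumed from that one example.
ODIN_NAME = re.compile(
    r"^(?P<infection>[A-Z0-9]+-[A-Z0-9]{4}-[A-Z0-9]{4})-[A-Z0-9]{4}-[A-F0-9]{12}\.odin$"
)

# Constructed listing of a file share after two separate infections hit it.
SAMPLE_LISTING = [
    "/share/finance/A8ZR6SLDQ-3F13-ZPWJ-1294-628827AB1E32.odin",
    "/share/finance/A8ZR6SLDQ-3F13-ZPWJ-0F21-1A2B3C4D5E6F.odin",
    "/share/hr/A8ZR6SLDQ-3F13-ZPWJ-77AB-DEADBEEF0001.odin",
    "/share/hr/Q7MN2KLPX-91AA-BCDE-0001-0123456789AB.odin",
    "/share/hr/payroll.xlsx",
]


def infection_id(filename):
    """Return the infection identifier encoded in an Odin-renamed file, or None."""
    m = ODIN_NAME.match(filename)
    return m.group("infection") if m else None


def infection_summary(paths):
    """Group encrypted files by infection id: {id: {"count": n, "dirs": [...]}}."""
    summary = defaultdict(lambda: {"count": 0, "dirs": set()})
    for p in paths:
        path = PurePosixPath(p)
        ident = infection_id(path.name)
        if ident is None:
            continue
        summary[ident]["count"] += 1
        summary[ident]["dirs"].add(str(path.parent))
    return {k: {"count": v["count"], "dirs": sorted(v["dirs"])}
            for k, v in summary.items()}


if __name__ == "__main__":
    for ident, info in infection_summary(SAMPLE_LISTING).items():
        print(ident, info)
```

Two identifiers on one share means two infected workstations wrote to it, which matters for scoping: each needs its own clean-up, and a single ransom payment would only cover one of them.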

Notification

After infection, the patterns are again slightly different, but both redirect to the same payment page.

[Image: Notification]

Payment Page

Payment pages are the same, but the prices are not. In the two samples below, one demands 1.5 BTC while the other demands just 0.5 BTC. Other samples floating around are upwards of 3.0 BTC.

[Image: Capitalism?]

 
