Sage and Locky, two distinct pieces of ransomware, have been found to be using overlapping infrastructure—a reminder of how malware support and distribution infrastructure is frequently reused.
According to PhishMe, the distribution of Locky and Sage from a single location also indicates that threat actors are adopting newer ransomware varieties such as Sage while continuing to rely on standbys like Locky. It is further evidence of the commodity status of these tools: the same delivery attributes and infrastructure are used to distribute distinct malware families, with equal effectiveness for each.
Sage made notable appearances on the phishing threat landscape in the early days of 2017, according to PhishMe researchers. The first Sage delivery emails used a sexually explicit lure to tempt potential victims into opening an attachment named “sindy_hot_2016_sex_party_in_the_club.zip”. But the threat actors distributing Sage soon wised up.
“Following this early distribution, threat actors moved toward the mainstream in a major way,” said PhishMe researchers, in a blog. “The phishing email subjects used random numbers to help elude some basic filters and leveraged business-related themes rather than explicit or racy narratives. The body of these emails explained that a financial transaction had been rejected and claimed that details about the failure could be found [in] an attached document. A second variant indicated that the deposit of a refund had failed after an order had been canceled.”
Then, beginning on January 26, the narratives and metadata of these emails began to resemble those of the phishing campaigns delivering the still-active Locky ransomware.
“The most interesting finding was the reuse of affections[.]top as part of the delivery process for another ransomware,” the researchers noted. “Locky, one of the flagships of the ransomware market, was delivered as a payload from this domain on Monday, January 30. This connection pushes the narrative forward in yet another way as the Locky distribution in question was yet another example of that ransomware being paired with the Kovter trojan. This also serves to counter some of the claims that have been made about Locky ‘missing’ from the threat landscape by showing that some threat actors, who choose a different set of tactics, techniques and procedures, are continuing to deliver this ransomware utility.”
There’s at least one good aspect to this development: shared infrastructure yields a high-fidelity indicator of compromise. Blocking the domain preemptively foils the delivery of multiple ransomware varieties at once. The caveat is that a single domain is cheap for the actors to replace, so the block should be paired with a retrospective sweep of proxy and DNS logs for hosts that already reached it.
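The following Python is an added example, not code from PhishMe or from the article. It takes the delivery domain named above in the defanged form analysts publish it, refangs it, and sweeps constructed proxy and DNS log lines for clients that contacted the domain or any of its subdomains. The log formats, client addresses and the lookalike hostnames are assumptions made for the example; only affections[.]top comes from the research.

```python
"""Sweep proxy and DNS logs for a shared ransomware delivery domain.

Added example. The indicator affections[.]top is the domain named in the
PhishMe research; every log line below is constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicator as published, defanged so it cannot be clicked by accident.
DEFANGED_IOC = "affections[.]top"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain or a subdomain of it.

    A trailing dot (absolute DNS name) is tolerated. Lookalikes such as
    'notaffections.top' or 'affections.top.evil.example' do not match.
    """
    h = host.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


# Assumed line shapes: a minimal proxy log (ts client method url status) and a
# dnsmasq-style query line. Real deployments would swap in their own formats.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
DNS_RE = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\d+\.\d+\.\d+\.\d+)"
)


def extract(line: str):
    """Return (client, host) from a proxy or DNS line, or None if it is neither."""
    m = PROXY_RE.match(line)
    if m:
        host = urlsplit(m.group("url")).hostname
        return (m.group("client"), host) if host else None
    m = DNS_RE.search(line)
    if m:
        return (m.group("client"), m.group("qname"))
    return None


def scan(lines, defanged_ioc: str = DEFANGED_IOC) -> dict:
    """Map each client that touched the IOC domain to the hostnames it contacted."""
    ioc = refang(defanged_ioc)
    hits: dict = {}
    for line in lines:
        parsed = extract(line)
        if parsed is None:
            continue
        client, host = parsed
        if host_matches(host, ioc):
            hits.setdefault(client, set()).add(host.lower().rstrip("."))
    return hits


# Constructed sample log lines, including two lookalikes that must not match.
SAMPLE_LOGS = [
    "1485777600.123 10.0.0.5 GET http://affections.top/dl/file.php 200",
    "1485777605.456 10.0.0.5 GET http://cdn.affections.top/x.exe 200",
    "1485777610.789 10.0.0.9 GET http://notaffections.top/index.html 200",
    "1485777612.000 10.0.0.9 GET https://example.com/ 200",
    "Jan 30 10:12:01 gw dnsmasq[1234]: query[A] affections.top from 10.0.0.7",
    "Jan 30 10:12:02 gw dnsmasq[1234]: query[A] affections.top.evil.example from 10.0.0.8",
    "Jan 30 10:12:03 gw dnsmasq[1234]: query[AAAA] www.affections.top. from 10.0.0.7",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for client, hosts in sorted(scan(SAMPLE_LOGS).items()):
        print(client, sorted(hosts))
```

Matching on the registrable domain plus subdomains, rather than on a substring, is what keeps the indicator high-fidelity: a substring match would flag `notaffections.top` and miss nothing but would also generate noise, while an exact match would miss a subdomain used for the payload host.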