Phishing campaigns used victim's location to determine whether to deliver Locky or Trickbot

News by Bradley Barth

Researchers at PhishMe recently detected two email-based phishing campaigns that infected users with either Lockyransomware or the Trickbot banking trojan based on the victim's geographical location.

Researchers at PhishMe recently detected two email-based phishing campaigns that infected users with either Lockyransomware or the Trickbot banking trojan based on the victim's geographical location – a technique that the company claims is rather uncommon.

According to a company blog post published last week, the first campaign on 28 September was designed to distribute TrickBot to targets in Australia, Belgium, Ireland, Luxembourg, and the UK. All other locations received Locky. This operation was followed by another Trickbot-Locky phishing campaign on 11 October, which relied on a malicious script that had recently evolved to include a command-and-control reporting mechanism.

Both campaigns were part of a larger effort to distribute two new variants of Locky known as Ykcol and Asasin, PhishMe threat intelligence manager Brendan Griffin told SC Media. But these two examples stood apart from the other contemporaneous campaigns because of how geography dictated whether the victim received the ransomware or TrickBot instead.

The combination of two threats in one also forces security professionals at multinational organisations to execute different incident response strategies in differently affected regions, the blog post explains.

"By using different tools, attackers open up multiple fronts where network defenders and information security professionals are presented with multiple potential threats to address at the same time," explain post authors and PhishMe threat analysts Neera Desai and Victor Cornell. "Without the help of sufficient context, could create a scenario that puts network defenders at a disadvantage."

In the 28 September campaign, the phishing emails came with an attached .7z archive containing a malicious VBScript application responsible for delivering either Locky or TrickBot. The VBScript would make this determination by first querying three websites "that provide geo-IP services to determine where the target is located," the PhishMe report explains.

The 11 October campaign worked very similarly, with a couple of notable enhancements. For one, the VBScript initiated a POST request to the C&C server, in order to signal a successful infection, as well as to convey the payload URL, Windows Host OS version and a unique identifier number. Also, the VBScript included references to the side-scrolling video game Cobalt. "This was likely an attempt to defeat heuristic scanning of the code," intelligence analyst Chase Sims explains in a19 October blog post.

A previous PhishMe report described a previous Locky phishing campaign that similarly used Game of Thrones references within the VBScript. 

In a separate report last September, Trend Micro reported on another spam campaign that served up either Locky or FakeGlobe ransomware, based on an ongoing rotation between the two programs.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews