Bulk spam campaign for Dalexis+CTB-Locker


In the last few days a bulk spam campaign has been detected distributing the Dalexis malware downloader. Below these lines you will find a screenshot taken from one of the spam mails.

Email attached files are compressed files with the extensions .zip or .cab. Within them there is a .scr file which, once executed, will display one of the following documents:

  • Document 1
  • Document 2
  • Document 3
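The attachment pattern described above (a .zip or .cab archive carrying a .scr executable that poses as a document) is simple to check for at the mail gateway. The following is an added example, not code from the original post or from S21sec: it opens zip attachments in memory and flags any member with an executable extension, recognises CAB attachments by their magic bytes and hands them off (Python's standard library has no CAB reader), and uses a constructed sample archive so it runs offline. The extension list and the finding messages are assumptions for the example.

```python
import io
import os
import zipfile

# Extensions that a document-looking attachment should never carry (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
CAB_MAGIC = b"MSCF"  # first four bytes of a Microsoft cabinet file


def inspect_attachment(filename, data):
    """Return a list of findings for one mail attachment (empty list = nothing found).

    Zip archives are opened in memory and every member's extension is checked,
    so 'invoice.pdf.scr' inside 'invoice.zip' is caught. CAB archives are only
    recognised here, not unpacked, and routed to a sandbox instead.
    """
    findings = []
    ext = os.path.splitext(filename)[1].lower()

    if ext in EXECUTABLE_EXTS:
        findings.append(f"bare executable attachment: {filename}")
        return findings

    if data.startswith(CAB_MAGIC) or ext == ".cab":
        findings.append(f"CAB archive {filename}: not unpacked here, send to sandbox")
        return findings

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_ext = os.path.splitext(info.filename)[1].lower()
                if member_ext in EXECUTABLE_EXTS:
                    findings.append(
                        f"archive {filename} contains executable member {info.filename}"
                    )
    return findings


def build_sample_zip(member_name):
    """Constructed sample: an in-memory zip holding one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"not a real program, just sample bytes")
    return buf.getvalue()


if __name__ == "__main__":
    # A lure archive as used in this campaign versus a benign one.
    for name, member in [("invoice.zip", "invoice.pdf.scr"), ("report.zip", "report.pdf")]:
        print(name, inspect_attachment(name, build_sample_zip(member)))
    print("doc.cab", inspect_attachment("doc.cab", CAB_MAGIC + b"\x00" * 32))
```

Checking member extensions rather than the archive's own name is the point: the outer .zip looks harmless, and the double extension on the inner file is what makes the .scr pass as a document to a user.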

This downloader is linked to the CTB-Locker ransomware. This crypto-malware ciphers files based on their extension, including: pdf, xls, ppt, txt, py, wb2, jpg, odb, dbf, md, js and pl. It is able to cipher files located both on local and on mapped drives.

Once file ciphering is completed the following ransom message is shown:

The message is localised depending on the victim's location. Available languages are: French, English, Italian, German and Dutch. The cybercriminals include additional information to guide the victim through the steps needed to pay the ransom.

The ransomware download is performed through a TOR request via a gateway, attempting to evade AV tools and proxies. Furthermore, the downloaded file is itself ciphered and is deciphered by the downloader in order to run it.

So far we have seen the following URLs within Dalexis samples:

  • hxxp[s]://voigt-its.de/fit/pack.tar.gz
  • hxxp[s]://scolapedia.org/histoiredesarts/pack.tar.gz
  • hxxp[s]://pleiade.asso.fr/piwigotest/pack.tar.gz
  • hxxp[s]://maisondessources.com/assets/pack.tar.gz
  • hxxp[s]://jbmsystem.fr/jb/pack.tar.gz
  • hxxp[s]://breteau-photographe.com/tmp/pack.tar.gz
  • hxxp[s]://www.cpeconsultores.com/tmp/pack.tar.gz
  • hxxp[s]://siestahealthtrack.com/media/pack.tar.gz
  • hxxp[s]://peche-sportive-martinique.com/wp-includes/pack.tar.gz
  • hxxp[s]://microneedle.com/menu_files/pack.tar.gz
  • hxxp[s]://hotel-mas-saint-joseph.com/css/pack.tar.gz
  • hxxp[s]://springtree.cba.pl/modules/cario.tar.gz
  • hxxp[s]://smartoptionsinc.com/data-test/nero.tar.gz
  • hxxp[s]://ppc.cba.pl/cache/nero.tar.gz
  • hxxp[s]://mmadolec.ipower.com/me/cario.tar.gz
  • hxxp[s]://masterbranditalia.com/downloader/cario.tar.gz
  • hxxp[s]://integritysites.net/files/nero.tar.gz
  • hxxp[s]://evalero.com/img/cario.tar.gz
  • hxxp[s]://compassfx.com/OLD/cario.tar.gz
  • hxxp[s]://collection-opus.fr/_gfx/cario.tar.gz
  • hxxp[s]://cargol.cat/IESABP/nero.tar.gz
  • hxxp[s]://bikeceuta.com/templates/nero.tar.gz
  • hxxp[s]://www.lamas.si/picture_library/upupup.tar.gz
  • hxxp[s]://wcicinc.org/flv/dostanes_do_drzky.tar.gz
  • hxxp[s]://thinkonthis.net/style/dostanes_do_drzky.tar.gz
  • hxxp[s]://stmarys-andover.org.uk/audio_files/upupup.tar.gz
  • hxxp[s]://sp107.home.pl/logs/dostanes_do_drzky.tar.gz
  • hxxp[s]://ohayons.com/dostanes_do_drzky.tar.gz
  • hxxp[s]://fotocb.de/php/upupup.tar.gz
  • hxxp[s]://dequinnzangersborne.nl/language/upupup.tar.gz
  • hxxp[s]://dariocasati.it/logs/dostanes_do_drzky.tar.gz
  • hxxp[s]://thomasottogalli.com/webtest/sancho.tar.gz
  • hxxp[s]://ourtrainingacademy.com/LeadingRE/sancho.tar.gz
  • hxxp[s]://m-a-metare.fr/media/sancho.tar.gz
  • hxxp[s]://locamat-antilles.com/memo/sancho.tar.gz
  • hxxp[s]://joefel.com/easyscripts/sancho.tar.gz
  • hxxp[s]://cds-chartreuse.fr/locales/sancho.tar.gz

File recovery

CTB-Locker uses a custom elliptic-curve-based ciphering algorithm, which guarantees that the files are irrecoverable without the proper key.


As usual, prevention is the best countermeasure. Avoid opening unsolicited e-mail attachments and implement a proper privilege policy for network shares.

In addition, you can mitigate the problem by blocking the Dalexis URLs, thus preventing the CTB-Locker download. S21sec's Automatic Malware Analysis Platform analyzes tens of thousands of samples daily. Information gathered from the analyzed samples is fed into the Lookwise Threat Intelligence solution, which companies can use for threat detection in their internal networks.
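The URL list above and the blocking advice in this paragraph can be turned into a proxy-log check with little effort. The following is an added example, not code from the original post or from S21sec: it refangs the hxxp[s] indicators, builds exact (host, path) pairs, a host set and a set of payload file names, and scans constructed proxy log lines. A subset of the post's URLs is embedded so it runs offline; the full list can be pasted in unchanged. The log line format, the match priorities and the sample client addresses are assumptions for the example. Because the payload names (pack.tar.gz, cario.tar.gz, nero.tar.gz, ...) are reused across many compromised hosts, a file-name match on an unlisted host is reported as a weaker hit worth investigating rather than ignored.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged download URLs listed in the post.
DALEXIS_URLS = """
hxxp[s]://voigt-its.de/fit/pack.tar.gz
hxxp[s]://springtree.cba.pl/modules/cario.tar.gz
hxxp[s]://smartoptionsinc.com/data-test/nero.tar.gz
hxxp[s]://wcicinc.org/flv/dostanes_do_drzky.tar.gz
"""


def refang(indicator):
    """Strip the defanged scheme ('hxxp[s]://', 'hxxp://', 'hxxps://') so the
    indicator becomes 'host/path'."""
    return re.sub(r"^hxxps?(\[s\])?://", "", indicator.strip(), flags=re.IGNORECASE)


def load_indicators(text):
    """Build three lookup sets: exact (host, path) pairs, hosts alone, and the
    payload file names the campaign reuses across compromised hosts."""
    exact, hosts, filenames = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, path = refang(line).partition("/")
        host = host.lower()
        exact.add((host, "/" + path))
        hosts.add(host)
        filenames.add(path.rsplit("/", 1)[-1])
    return {"exact": exact, "hosts": hosts, "filenames": filenames}


def classify(url, ind):
    """Return the strongest kind of indicator match for one requested URL, or None.
    Priority: exact URL > reused payload file name > listed host only."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if (host, path) in ind["exact"]:
        return "exact"
    if path.rsplit("/", 1)[-1] in ind["filenames"]:
        return "filename"
    if host in ind["hosts"]:
        return "host"
    return None


def match_log(log_text, ind):
    """Scan proxy log lines of the constructed form
    '<epoch> <client_ip> <method> <url> <status>' and return the hits in order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, status = fields[:5]
        kind = classify(url, ind)
        if kind:
            hits.append({"client": client, "url": url, "match": kind, "status": status})
    return hits


# Constructed proxy log: one exact hit, one clean request, one reused payload
# name on an unlisted host, and one unrelated path on a listed host.
SAMPLE_LOG = """\
1423000001 10.0.0.15 GET http://voigt-its.de/fit/pack.tar.gz 200
1423000002 10.0.0.22 GET https://www.example.com/index.html 200
1423000003 10.0.0.31 GET http://other-host.example/uploads/cario.tar.gz 200
1423000004 10.0.0.15 GET http://voigt-its.de/fit/readme.txt 404
"""

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_indicators(DALEXIS_URLS)):
        print(f"{hit['match']:8} {hit['client']:10} {hit['status']} {hit['url']}")
```

The "host" match is deliberately the weakest: the listed hosts are compromised legitimate websites, so traffic to them is not proof of infection on its own, whereas an exact URL hit from a client is a strong reason to isolate that machine before the downloaded archive is deciphered and run.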

