Endesa ransomware hunted by SIEM

Last week was disturbing and cautious with the new ransomware which cheats users with a fake bill of the Spanish electricity company Endesa. As always and at the beginning, antimalware and malicious webfilter tools didn't detect and block this ransomware because it was unknown until then. It's “easy” to create a new malware and a new phishing campaign, and take advantage of DGA techniques to deploy ransomware jumping security controls. However, if we have a SIEM with a threat intelligent engine (Event Correlation, IDS, HIDS, etc), we can detect that something is wrong due to the mix and correlation of multiple events from different systems and tools.
In fact, this time I want to show how we detected this ransomware with the Ariolo Probe even before we knew it was a massive phishing campaign. Next we can see the three alarms we received when the SIEM warned us that something was wrong.

SIEM Alarms
Malicious website – Phishing activity
The first alarm said that an user was downloading from a Czech webserver a Java Script file inside of a ZIP file which is observed as lure in malspam campaigns. This was true as we checked into the firewall logs. The user had clicked to download the fake bill and the firewall allowed it because the endesa-clientes.com domain was unrated by webfiltering services, while today it's already as malicious website.

Phishing activity

Logs Firewall

Java Script inside a ZIP file
Client Side Exploit – Known Vulnerability – Malicious Document
The second alarm said that an user was downloading from a Italian webserver a malicious document, which was an EXE or DLL Windows file. As we can see, the Java Script inside ZIP file had redirected to another website to download an executable file called 1.exe, which maybe take advantage of a Windows vulnerability realeased in February.

Malicious Document

EXE Windows file

Anonymous channel – TOR SSL
The third alarm said that the user had connected to the EEUU with a covert SSL channel which used the anonymous Tor Network. Two domains (www.ekqcloky6as531jvixio.com and www.335efhjio6xjyzsx.net) were used against Tor Network and there is to highlight that tcp/80 has always been used to jump firewall filtering.
Once here … we couldn't track any connection, we don't know what happened after this communication. Did they steal something? Who knows. Think about it.


tor2www proxy detected
This is an example of how we can detect ransomware or whatever goes wrong regardless of whether antivirus or webfiltering are updated because the infection pattern usually is the same.
What can we do to block this kind of infection? Warning every user, awareness sessions are the best, blocking every downloaded ZIP and EXE file with a firewall, users are users and they shouldn't have administrator privileges to install applications, updating every system is mandatory, trusting in professional people is a requirement, etc, etc.
Regards my friends and remember, be careful, pay attention to your alarms and contact with professionals if you want to protect your information.