Massive HerbaLife spam campaign spreads a variant of Locky ransomware

Pierluigi Paganini September 24, 2017

Researchers spotted a new widespread ransomware campaign leveraging emails with malicious attachments using Herbalife branded messages.

Researchers at security firm Barracuda have spotted a new widespread ransomware campaign leveraging emails with malicious attachments, some of them pretend to be sent by the l multi-level marketing nutrition company Herbalife.

More than 20 million Herbalife branded emails were sent in a 24 hour period, since then, crooks sent out messages at a rate of about two million attacks per hour.

Most of the messages are sent from Vietnam other significant sources are India, Columbia, and Turkey and Greece.

“The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam.  Other significant sources of this attack include India, Columbia, and Turkey and Greece.  Other countries appear to be distributing the same attack in very low volumes.” reads the analysis published by Barracuda.  “So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.”

HerbaLife spam

The attackers are using a Locky variant with a single identifier to track the infections.

“Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor,” continues the analysis. “In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.”

The email attachment claims to be an invoice for an order placed through the company Herbalife. If the user opens the file, it will launch the ransomware dropper.

Attackers are also observing attachments that claim to impersonate invoicing from  The researchers are also seeing other variants of the malicious emails that have appeared claiming to be a “copier” file delivery.

Barracuda researchers are now seeing also a wrapper in this campaign that impersonates a voicemail message, using the subject line “New voice message [phone number] in mailbox [phone number] from [“phone number”] [<alt phone number>].”>].”

Researchers detected at least 6,000 different versions of the malicious script used by the attackers, a circumstance that suggests crooks are randomizing a portion of the attack code to avoid detection.

“There have been approximately 6,000 fingerprints, which tells us that these attacks are being automatically generated using a template that randomizes parts of the files.  The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead anti-virus engines.” continues the blog post.

The payloads delivered by the malicious emails and the domains used to host the second stage malware that infects the victim’s computer changed multiple times since the start of the ransomware campaign.

The researchers noted the attack code is checking the language files on a victim’s computer, suggesting the attackers are ready to target users worldwide.

All the messages come from a spoofed domain, making it appear as legitimate, give a look at the report for Indicators of Compromise (IoCs).

Due to the targets of the campaign experts believe the threat actors are primarily financially motivated,

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Herbalife, Locky ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment