Pierluigi Paganini
July 28, 2016
Locky is one of the most infamous threats of the ransomware family and according to the experts it is in continuous evolution.
The threat has been using JavaScript attachments as a distribution mechanism, but most recent variants were delivering downloaders onto the victims’ machines instead the Locky binary itself.
Something is changed once again last week when a new campaign was observed spreading the Locky binary directly, its code in fact was embedded into scripts.
The security experts from CYREN firm revealed that the new spam campaign leverages on malicious emails using subject line “Invoice” and the same filename format for the attachments used in previous Locky attacks.
The attachment used in the last campaign is larger respect the ones used in the previous, the attackers are using a JavaScript file that implements the same obfuscation mechanism seen in the past.
“A new wave of Locky malware emails have been making the rounds since yesterday — July 20, 2016 — with a critical new development, whereby the Windows executable is now embedded in JavaScript. Essentially, the attached JavaScript file has evolved from being a downloader component into becoming the actual ransomware. These JavaScript variants were detected (and blocked) by CYREN as dropper trojans named JS/LockyDrop.A and JS/LockyDrop.A!Eldorado.” reads the analysis published by CYREN.
The analysis of the JavaScript revealed the existence of numerous variables that contain chunks of strings that are concatenated at runtime to compose the malicious code.
“Loading the JavaScript into an editor shows the same familiar obfuscation found in the previous Locky downloader script variants.” continues the analysis.
“It also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods.”
The encrypted Locky ransomware binary is stored in a set of large arrays, at runtime is it decrypted and saved to disk. When the ransomware binary is decrypted it is possible to notice a significant surge in CPU usage from wscript.exe.
In previous campaigns, the experts only noticed the use of scripts as a container for the downloader, instead the malicious code itself.
Once decrypted, this new Locky variant is saved in the Temp directory with a random filename hardcoded in the JavaScript, then the threat is executed with an argument of “321”.
When the ransomware encrypts files, it appends the .zepto file extension, the IT Security expert Antonio Cocomazzi analyzed for SecurityAffairs a past variant with similar features.
“There have been other reports identifying this Locky ransomware variant as Zepto Ransomware, however, upon close inspection of the malware body, we found that there were just a few changes in the Locky code showing the change in file extension used. CYREN detects the dropped ransomware components as W32/Locky.AN.gen!Eldorado.” states the analysis published by CYREN.
When the encryption process has been completed, Locky replaces the desktop background image with the ransom note and opens the ransom instructions page. Also in this case victims are provided Tor links to the payment of the ransom.
When dealing with ransomware it is important to follow a few suggestions also shared by the ‘NO More Ransom’ initiative launched by the Europol and a number of IT security firms.
[adrotate banner=”9″]
(Security Affairs – Locky Ransomware, Zepto ransomware)
