New Locky Ransomware variant uses DLLs for distribution

Pierluigi Paganini August 27, 2016

A new Locky Ransomware variant has been spotted by researchers at Cyren, it uses DLLs for distribution.

The Locky Ransomware is one of the most popular threats since its first detection in the wild early 2016. The ransomware has evolved over the time, crooks have improved it adding new evasion detection features and changing the distribution methods.

Security experts observe the implementation of sophisticated sandbox evasion techniques, they documented a new strain of the malware that used a new extension (aka Zepto variant) for the encrypted files meanwhile another version was able to use of offline encryption.

When it first appeared in the threat landscape, Locky was leveraging on documents for its distribution, later it used malicious macros, JavaScript attachments and also Windows script (WSF) files.

Recently, experts from the security firm Cyren discovered a new variant that added a supplementary layer of obfuscation to its downloader script. The new strain of Locky is delivered via spam campaigns, each malicious email includes a ZIP-archived JavaScript.

“The email being sent in this latest wave, as often before, uses business finance-related topics to lure users into opening its attachment, which is ZIP-archived JavaScript. Comparing this variant to the earlier variants, it has added another layer of obfuscation which decrypts and executes the real Locky downloader script.” states the analysis published by Cyren.

Locky ransomware new 1

The downloader script works in a way similar to other strain of the Locky ransomware, the downloaded files are decrypted and saved in the Windows Temp directory, but differently from the past, the malicious payload is DLL file instead a .EXE. The DLL library is loaded using rundll32.exe, it leverages a custom packer to prevent anti-malware scanners from detecting it.

Once it is executed, the new Locky ransomware searches for the affected system and network shares for files to encrypt, it uses the .zepto extension for locked file. When the encryption process has been completed, this variant of Locky ransomware drops and displays a ransom payment instruction page.

Researchers noticed that the .onion address provided in the ransom note directs victims to the same Locky decryptor page that has been used in previous campaigns.

“Clicking on the onion link directs the user to the same Locky Decryptor page we have seen in previous Locky waves.” closes the report.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Locky ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment