Necurs botnet now spreading the Locky Ransomware via DDE Attacks

Operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection leveraging the DDE protocol.

Security experts are continuing to observe the Locky ransomware spreading via spam campaigns that rely on the Necurs botnet. Now operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection.

One of the new techniques adopted by the crooks is the use of the Dynamic Data Exchange (DDE) protocol designed to allow data transferring between applications.

“The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.” states Microsoft.

According to experts at the security firm Sensepost, attackers have devised a method to achieve the execution of malicious code embedded in Office documents without user’s interaction by using DDE.

The DDE protocol allows an Office application to load data from another Office application, it was replaced by Microsoft with Object Linking and Embedding (OLE), but it is still supported.

The technique was implemented by several threat actors such as the FIN7 APT group in DNSMessenger malware attacks, and the operators behind the Hancitor malware campaign spotted earlier this week and detailed by Internet Storm Center (ISC) handler Brad Duncan.

According to Duncan, the recent Locky campaign used spam messages with Office documents posing as invoices. The threat actors delivered the spam messages through the Necurs botnet.

The Necurs Botnet malspam pushes Locky using DDE technique, in a first-stage of the attack the malware achieved persistence on the compromised system, in the second stage the Locky ransomware infects the system.

“I opened one of the Word documents in my lab environment and found a 1st stage malware (presumably a downloader) and a 2nd stage malware (Locky) during the infection.  Today’s diary reviews the traffic and malware.” wrote Duncan.

According to the experts at Trend Micro, The Locky ransomware was also spread by the Necurs botnet through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

Some of the recent lures observed by the experts at Trend Micro are:

• Fake voice message notifications (vishing, or the use of voice-related systems in phishingattacks)
• HTML attachments posing as invoices
• Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
• Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – Locky ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]