The "deadliest" strain of Locky yet

Monday, October 23, 2017

With flu season beginning this month, no one wants to hear that a new strain of the flu is spreading. Network defenders will be equally unhappy to hear that Locky ransomware has evolved yet again. This time, however, the threat actors decided to add a darker theme to the code.

Threat actors have been sending multiple phishing emails with financial-themed subjects, although these do not appear to be targeted. Embedded in the body of the message was a .7z archive encoded in base64, containing a malicious VBScript that delivers Locky or Trickbot based on the location of the host. The base64 encoding is likely due to a failure of the email distribution system used by the attackers. This VBScript is a variation of the standard downloader scripts used in the past. What makes this script different is its ability to send a confirmation to the attacker upon successful completion of the script, containing the payload URL, the Windows host OS version and a unique identifier number.

Figure 1 – POST request to the C&C server informing the threat actor of a successful infection 
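Because the archive arrived base64-encoded in the message body rather than as a regular attachment, a mail gateway that only inspects MIME parts will not see it. The triage helper below is an added example (not code from the original post): it finds line-wrapped base64 runs in a plain-text body, decodes them, and checks the first bytes against known archive signatures. The 7z signature is the one relevant to this campaign; the zip and rar signatures are included as a small generalization. The sample email body and the "archive" bytes are constructed for the demonstration and are not a real sample from the campaign.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# File signatures of archive formats that are commonly smuggled inside
# message bodies. Only the 7z entry is needed for the campaign above.
ARCHIVE_MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
}

# A base64 blob in a mail body is usually wrapped at 76 columns, so a candidate
# is a first chunk of base64 alphabet followed by further chunks on the
# immediately following lines. A blank line ends the run, which keeps ordinary
# prose after the blob ("Regards") from being glued onto it.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{4,}(?:\r?\n[A-Za-z0-9+/]{4,})*={0,2}")
MIN_B64_LEN = 64  # shorter runs cannot hold a meaningful archive


def _decode_candidate(run: str) -> Optional[bytes]:
    compact = re.sub(r"\s+", "", run)
    if len(compact) < MIN_B64_LEN:
        return None
    compact += "=" * (-len(compact) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def identify_archive(data: bytes) -> Optional[str]:
    """Return the archive type whose magic bytes open `data`, else None."""
    for name, magic in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_embedded_archives(body: str) -> List[Dict]:
    """Scan a plain-text mail body for base64 runs that decode to an archive."""
    hits = []
    for m in _B64_RUN.finditer(body):
        decoded = _decode_candidate(m.group(0))
        if decoded is None:
            continue
        kind = identify_archive(decoded)
        if kind:
            hits.append({"type": kind, "offset": m.start(), "decoded_size": len(decoded)})
    return hits


# --- constructed sample input (not a real 7z archive, just the header) ---
_FAKE_7Z = ARCHIVE_MAGIC["7z"] + b"\x00\x04" + bytes(range(64))  # 72 bytes
_B64 = base64.b64encode(_FAKE_7Z).decode("ascii")
_B64_WRAPPED = "\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))
SAMPLE_BODY = (
    "Dear customer,\n\nPlease find the invoice attached.\n\n"
    + _B64_WRAPPED
    + "\n\nRegards,\nAccounts Payable\n"
)

if __name__ == "__main__":
    for hit in find_embedded_archives(SAMPLE_BODY):
        print(f"{hit['type']} archive at body offset {hit['offset']}, "
              f"{hit['decoded_size']} bytes after decoding")
```

Anything this flags is worth detonating or quarantining before it reaches a user; a decoded blob can be written to disk with its signature-derived extension and handed to the normal attachment scanning pipeline.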

In addition to the new reporting feature added to the script, the attackers also used multiple Star Wars references to name the functions. They also inserted snippets of open-source code from the video game Cobalt in an attempt to defeat heuristic scanning of the script.

Once Locky has been deployed on a victim's machine, it quickly goes to work encrypting files, appending the .asasin extension. It attempts to hide itself by masquerading as Canon© PageComposer while it runs from the current user's Temp directory. After it has successfully encrypted the files, it displays the infamous Locky ransom message.

Figure 2 – Locky ransom note is displayed after the files have been encrypted

Fortunately, the payload URLs have been taken down, but I fully expect them to be replaced in due time.


© Malware Mayhem. Design by FCD.