Following a couple of weeks of relative silence, the Locky ransomware appears ready to storm unprotected computers once again, with a new infection campaign observed on Tuesday, the same day that the Necurs botnet became active once again.
Necurs suffered an outage on June 1, and researchers at Anubis Networks, who have been monitoring it for nearly a year, revealed a week later that the botnet was comprised of nearly 1.1 million hosts. Researchers couldn’t estimate the botnet’s size until it went down, and it appears that their final estimate might have been off as well: Necurs operates around 1.7 million computers distributed in 7 different botnets, MalwareTech now says.
Given its size, it’s no wonder that the botnet was able to power the Dridex and Locky infection campaigns, which were some of the largest ever, with hundreds of millions of messages sent to potential victims. Researchers were already aware of a connection between Necurs, Dridex and Locky, but it wasn’t until the outage that they understood the critical role the botnet was playing in the distribution of the two pieces of malware.
What hasn’t been detailed as of now, however, is why Necurs, a peer-to-peer (P2P) hybrid botnet leveraging Domain Generation Algorithm (DGA) to enable bots find a new command and control (C&C) when one went offline, suffered a sudden outage, and why the downtime affected all seven botnets. Some suggest that the recent 50 arrests in Russia connected to the Lurk banking Trojan might have impacted the Necurs operators too, but nothing is confirmed.
According to MalwareTech, however, it’s rather interesting to note that, while Lurk is a Trojan used in attacks against Russian banks, the Necurs Trojan explicitly avoids infecting computers with a Russian language pack present. All of the 1.7 million bots operated by Necurs are located outside Russia, the distribution map shows.
What is certain, however, is that Necurs is back and the first new Locky distribution campaign is already underway. Several days after the botnet went down, Dridex and Locky operators attempted to resume distribution via other channels, but at a much lower level. Additionally, with both Necurs and Locky resuming activity at the same time, it’s even clearer that the two are tightly connected.
As soon as the Necurs C&Cs came back online, the botnet started to deliver an old Locky sample in the initial spam emails, MalwareTech reveals. The researcher suggests that this happened because the C&Cs are proxy servers for a hidden backend server and that the botnet resumed a previous spam run that was unfinished when the outage occurred. Starting with June 19, the C&C servers have been reliably online, suggesting that the Necurs operators are once again in full control of the botnet.
Researchers at Proofpoint also observed the new multi-million message Locky email campaign and say that it is connected to Necurs’ revival. Moreover, they explain that the Locky sample delivered as part of the new campaign packs a series of anti-sandboxing and evasion techniques that were initially introduced just before the outage.
According to Proofpoint, Locky is now capable of detecting virtual environments by comparing the number of CPU cycles that it takes to execute certain Windows APIs (it takes more cycles in virtualized environments). They also observed that the ransomware is now executed from JavaScript with an argument that is used as part of its runtime obfuscation. The malware also makes the manual analysis of memory dumps more difficult by employing a method of cross-module execution.
Although the new Locky distribution run involved millions of spam messages, the campaign was only 10% the size of campaigns observed before the Necurs outage. The campaign was the largest seen over the past three weeks, but researchers expect even larger runs to pop up soon, and say that some of them will certainly involve Dridex. A second Locky distribution campaign is already ongoing for two days, the researchers say.
Other researchers also noticed that a new Locky spam campaign was underway in the beginning of the week, and that the attackers were using JavaScript to deliver their malicious payload. According to security researcher malcat, the new campaign stood in the crowd because attackers used several layers of obfuscation to ensure that the malicious payload can bypass detection systems.
The attackers went to great lengths to make their code unreadable, and they even heavily obfuscated calls to various objects by making references to them appear as string values assigned to variables. Locky authors also used obfuscation layers such as a character substitution cipher, character removal, XORing, and reversing the file, features that have been recently observed in another piece of malware, Nemucod, the researcher explains.
The same as Nemucod authors, the people behind Locky applied these obfuscation techniques to keep the payload transfer over the network hidden and bypass security solutions capable of analyzing traffic to prevent infections. What’s yet unclear is if there is a connection between Locky and Nemucod, given that both started using this obfuscation method at the same time.
Related: Exploit Kit Activity Down 96% Since April