SecurityWeek

Locky Ransomware Sheds Downloaders in Favor of JavaScript

Locky, one of the top ransomware families currently haunting users around the world, has upgraded its distribution mechanism, and is now spread embedded in JavaScript files attached to spam emails.

The ransomware has been using JavaScript attachments for distribution purposes for several months now, but these malicious files were dropping downloaders onto the compromised systems, and not the Locky binary itself. That changed last week, when a new wave of malicious emails began dropping Locky directly.

According to CYREN researchers, the spam emails in this campaign used the subject line “Invoice,” which is standard for malware distribution runs. The researchers also observed that the attachments followed the same filename format used in previous Locky attacks.

What changed was the size of the attached .ZIP file, which was more than 250KB larger than previous Locky-associated malicious attachments. As before, however, the .ZIP archive contains a JavaScript file that uses the same obfuscation found in the previous Locky downloader script variants.

Loading the JavaScript into an editor “also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods. Even the binary decryption routine is still included in this variant,” CYREN researchers say.

Unlike previous variants, this one contains a set of large arrays concatenated together. This large array variable is where the encrypted Locky ransomware binary is stored. Before being executed, the binary is decrypted and saved to disk.
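A defender-side heuristic for the obfuscation pattern described above (string chunks concatenated at runtime to hide ActiveXObject names, and a large array of literals holding the embedded payload), added here as an example and not code from the article or from CYREN: it constant-folds literal concatenations and simple variable chains so that hidden indicator strings become visible, and estimates the embedded payload size from array literals. The sample script, the indicator list and the 250KB threshold are constructed assumptions for the demonstration.

```python
import re

# Constructed sample in the style the article describes (not real Locky code):
# chunked strings concatenated at runtime, plus a large array of string
# literals standing in for the embedded encrypted payload.
SAMPLE_JS = (
    'var k1 = "Act"; var k2 = "iveX"; var k3 = "Obj" + "ect";\n'
    'var ax = k1 + k2 + k3;\n'
    'var chunks = ["' + '", "'.join(["QUJDREVG"] * 40000) + '"];\n'
    'var sh = new this[ax]("WSc" + "ript.Shell");\n'
)

INDICATORS = ("ActiveXObject", "WScript.Shell")  # assumed list for this example
LIT_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
VAR_DEF = re.compile(r'\bvar\s+(\w+)\s*=\s*([^;]+);')
TERM = re.compile(r'"([^"\\]*)"|(\w+)')
STR_LIT = re.compile(r'"([^"\\]*)"')
ARRAY = re.compile(r'\[([^\]]*)\]')

def fold_literals(js):
    # Collapse "a" + "b" chains into one literal until nothing changes.
    while True:
        folded = LIT_CONCAT.sub(r'"\1\2"', js)
        if folded == js:
            return folded
        js = folded

def resolve_vars(js):
    # Constant-fold vars built only from literals and earlier folded vars.
    consts = {}
    for name, expr in VAR_DEF.findall(js):
        if expr.lstrip().startswith("["):
            continue  # arrays are measured separately, not folded
        parts = [m.group(1) if m.group(1) is not None else consts.get(m.group(2))
                 for m in TERM.finditer(expr)]
        if parts and None not in parts:
            consts[name] = "".join(parts)
    return consts

def embedded_literal_bytes(js):
    # Total bytes of string literals inside array literals: a payload estimate.
    return sum(len(s) for body in ARRAY.findall(js) for s in STR_LIT.findall(body))

def scan(js, payload_threshold=250 * 1024):
    folded = fold_literals(js)
    haystack = folded + "\n" + "\n".join(resolve_vars(folded).values())
    size = embedded_literal_bytes(js)
    return {"resolved_indicators": [i for i in INDICATORS if i in haystack],
            "embedded_bytes": size, "large_embedded_payload": size > payload_threshold}
```

A plain substring search for "ActiveXObject" on the raw sample finds nothing; only after folding does the name appear, which is the point of the obfuscation.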

Other malware authors have been embedding their malicious programs into scripts for a long time, so it is not much of a surprise that Locky has adopted this technique as well. Previously, however, the ransomware was observed preferring malicious macros in Office documents distributed via large spam runs powered by the Necurs botnet. It also started using JavaScript a while ago, but only to embed the downloader, and it was also being distributed via the Nuclear exploit kit.

The decryption of the binary is signaled by a significant surge in CPU usage from wscript.exe. After decryption, the executable is saved in the Temp directory under a filename that is hardcoded in the JavaScript, although it appears random. The ransomware is then executed with the argument “321”.
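A matching endpoint-side check for the execution chain just described, added here as an example and not code from the article: it flags process-creation events whose parent is wscript.exe, whose image lives under a Temp directory, and whose command line carries the argument 321. The events, their field names and the file names are constructed assumptions in a Sysmon/EDR-like JSON shape.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry); the field names
# are an assumption modelled on common EDR/Sysmon-style JSON exports.
EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\aD3kQ9x.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\aD3kQ9x.exe" 321'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Editor\editor.exe",
     "command_line": r'"C:\Program Files\Editor\editor.exe" notes.txt'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe readme.txt"},
]

# Split a Windows command line into tokens, keeping quoted paths whole.
ARG_RE = re.compile(r'"[^"]*"|\S+')

def in_temp_dir(path):
    # Case-insensitive check for a Temp/Tmp component anywhere in the path.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts or "tmp" in parts

def matches_locky_js_launch(ev):
    # Pattern from the article: wscript.exe drops the decrypted binary into
    # Temp and launches it with the argument "321".
    parent_is_wscript = PureWindowsPath(ev["parent_image"]).name.lower() == "wscript.exe"
    args = ARG_RE.findall(ev["command_line"])[1:]  # drop argv[0]
    return parent_is_wscript and in_temp_dir(ev["image"]) and "321" in args

def find_suspicious(events):
    # Return the image paths of events that match all three conditions.
    return [ev["image"] for ev in events if matches_locky_js_launch(ev)]
```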

This Locky variant appends the .zepto extension to encrypted files, and it was previously considered a separate ransomware version. According to CYREN researchers, the malware authors made only a few changes to the ransomware’s code to switch to the new file extension.

As soon as the encryption process has been completed, Locky replaces the desktop background wallpaper with the ransom note and opens the ransom instructions page that it previously dropped on the user’s desktop. The Tor links provided to the victim direct them to the Locky Decryptor page.

“As always, we highly advise end users to avoid opening executable attachments from untrusted sources, and to deploy web gateway security capable of detecting (and stopping) such attacks. Businesses can ultimately contribute to reducing the economic payoff calculation for the cybercriminals and, at the same time, defend their organization,” researchers say.
