
Locky Ransomware Sheds Downloaders in Favor of JavaScript

Locky, one of the top ransomware families currently haunting users around the world, has upgraded its distribution mechanism, and is now spread embedded in JavaScript files attached to spam emails.

The ransomware has been using JavaScript attachments for distribution purposes for several months now, but these malicious files were dropping downloaders onto the compromised systems, and not the Locky binary itself. That changed last week, when a new wave of malicious emails began dropping Locky directly.

According to CYREN researchers, the spam emails in this campaign used the subject line “Invoice,” which is standard for malware distribution runs. The researchers also observed that the attachments used the same filename format seen in previous Locky attacks.

What changed was the size of the attached .ZIP file, which was more than 250KB larger than previous Locky-associated malicious attachments. As before, the .ZIP archive contains a JavaScript file that uses the same obfuscation found in the previous Locky downloader script variants.

Loading the JavaScript into an editor “also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods. Even the binary decryption routine is still included in this variant,” CYREN researchers say.

Unlike previous variants, this one contains a set of large arrays that are concatenated together at runtime. The resulting array variable is where the encrypted Locky ransomware binary is stored. Before the binary is executed, the script decrypts it and saves it to disk.
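As an added example (not CYREN's analysis tooling and not the malware itself), the following Python script performs a static triage of a JScript attachment with the traits described above: it folds the runtime string concatenations back into the COM object names they build, and it measures and extracts the numeric arrays that would hold an embedded payload. The JScript fragment it runs against is constructed for illustration; the variable names, byte values and array sizes are placeholders, and the watch list of COM ProgIDs is an assumption.

```python
import re

# Constructed JScript fragment with the traits the article describes: COM object names
# assembled from string chunks at runtime, and numeric arrays concatenated into one
# payload buffer. Names, values and sizes are placeholders, not real Locky code.
SAMPLE_JS = r'''
var a1 = "WScr"; var a2 = "ipt.Sh"; var a3 = "ell";
var b1 = "ADO" + "DB.Str" + "eam";
var c1 = "Scripting.File"; var c2 = "SystemObject";
var p0 = [0x7a, 0x11, 0x90, 0x00, 0x03, 0xc4, 0x00, 0x1f];
var p1 = [0x04, 0x00, 0xe2, 0x00, 0xff, 0xff, 0x5b, 0x00];
var payload = p0.concat(p1);
var sh = new ActiveXObject(a1 + a2 + a3);
var st = new ActiveXObject(b1);
var fso = new ActiveXObject(c1 + c2);
'''

STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
VAR_ASSIGN = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);')   # assumes ';'-terminated statements
ACTIVEX = re.compile(r'new\s+ActiveXObject\s*\(([^)]*)\)')
NUM_ARRAY = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\s\d,xXa-fA-F]*)\]')
CONCAT_CHAIN = re.compile(r'([\w$]+)\s*=\s*([\w$]+(?:\s*\.concat\(\s*[\w$]+\s*\))+)')

# COM ProgIDs commonly used by script droppers (assumed watch list, extend as needed)
KNOWN_COM_OBJECTS = {"WScript.Shell", "ADODB.Stream", "Scripting.FileSystemObject", "MSXML2.XMLHTTP"}


def split_plus(expr):
    """Split a JavaScript expression on '+' operators that sit outside string literals."""
    out, cur, quote = [], [], None
    for ch in expr:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch == "+":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def fold(expr, env, depth=0):
    """Statically evaluate a '+' chain of string literals and variables that
    themselves resolve to strings. Returns None if any piece is not resolvable."""
    if depth > 50:                      # guard against self-referential assignments
        return None
    parts = []
    for tok in split_plus(expr):
        tok = tok.strip()
        m = STRING_LIT.fullmatch(tok)
        if m:
            parts.append(m.group(1) if m.group(1) is not None else m.group(2))
        elif tok in env:
            val = fold(env[tok], env, depth + 1)
            if val is None:
                return None
            parts.append(val)
        else:
            return None
    return "".join(parts)


def extract_array_bytes(js):
    """Concatenate every numeric array literal, in source order, into raw bytes.
    In a real sample this is the ciphertext the script's own decryption routine
    turns into the executable; that routine is not reproduced here."""
    out = bytearray()
    for _, body in NUM_ARRAY.findall(js):
        for tok in body.split(","):
            tok = tok.strip()
            if tok:
                out.append(int(tok, 0) & 0xFF)
    return bytes(out)


def triage(js):
    """Summarise the script's resolved COM objects and embedded array payload."""
    env = {name: expr for name, expr in VAR_ASSIGN.findall(js)}
    names = []
    for arg in ACTIVEX.findall(js):
        val = fold(arg, env)
        names.append(val if val is not None else "<unresolved: %s>" % arg.strip())
    arrays = {name: len([e for e in body.split(",") if e.strip()])
              for name, body in NUM_ARRAY.findall(js)}
    chain = CONCAT_CHAIN.search(js)
    return {
        "activex": names,
        "known_com": sorted(n for n in names if n in KNOWN_COM_OBJECTS),
        "array_count": len(arrays),
        "array_elements": sum(arrays.values()),
        "concat_target": chain.group(1) if chain else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The regexes are deliberately narrow heuristics for the concatenation style the article describes; a sample that builds names with `String.fromCharCode`, array joins or `eval` needs the folding step extended, and the array bytes still have to go through the script's own decryption routine before any PE checks make sense.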

Other malware authors have been embedding their malicious programs in scripts for a long time, so it is not much of a surprise that Locky has adopted the technique as well. Previously, however, the ransomware preferred malicious macros in Office documents distributed in large spam runs powered by the Necurs botnet. It also started using JavaScript a while ago, but only as a downloader, and it was also being distributed via the Nuclear exploit kit.

Decryption of the binary shows up as a significant surge in CPU usage by wscript.exe, the Windows Script Host process that runs the attachment. After decryption, the executable is saved in the Temp directory under a filename that is hardcoded in the JavaScript but looks random. The ransomware is then executed with the argument “321”.
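The behaviour just described (wscript.exe writing an executable into Temp and then launching it with the argument “321”) maps directly onto file-creation and process-creation telemetry. The following Python is an added example, not a rule from CYREN or any vendor: it runs a small set of detections over constructed Sysmon-style events (Event ID 11 file creation, Event ID 1 process creation). The user name, paths and the dropped filename rndname01.exe are placeholders; treating cscript.exe as a script host alongside wscript.exe is an assumption. The “321” argument is matched only as a low-confidence extra, since it is trivial for the authors to change; the durable signal is a script host writing and then executing a binary in Temp. The CPU surge is host performance telemetry these event logs do not carry.

```python
import re

# Constructed Sysmon-style events, not a real capture: a Windows Script Host process runs
# the .js attachment, writes an executable into %TEMP% and launches it with "321".
# "rndname01.exe" stands in for the hardcoded, random-looking filename.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "' + TEMP + r'\Temp1_invoice.zip\invoice.js"'},
    {"id": 11, "Image": r"C:\Windows\System32\wscript.exe", "TargetFilename": TEMP + r"\rndname01.exe"},
    {"id": 1, "Image": TEMP + r"\rndname01.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"' + TEMP + r'\rndname01.exe" 321'},
    # benign noise: a helper in Temp launched by a downloaded installer, not by a script host
    {"id": 1, "Image": TEMP + r"\setup_helper.exe", "ParentImage": r"C:\Users\alice\Downloads\installer.exe",
     "CommandLine": '"' + TEMP + r'\setup_helper.exe" /quiet'},
    # benign noise: a script host writing a non-executable file
    {"id": 11, "Image": r"C:\Windows\System32\wscript.exe", "TargetFilename": TEMP + r"\report.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # assumption: both WSH hosts count
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_host(path):
    return basename(path) in SCRIPT_HOSTS


def in_temp_dir(path):
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def argv(cmdline):
    """Minimal Windows command-line tokenizer: quoted spans or bare words."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def detect(events):
    """Return a list of {"rule", "event"} hits over an ordered event stream."""
    hits = []
    dropped = set()   # lowercase paths of executables written by a script host so far
    for i, ev in enumerate(events):
        if ev["id"] == 11 and is_script_host(ev["Image"]):
            target = ev["TargetFilename"]
            if in_temp_dir(target) and target.lower().endswith(EXEC_EXTS):
                dropped.add(target.lower())
                hits.append({"rule": "script_host_drops_exe_in_temp", "event": i})
        elif ev["id"] == 1 and is_script_host(ev["ParentImage"]) and in_temp_dir(ev["Image"]):
            hits.append({"rule": "script_host_spawns_temp_exe", "event": i})
            # correlate with an earlier drop by the same kind of parent: highest confidence
            if ev["Image"].lower() in dropped:
                hits.append({"rule": "drop_then_execute", "event": i})
            # weak, easily changed indicator specific to the campaign described
            args = argv(ev["CommandLine"])
            if len(args) > 1 and args[-1] == "321":
                hits.append({"rule": "locky_zepto_321_argument", "event": i})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h)
```

The `drop_then_execute` correlation is the rule worth alerting on by itself; the other hits are context that a triage analyst would want attached to the alert.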

This Locky variant appends the .zepto extension to the encrypted files and had previously been considered a separate ransomware version. According to CYREN researchers, the malware authors made only a few changes to the ransomware’s code to switch to the new file extension.

As soon as encryption has completed, Locky replaces the desktop wallpaper with the ransom note and opens the ransom instructions page it previously dropped on the user's desktop. The Tor links provided direct the victim to the Locky Decryptor page.

“As always, we highly advise end users to avoid opening executable attachments from untrusted sources, and to deploy web gateway security capable of detecting (and stopping) such attacks. Businesses can ultimately contribute to reducing the economic payoff calculation for the cybercriminals and, at the same time, defend their organization,” researchers say.

Related: Locky Ransomware Gets Offline Encryption Capabilities

Related: Decryption Tools Released for Bart, PowerWare Ransomware
