SecurityWeek

Malware & Threats

Locky Ransomware Sheds Downloaders in Favor of JavaScript

Locky, one of the most active ransomware families currently plaguing users around the world, has changed its distribution mechanism: the ransomware binary is now embedded directly in JavaScript files attached to spam emails.

The ransomware has been distributed through JavaScript attachments for several months, but until now those scripts were downloaders that fetched the Locky binary onto the compromised system rather than carrying it. That changed last week, when a new wave of malicious emails began dropping Locky directly from the script.

According to CYREN researchers, the spam emails in this campaign used the subject line “Invoice,” which is standard for malware distribution runs. The attachments also followed the same filename format seen in previous Locky attacks.

What changed was the size of the attached .ZIP file, which is more than 250KB larger than previous Locky-associated attachments. As before, the archive contains a JavaScript file that uses the same obfuscation found in the previous Locky downloader script variants.

Loading the JavaScript into an editor “also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods. Even the binary decryption routine is still included in this variant,” CYREN researchers say.

What previous variants lacked is a set of large arrays that are concatenated together at runtime; the resulting array variable is where the encrypted Locky ransomware binary is stored. The script decrypts the binary, saves it to disk, and only then executes it.
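The two static indicators described above (string chunks that are only assembled into ActiveXObject names at runtime, and a numeric array large enough to hold a binary) are easy to check for in an attachment before anyone double-clicks it. The following Python script is an added example, not CYREN's tooling or any code from the article: it opens a ZIP attachment in memory, constant-folds `var x = "chunk";` assignments through `a + "b" + c` chains, reports which COM/WSH names only appear after folding, and totals the elements in numeric array literals. The sample script, its member name, the watch-list and the thresholds are all constructed assumptions (the sample is a toy in the described style, not Locky).

```python
import io
import re
import zipfile
from dataclasses import dataclass

# --- patterns ---------------------------------------------------------------
STR_LIT = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
# var name = "one literal";  -- the "numerous variables containing chunks of strings"
ASSIGN_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*(' + STR_LIT + r')\s*;')
# a + "b" + c ...  -- chunks concatenated at runtime
TERM = r'(?:' + STR_LIT + r'|\b\w+\b)'
CHAIN_RE = re.compile(r'(?:' + TERM + r'\s*\+\s*)+' + TERM)
TERM_RE = re.compile(TERM)
# [12, 34, ...]  -- numeric array literals that can carry an embedded binary
ARRAY_RE = re.compile(r'\[\s*((?:-?\d+\s*,\s*)+-?\d+)\s*\]')

# Assumed watch-list: names a dropper needs. Seeing them only after folding
# means the script deliberately hid them from naive string scanners.
WATCH = ("ActiveXObject", "WScript.Shell", "Scripting.FileSystemObject",
         "ADODB.Stream", "MSXML2.XMLHTTP")
MIN_PAYLOAD_ELEMENTS = 256  # assumed: below this, arrays are probably not a binary


def _unquote(tok):
    """Return the contents of a quoted token, or None for an identifier."""
    return tok[1:-1] if tok[0] in "\"'" else None


def fold_strings(src):
    """Statically rebuild concatenation chains from single-literal var assignments."""
    consts = {name: _unquote(lit) for name, lit in ASSIGN_RE.findall(src)}
    folded = []
    for chain in CHAIN_RE.findall(src):
        parts = []
        for tok in TERM_RE.findall(chain):
            lit = _unquote(tok)
            if lit is not None:
                parts.append(lit)
            elif tok in consts:
                parts.append(consts[tok])
            # anything else (calls, unknown vars) cannot be resolved statically
        folded.append("".join(parts))
    return folded


@dataclass
class Triage:
    js_size: int           # bytes of script text (the ~250KB growth is the first hint)
    chains: int            # concatenation chains found
    hidden_names: list     # WATCH names visible only after folding
    payload_elements: int  # total elements in numeric array literals
    verdict: str


def triage_js(src):
    folded = fold_strings(src)
    hidden = sorted({w for w in WATCH
                     if w not in src and any(w in s for s in folded)})
    payload = sum(len(m.group(1).split(",")) for m in ARRAY_RE.finditer(src))
    if hidden and payload >= MIN_PAYLOAD_ELEMENTS:
        verdict = "embedded-dropper"      # hides COM names AND carries a blob
    elif hidden:
        verdict = "obfuscated-script"     # downloader-style obfuscation, no blob
    else:
        verdict = "clean-or-unknown"
    return Triage(len(src), len(folded), hidden, payload, verdict)


def triage_zip(zip_bytes):
    """Triage every script member of a ZIP attachment; returns {member: Triage}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".js", ".jse", ".wsf")):
                results[info.filename] = triage_js(zf.read(info).decode("latin-1"))
    return results


# --- constructed sample (toy, not Locky): chunked COM names + two 300-element arrays
_ARR = ", ".join(str((i * 73 + 11) % 256) for i in range(300))
SAMPLE_JS = (
    'var q = "Act"; var w = "iveX"; var e = "Obj"; var r = "ect";\n'
    'var t = "WScr"; var y = "ipt.Sh"; var u = "ell";\n'
    'var k = "Fil"; var m = "eSys"; var n = "temObject";\n'
    'var p1 = [' + _ARR + '];\n'
    'var p2 = [' + _ARR + '];\n'
    'var sh = new this[q + w + e + r](t + y + u);\n'
    'var fso = new this[q + w + e + r]("Scripting." + k + m + n);\n'
    'var buf = p1.concat(p2);\n'
    'sh.Run(fso.GetSpecialFolder(2) + "\\\\" + "jkqwe.exe" + " 321");\n'
)


def build_sample_zip():
    """In-memory ZIP mimicking an 'Invoice' attachment (member name is assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_scan.js", SAMPLE_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for name, t in triage_zip(build_sample_zip()).items():
        print(name, t)
```

The folding is deliberately shallow: it resolves only `var x = "literal";` assignments, so a script that builds chunks with `String.fromCharCode` or array indexing will show up as `obfuscated-script` at best and needs a sandbox or a real JavaScript interpreter. The point of the array count is that a downloader has no reason to carry hundreds of numeric elements, so that signal alone separates the new variant from the older ones the article describes.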

Other malware authors have been embedding their malicious programs into scripts for a long time, so it is not much of a surprise that Locky has adopted the technique as well. Previously, however, the ransomware favored malicious macros in Office documents distributed via large spam runs powered by the Necurs botnet. It started using JavaScript a while ago, but only as a downloader, and it was also distributed via the Nuclear exploit kit.

Decryption of the binary shows up as a sharp spike in CPU usage by wscript.exe. Once decrypted, the executable is saved in the Temp directory under a filename that is hardcoded in the JavaScript, although it looks random. The ransomware is then executed with the argument “321”.
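The runtime chain just described (a wscript.exe parent running a script file, an .exe written to the Temp directory, and that child launched with the trailing argument “321”) is what process-creation telemetry would show, and it gives a detection engineer something concrete to key on. The following Python is an added example, not CYREN's or SecurityWeek's code: it scores constructed process-creation events against that chain, escalating severity with each matching element. The event schema, the file and script names, and the timestamps are assumptions, not a specific Sysmon or EDR export.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# .exe written to a per-user or system Temp directory
TEMP_EXE_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\[^\\]+\.exe$",
                         re.IGNORECASE)
# script host was launched on a .js/.jse/.wsf file
SCRIPT_ARG_RE = re.compile(r"\.(?:js|jse|wsf)\b", re.IGNORECASE)
LOCKY_ARG = "321"   # trailing argument reported for this variant


@dataclass
class Alert:
    ts: str
    image: str
    severity: str
    reasons: list


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return an Alert for one process-creation event, or None if out of scope."""
    if _basename(ev["parent_image"]) not in SCRIPT_HOSTS:
        return None
    if not TEMP_EXE_RE.search(ev["image"]):
        return None   # wscript launching cmd.exe etc. is routine in logon scripts
    reasons = ["script host spawned an .exe from a Temp directory"]
    if SCRIPT_ARG_RE.search(ev["parent_cmd"]):
        reasons.append("script host was running a .js/.jse/.wsf file")
    if ev["cmd"].rstrip().endswith(" " + LOCKY_ARG):
        reasons.append("child launched with trailing argument " + LOCKY_ARG)
    severity = {1: "medium", 2: "high", 3: "critical"}[len(reasons)]
    return Alert(ev["ts"], ev["image"], severity, reasons)


def scan(events):
    return [a for a in map(classify, events) if a is not None]


# Constructed events (field names are assumptions). Event 1 mirrors the chain in
# the article; the Temp1_*.zip path is where Windows opens a ZIP from Explorer.
EVENTS = [
    {"ts": "09:12:01",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Temp1_Invoice.zip\invoice_scan.js"',
     "image": r"C:\Users\bob\AppData\Local\Temp\hgTsdzq.exe",
     "cmd": r'"C:\Users\bob\AppData\Local\Temp\hgTsdzq.exe" 321'},
    {"ts": "09:13:44",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmd": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"ts": "09:14:10",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_cmd": r"wscript.exe \\corp\netlogon\logon.vbs",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c net use H: \\corp\home"},
    {"ts": "09:20:33",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_cmd": r"wscript.exe C:\Users\bob\Downloads\setup.js",
     "image": r"C:\Users\bob\AppData\Local\Temp\installer.exe",
     "cmd": r'"C:\Users\bob\AppData\Local\Temp\installer.exe" /quiet'},
    {"ts": "09:25:02",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "parent_cmd": r"cscript.exe //nologo C:\scripts\inventory.vbs",
     "image": r"C:\Windows\Temp\tool.exe",
     "cmd": r"C:\Windows\Temp\tool.exe"},
]


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(a.ts, a.severity, a.image, "; ".join(a.reasons))
```

The base condition (a script host writing and launching an .exe from Temp) is the durable part of the rule; the “321” argument is specific to this variant and is only used to raise confidence, so the rule keeps firing when the authors change the argument or the filename.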


This Locky variant appends the .zepto extension to encrypted files and was previously considered a separate ransomware version. According to CYREN researchers, the malware authors made only a few changes to the ransomware’s code to switch to the new file extension.

As soon as the encryption process has been completed, Locky replaces the desktop background wallpaper with the ransom note and opens the ransom instructions page that it previously dropped on the user’s desktop. The Tor links provided to the victim direct them to the Locky Decryptor page.

“As always, we highly advise end users to avoid opening executable attachments from untrusted sources, and to deploy web gateway security capable of detecting (and stopping) such attacks. Businesses can ultimately contribute to reducing the economic payoff calculation for the cybercriminals and, at the same time, defend their organization,” researchers say.

Related: Locky Ransomware Gets Offline Encryption Capabilities

Related: Decryption Tools Released for Bart, PowerWare Ransomware
