Spam Campaign Distributing Locky Variant Zepto Ransomware

Zepto, supposedly a variant of the well-known Locky ransomware, was recently spotted in a distribution campaign that involved over 100,000 spam messages, Cisco Talos security researchers warn.

Spotted for the first time in February, Locky needed only a couple of weeks to become one of the largest threats in the ransomware landscape, but it needed several months to spawn its first successor, it seems. This, however, doesn’t mean that the new piece of malware is less dangerous.

According to Warren Mercer, security researcher for Cisco Talos, the newly spotted campaign started on Monday, June 27, when around 4,000 spam emails were caught by the security firm’s defenses. However, the campaign ramped up fast over the next couple of days, reaching as many as 137,731 emails in as little as 4 days, the researcher explains.

The malware was being distributed via an attached .zip archive, which in turn packed a malicious JavaScript, researchers say. A closer look at the email campaign revealed a total of 3,305 unique samples, each named following the swift [XXX|XXXX].js scheme. In all of these messages, the cybercriminals attempted to lure victims by using various subject lines and various sender profiles, including ‘CEO’ or ‘VP of Sales’.

The body of the message suggested that users should look at their “requested” documentation, and also included mail-merged salutations. Throughout the attack, the email bodies and subject headers changed slightly, the researcher says.

As soon as the victim launched the attachment, the malicious JavaScript was executed. It would leverage wscript.exe to launch HTTP GET requests to a series of predefined command and control (C&C) domains, and Cisco Talos security researchers noticed that some of the samples would initiate connectivity to a single domain, whilst others would communicate with up to 9 domains.

Once executed, the downloaded malicious binary starts encrypting the local files in the background, appends the .zepto extension to them, and then displays a ransom note demanding that users pay to regain access to their files. The ransom note is displayed both as an HTML file and as a picture, and the computer’s wallpaper is also changed to display the note, as can be seen in the video embedded below.
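As an added illustration (not from the article or from Talos), the following Python sketch turns the observable traits described above into two defender-side checks: zip attachments whose member is named in the `swift [XXX|XXXX].js` style, and wscript.exe issuing HTTP GET requests to several distinct domains from one host. The log layouts, hostnames and every sample value are constructed for the example; the "3 or 4 alphanumeric characters" reading of `[XXX|XXXX]` is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Attachment naming seen in the campaign: "swift " + 3 or 4 chars + ".js".
# Assumption: the placeholder characters are alphanumeric.
SWIFT_JS = re.compile(r"^swift [0-9a-z]{3,4}\.js$", re.IGNORECASE)

# Constructed mail-gateway records (not real campaign data).
MAIL_RECORDS = [
    {"from": "CEO <ceo@example.test>", "subject": "Requested documentation",
     "zip_members": ["swift 1A2.js"]},
    {"from": "VP of Sales <vp@example.test>", "subject": "Your requested docs",
     "zip_members": ["swift 9F4B.js"]},
    {"from": "hr@example.test", "subject": "Payslip",
     "zip_members": ["payslip_june.pdf"]},
    {"from": "it@example.test", "subject": "Report",
     "zip_members": ["swift_report.txt", "swift 12345.js"]},  # 5 chars: no match
]

def flag_mail(records):
    """Return the records whose zip attachment contains a 'swift XXX.js' script."""
    return [r for r in records
            if any(SWIFT_JS.match(m) for m in r["zip_members"])]

# Constructed endpoint telemetry: "<host> <process> <method> <url>" per line.
ENDPOINT_LOG = """\
host01 wscript.exe GET http://c2-one.example.test/get.php
host01 wscript.exe GET http://c2-two.example.test/get.php
host01 wscript.exe GET http://c2-three.example.test/get.php
host02 chrome.exe GET http://intranet.example.test/
host02 wscript.exe GET http://c2-one.example.test/get.php
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def wscript_domains(log):
    """Map host -> set of distinct domains that wscript.exe fetched over HTTP GET."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        host, proc, method, url = m.groups()
        if proc.lower() == "wscript.exe" and method == "GET":
            seen[host].add(urlparse(url).hostname)
    return seen

if __name__ == "__main__":
    print([r["zip_members"] for r in flag_mail(MAIL_RECORDS)])
    print({h: sorted(d) for h, d in wscript_domains(ENDPOINT_LOG).items()})
```

A host where wscript.exe reaches several distinct domains in a short window is the telemetry shape the article describes (up to 9 domains per sample), so that count is a reasonable alerting threshold to tune against local baselines.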

While the attack vector used by Zepto isn’t new, it is clearly one of the most used in ransomware campaigns, researchers note. The most important aspect of the newly observed campaign, however, is the fact that the new malware has tight connections to Locky: both are distributed via malicious JS files, both leave behind the same type of files, and both have similar ransom notes.

“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign. Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns,” Mercer concludes.

Since February, Locky has become the largest ransomware threat out there, courtesy of massive spam runs powered by the Necurs botnet. Distribution campaigns were also powered by the Nuclear exploit kit, which was used to serve 110,000 droppers for Locky. Researchers estimated that, if all droppers were successful and half of victims paid, cybercriminals could have made as much as $12,650,000 in these campaigns.

The Locky ransomware, which is supposedly operated by the group behind the Dridex Trojan, has seen numerous updates over the past couple of months as its authors attempted to improve its evasion techniques.
