Batu69 Posted July 27, 2016 Share Posted July 27, 2016 Locky ransomware continues to evolve, gets closer to 100% JS Jump in spam file attachment size New versions of the Locky ransomware, the variants that are also known as Zepto ransomware, have changed their classic mode of operation and are now relying on more JavaScript code than ever before. Locky is a ransomware variant that appeared at the start of the year and had constantly evolved. One of the things that remained the same across all these months was its payload, which was a JavaScript file embedded inside a ZIP file, which users received via email. This file usually contained something that security researchers call a downloader, a malicious component that downloaded the actual Locky ransomware binary and launched it into execution. Locky devs are embedding the ransomware inside the JS file According to researchers from Cyren, from July 20, a new wave of Locky infections started delivering the entire ransomware code inside the JavaScript file. Researchers immediately noted this change because of a jump of the ZIP file's size, which grew from a few KBs to over 250 KB. Opening this JS file from the ZIP archive inside a code editor also shows a lot more code than before. Researchers say that this code contains the actual Locky binary, which is reconstructed from the JavaScript code and saved on the user's OS when the JS file is executed. "Embedding malware binaries in scripts has been around for years," Cyren's Maharlito Aquino notes, "so it is not surprising to see Locky making use of this technique in delivering its ransomware component." Only Locky's Zepto variants showcases this behavior Once the Locky binary is saved in the user's Temp folder, it is also automatically launched into execution, starting the encryption process that locks the user's files. Quote “ Note: This doesn't mean that Locky is coded in JavaScript, the binary still being compiled from another programming language, but that instead of using a two-step infection stage, Locky is now delivered directly via the JS file. ” As mentioned above, this particular version appends the .zepto extension at the end of all encrypted files. Some security firms have been tracking this wave of Locky ransomware under a separate name altogether, as the Zepto ransomware. At the end of June and start of July, Cisco security researchers noticed a huge spam wave (137,731 emails in four days) delivering Locky/Zepto ransomware. That particular wave still used the old ZIP-JS-downloader-Locky infection routine. Locky also uses DOCM and WSF files as JS alternatives Cyren has been very diligent at keeping an watchful eye on Locky distribution and infection methods in general. The company also noted other changes to Locky distribution, but not to Zepto variants. Among these is the usage of DOCM files, an alternative to DOC and DOCX, for infecting users via Word macros. Additionally, the company also noted the usage of WSF files instead of JavaScript files, with WSF files being essentially another way of packaging and executing JavaScript code. Article source Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.