New Locky Spam Wave Delivers Entire Ransomware Inside JavaScript File


Batu69

Locky ransomware continues to evolve, gets closer to 100% JS

[Image: jump in spam file attachment size]


New versions of the Locky ransomware, the variants that are also known as Zepto ransomware, have changed their classic mode of operation and are now relying on more JavaScript code than ever before.

Locky is a ransomware variant that appeared at the start of the year and has constantly evolved since. One thing that remained the same across all these months was its initial payload: a JavaScript file embedded inside a ZIP file, which users received via email.

This file usually contained what security researchers call a downloader, a malicious component that fetched the actual Locky ransomware binary and launched it into execution.

Locky devs are embedding the ransomware inside the JS file

According to researchers from Cyren, from July 20, a new wave of Locky infections started delivering the entire ransomware code inside the JavaScript file.

Researchers immediately noted this change because of a jump in the ZIP file's size, which grew from a few KB to over 250 KB. Opening the JS file from the ZIP archive in a code editor also shows far more code than before.

Researchers say that this code contains the actual Locky binary, which is reconstructed from the JavaScript code and saved on the user's OS when the JS file is executed.

"Embedding malware binaries in scripts has been around for years," Cyren's Maharlito Aquino notes, "so it is not surprising to see Locky making use of this technique in delivering its ransomware component."

Only Locky's Zepto variants showcase this behavior

Once the Locky binary is saved in the user's Temp folder, it is also automatically launched into execution, starting the encryption process that locks the user's files.

Note: This doesn't mean that Locky is coded in JavaScript; the binary is still compiled from another programming language. Rather, instead of using a two-step infection stage, Locky is now delivered directly via the JS file.

This particular version appends the .zepto extension to the end of all encrypted files. Some security firms have been tracking this wave of Locky ransomware under a separate name altogether, as the Zepto ransomware.

At the end of June and start of July, Cisco security researchers noticed a huge spam wave (137,731 emails in four days) delivering Locky/Zepto ransomware. That particular wave still used the old ZIP-JS-downloader-Locky infection routine.

Locky also uses DOCM and WSF files as JS alternatives

Cyren has been very diligent at keeping a watchful eye on Locky distribution and infection methods in general.

The company also noted other changes to Locky distribution, though not in the Zepto variants. Among these is the use of DOCM files, the macro-enabled alternative to DOC and DOCX, for infecting users via Word macros.

Additionally, the company noted the use of WSF files instead of JavaScript files, WSF being essentially another way of packaging and executing JavaScript code.
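To make the detection angle of this article concrete (the jump in attachment size, and scripts or macro-enabled documents arriving inside ZIP attachments), here is a small mail-gateway triage heuristic. It is an added example written for this post, not Cyren's or any vendor's tooling; the literal-length cut-off, the extension lists and the sample archives are constructed assumptions, while the 250 KB threshold is the size jump the article reports.

```python
import io
import os
import re
import zipfile

# Thresholds: 250 KB is the attachment size jump Cyren reported for the new
# wave; the string-literal length cut-off is an assumption made here.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
MACRO_EXTENSIONS = {".docm"}
OVERSIZED_SCRIPT_BYTES = 250 * 1024
LONG_LITERAL_CHARS = 8192
# One string literal holding a long run of base64-style characters is the
# tell-tale of a binary carried inside the script instead of downloaded.
_LITERAL_RE = re.compile(rb'["\']([A-Za-z0-9+/=]{%d,})["\']' % LONG_LITERAL_CHARS)


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per member worth a gateway's attention: member name,
    uncompressed size and the rules it tripped. Empty list means no match."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script_in_zip")
                if info.file_size > OVERSIZED_SCRIPT_BYTES:
                    reasons.append("oversized_script")
                if _LITERAL_RE.search(zf.read(info)):
                    reasons.append("long_encoded_literal")
            elif ext in MACRO_EXTENSIONS:
                reasons.append("macro_enabled_document")
            if reasons:
                findings.append({"member": info.filename,
                                 "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_zip(member: str, body: bytes) -> bytes:
    """Build a one-member ZIP in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()


# Constructed stand-ins: a downloader-sized script and a script carrying a
# large encoded blob, mimicking the few-KB to 250-KB+ jump described above.
SMALL_SCRIPT_ZIP = build_sample_zip("invoice.js", b'var u = "http://example.invalid/";')
EMBEDDED_BLOB_ZIP = build_sample_zip("invoice.js", b'var b = "' + b"QUJD" * 70000 + b'";')
```

Run `triage_zip_attachment(EMBEDDED_BLOB_ZIP)` to see all three script rules fire, against only `script_in_zip` for the small archive; a sandbox or AV scan still has to confirm what the flagged script actually does.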
