
New Locky Ransomware Version Delivered as DLL File


vissha



Locky switches EXE binaries for DLL files

 

Quote

The criminal group behind the Locky ransomware has updated their malware, and newer versions of this threat are being installed disguised as DLL files, instead of the classic EXE binaries.

 

The Locky ransomware has morphed more than any other ransomware active today. The reason behind this is because the malware was created and developed by the same group that created the Dridex banking trojan, who also owns one of the most active botnets on the Internet.

 

As such, resources are never scarce with this group, who have the money, time, and knowledge to evolve their ransomware with new techniques at regular intervals, in order to avoid security software and keep security researchers on their toes.

 

Locky experiments with DLLs instead of EXEs

 

The latest of this change is an update to how Locky reaches its victims and how the encryption process starts.

 

According to cyber-security vendor Cyren, recent Locky versions drop DLL files on infected computers, instead of EXE files. The rest of the infection chain remains as we know it.

 

Locky reaches victims via spam messages that have a ZIP file attached to the email body. Unzipping this ZIP drops a JavaScript file, which when executed downloads the DLL file (instead of the classic EXE).

 

This file is injected into a process, and its malicious code executed, which starts the file encryption operation. Another new feature is that this DLL file uses a custom packer to prevent anti-malware scanners from easily detecting it.

 

This version locks files and appends the .zepto extension at the end, meaning this is a version of the Zepto ransomware, another name for Locky, but still the Locky ransomware.

 

Locky has suffered many changes

 

In the past, Locky has suffered many other mutations. Some have lasted, some not.

 

For example, Locky spam using Office documents and WSF files instead of ZIP & JS files has gone up. Other versions have used websites with vulnerable PHP forms to send the email spam, instead of the classic botnets used by the Dridex gang.

 

Towards the end of July, Locky experimented with embedding the entire ransomware binary in the JS file and then reconstructing the EXE file when executing the JS file, instead of downloading it from an online server.

 

Another version also added support for working without an Internet connection, even if it featured a weaker encryption method.

 

It's these constant updates that have kept Locky one step ahead of security researchers, and that's why a decrypter has never been created for Locky until now.

 

Source


Additional Information

Locky / Zepto Ransomware now being installed from a DLL

 

Over the past few days, the Locky / Zepto developers have switched to using a DLL to install the Locky Ransomware rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers, as rundll32.exe is typically whitelisted.

Locky is still being distributed via JS attachments, which when executed will download an encrypted version of the executable. Once the payload is decrypted to a DLL file, it will run it using the following command:

"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323

You can see the DLL being executed by rundll32.exe in the image below.

Image (rundll32.png): Locky executing via DLL

Other than installing Locky via a DLL, nothing else has changed. It is still appending Zepto to the end of encrypted files and generating the same ransom notes. I am unsure what file extensions were previously being targeted, but the current extensions are:

.aes,.apk,.ARC,.asc,.asf,.asm,.asp,.asset,.avi,.bak,.bat,.bik,.bmp,.brd,.bsa,.cgm,.class,.cmd,.cpp,.crt,.csr,.CSV,.d3dbsp,.das,.dbf,.dch,.dif,
.dip,.djv,.djvu,.DOC,.docb,.docm,.docx,.DOT,.dotm,.dotx,.fla,.flv,.forge,.frm,.gif,.gpg,.hwp,.ibd,.iwi,.jar,.java,.jpeg,.jpg,.key,.lay,.lay6,
.lbf,.ldf,.litemod,.litesql,.ltx,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mpeg,.mpg,.ms11 (Security copy),.MYD,.MYI,.NEF,.odb,.odg,.odp,.ods,.odt,
.onetoc2,.otg,.otp,.ots,.ott,.PAQ,.pas,.pdf,.pem,.php,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.PPT,.pptm,.pptx,.psd,.pst,.qcow2,.rar,.raw,
.RTF,.sav,.sch,.sldm,.sldx,.slk,.sql,.SQLITE3,.SQLITEDB,.stc,.std,.sti,.stw,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tar.bz2,.tbk,.tgz,.tif,
.tiff,.txt,.uop,.uot,.upk,.vbs,.vdi,.vmdk,.vmx,.vob,.wallet,.wav,.wks,.wma,.wmv,.xlc,.xlm,.XLS,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.xml,.zip

 

Source
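Both posts above describe the same loader chain: a JS attachment run by the Windows script host downloads a DLL into the user's temp directory, which rundll32.exe then loads by export name. The following detection logic is an added example, not code from either source; it runs over constructed Sysmon-style process-creation events (the second event mirrors the quoted command line) and assumes wscript.exe/cscript.exe as the parent of the downloader stage.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry). Event 2
# mirrors the rundll32 command line quoted above; event 3 is a benign-looking
# installer helper that shares only one trait with it.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\User\AppData\Local\Temp\MSI1234.tmp",ZipDLL'},
]

# Directories an unprivileged user (or a script it runs) can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Users\\Public\\", re.I)
# Hosts that execute .js attachments; assumed parent of the downloader stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export_name); None if no match.
    rundll32 syntax: rundll32.exe <dll>,<export> [arguments]; the DLL path may be quoted."""
    m = re.match(r'\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+(?:"([^"]+)"|([^\s,]+)),(\S+)',
                 cmdline, re.I)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))

def assess(event):
    """Return the suspicious traits of one event; an empty list means nothing flagged."""
    reasons = []
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return reasons
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return reasons
    dll, export = parsed
    if USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from a user-writable directory")
    if "~" in ntpath.basename(dll):
        reasons.append("8.3 short name hides the DLL's real file name")
    if ntpath.basename(event["parent"]).lower() in SCRIPT_HOSTS:
        reasons.append("spawned by a script host (JS attachment stage)")
    return reasons

def triage(events):
    """Map each flagged event's command line to its reasons, dropping clean events."""
    return {e["cmdline"]: assess(e) for e in events if assess(e)}
```

The installer helper is still reported with a single reason, so a real deployment would alert on two or more traits and treat one as context only.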
