Locky, Three Ways

Locky, one of the first and most resilient ‘mass distribution’ ransomware families, has roared back after a brief break. Throughout August, Locky campaigns have filled our inboxes with fraudulent invoices that need paying, images that need opening, and voicemails that need hearing. These recent campaigns are notable not only for their volume but for the multiple delivery methods used within a single distribution run. On August 17, Locky arrived en masse with three different infection methods that all led to Locky’s Lukitus variant. While infection vectors frequently change from run to run, this kind of intra-campaign shuffling is extremely rare.


Our feed on the day of the run, all received within a second, all different, and all Locky

Locky – Macro’d in a Doc base

The first, and most fleshed-out, lure in this Locky run came in the form of a Microsoft Word document with malicious macros. The potential victim received a poorly worded email urging them to open the attachment to clear up “invoices outstanding.”


Figure 1: Screen shot of lure email

If the attachment is opened, the victim finds a completely blank document and a prompt to enable macros. Once enabled, the macro reaches out to a site hosting the second-stage payload, downloads it, and executes it on the victim’s machine.


Figure 2: VirusTotal detections of macro-dropped Locky executable

Locky – RAR Reduction

Next, in order of lure complexity, the threat actors served up a VBS script compressed in a RAR file and attached to a short email labeled as a “Voice Message.”


Figure 3: Body of lure email with attached RAR

The RAR, predictably, contains no voice message or even an audio file, but a Visual Basic script. When the script is run it reaches out to a compromised website hosting the second-stage payload. In this case that was Zilipendwaradio.org, a site which at one time would presumably have broadcast Tanzanian Swahili-language songs from the 60s and 70s.


Figure 4: Link to compromised website inside VB Script

This executable then carries out the encryption, leaving the victim with a computer full of files renamed with a “.lukitus” extension and filled with gibberish.


Figure 5: VirusTotal detections of VBScript delivered executable

Locky – 7Zipped JavaScript

Finally, Locky was distributed through zipped JavaScript files. With this version, the lure email had no body, and the subject and attachment filename consisted of SCAN, IMG, or JPG followed by a short random string of digits. When unzipped, the malicious attachment reveals a short JavaScript file which, like the macro and the VBS, grabs an executable from a compromised website.
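The three delivery patterns above (a macro-carrying Word document, a RAR holding a VBScript, and an empty-body mail with a SCAN/IMG/JPG-named ZIP holding JavaScript) translate directly into mail-gateway triage rules. The script below is an added example, not PhishLabs code; it encodes those observations as checks over constructed sample messages. The regex for the SCAN/IMG/JPG naming, the rule names, and the sample attachment bytes are assumptions for illustration. Since the standard library cannot open RAR, the RAR case takes a member listing supplied by the caller; legacy OLE .doc files are only flagged for inspection with a tool such as olevba rather than parsed here.

```python
"""Triage rules for the three Locky (Lukitus) delivery methods described above.
Added example, not code from the original article. Sample messages below are
constructed; the SCAN/IMG/JPG regex is an assumption about the naming pattern."""
import io
import re
import zipfile

# Windows script host / HTML application extensions commonly used as droppers.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
OOXML_WORD_EXTS = {".docx", ".docm", ".dotx", ".dotm"}
LEGACY_WORD_EXTS = {".doc", ".dot"}
# Assumed pattern for the third lure: SCAN/IMG/JPG plus a short run of digits.
SCAN_NAME_RE = re.compile(r"^(SCAN|IMG|JPG)[ _-]?\d{2,}$", re.IGNORECASE)


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def zip_members(data):
    """Member names of an in-memory ZIP, or [] when the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def office_has_vba(data):
    """OOXML Word files are ZIPs; a VBA project is stored as word/vbaProject.bin."""
    return any(m.lower().endswith("vbaproject.bin") for m in zip_members(data))


def triage(subject, body, attachments, rar_listing=None):
    """attachments: list of (filename, bytes). rar_listing: optional dict mapping
    a RAR/7z attachment name to its member names (listed by the caller).
    Returns a list of (rule, detail) findings in evaluation order."""
    findings = []
    rar_listing = rar_listing or {}
    empty_body = not body.strip()
    for fname, data in attachments:
        ext = _ext(fname)
        # Lure 1: Word document carrying a macro project.
        if ext in OOXML_WORD_EXTS and office_has_vba(data):
            findings.append(("office_macro", fname))
        elif ext in LEGACY_WORD_EXTS:
            findings.append(("office_legacy_inspect", fname))  # hand to olevba
        # Lures 2 and 3: archive whose members are script files.
        if ext in ARCHIVE_EXTS:
            members = zip_members(data) if ext == ".zip" else rar_listing.get(fname, [])
            scripts = [m for m in members if _ext(m) in SCRIPT_EXTS]
            if scripts:
                findings.append(("archived_script", fname + ":" + ",".join(scripts)))
        # Lure 3: empty body plus SCAN/IMG/JPG-style attachment name.
        stem = fname.rsplit(".", 1)[0]
        if empty_body and SCAN_NAME_RE.match(stem):
            findings.append(("empty_body_scan_lure", fname))
    if empty_body and SCAN_NAME_RE.match(subject.strip()):
        findings.append(("empty_body_scan_lure", "subject=" + subject))
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: content} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def run_samples():
    """Constructed messages mirroring the three lures; returns {lure: findings}."""
    docm = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stub"})
    rar_stub = b"Rar!\x1a\x07\x00 constructed stub, not a real archive"
    js_zip = make_zip({"IMG_4821.js": "/* constructed dropper stub */"})
    return {
        "macro_doc": triage("invoices outstanding", "Please see attached invoices.",
                            [("invoice.docm", docm)]),
        "rar_vbs": triage("Voice Message", "You have a new voice message.",
                          [("VoiceMessage.rar", rar_stub)],
                          rar_listing={"VoiceMessage.rar": ["VoiceMessage.vbs"]}),
        "zipped_js": triage("IMG_4821", "", [("IMG_4821.zip", js_zip)]),
    }


if __name__ == "__main__":
    for lure, hits in run_samples().items():
        print(lure, hits)
```

Each rule alone is noisy (plenty of legitimate macro-enabled documents and scanner-to-email messages exist); the value is in combining the attachment type with the empty body and the naming pattern, which is what the third lure makes distinctive. A RAR or 7z listing has to come from an external unpacker because the standard library only handles ZIP.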


Figure 6: VirusTotal detections of JS delivered Locky

Conclusion

So three different lure email patterns, three different attachment types, and three different executables all lead to one screen. 

Figure 7: Locky variant ‘Lukitus’ dropped ransom note

None of the three infection vectors was novel. In fact, zipped scripts and Office document macros are the most prevalent methods of email-based malicious payload delivery. There are several possible explanations for the unusual activity: the threat actors may have been experimenting with delivery methods to find which resulted in the most successful encryptions, or using multiple file types to overwhelm researchers and responders with indicators of compromise. Either way, this multiple-method attack has not been repeated this month, as Locky appears to have settled on compressed VBScripts as its preferred infection vector.

Interested in a deep-dive on ransomware? Watch the recorded webcast The Ransomware Explosion.


Article Link: https://info.phishlabs.com/blog/locky-three-ways