CYREN Blog

 

Locky Adds New File Format and Attacks UK

by Maharlito Aquino

Filed under Malware Analysis, Ransomware.

Cyren caught a new Locky email spam campaign today which uses a new tactic, delivering the Locky downloader script component as an HTML application, specifically HTA files. The emails are disguised as voice message notifications sent by Peach Telecom, which suggests that the campaign is targeting users in the UK.



 

HTA files are loaded by the system using the program MSHTA.exe, and are executed by instantiating the Internet Explorer rendering engine (MSHTML) along with the required script engines such as jscript.dll and vbscript.dll.

Opening the HTA file in a text editor shows use of the JScript language, which is used in most of the Locky campaigns. Cyren detects this downloader script variant as JS/Locky.AY.

 

Deobfuscating part of the code shows a decryption code structure similar to what we saw in the previous Locky samples we have analyzed.

 

Each sample has at least four URLs from which it tries to download, and as usual the downloader script decrypts before executing.

Similar to the variant we reported last week, the decrypted ransomware component is a DLL file and is loaded using rundll32.exe. We also observed that it no longer uses a code parameter along with the called export function.

CYREN detects the decrypted DLL as W32/Locky.IA.

And just like the previously reported variant, this ransomware component finds and encrypts files in the affected system, renaming the files and appending the string ".zepto" as the file extension.

Listed below are the files which are searched for and encrypted by this variant.

.n64 .ltx .gif .c .lay .xltx .pdf
.m4a .litesql .raw .php .ms11 (Security copy) .xltm .XLS
.m4u .litemod .cgm .ldf .ms11 .xlsx .PPT
.m3u .lbf .jpeg .mdf .sldm .xlsm .stw
.mid .iwi .jpg .ibd .sldx .xlsb .sxw
.wma .forge .tif .MYI .ppsm .slk .ott
.flv .das .tiff .MYD .ppsx .xlw .odt
.3g2 .d3dbsp .NEF .frm .ppam .xlt .DOC
.mkv .bsa .psd .odb .docb .xlm .pem
.3gp .bik .cmd .dbf .mml .xlc .p12
.mp4 .asset .bat .db .sxm .dif .csr
.mov .apk .sh .mdb .otg .stc .crt
.avi .gpg .class .sql .odg .sxc .key
.asf .aes .jar .SQLITEDB .uop .ots wallet.dat
.mpeg .ARC .java .SQLITE3 .potx .ods  
.vob .PAQ .rb .011 .potm .hwp  
.mpg .tar.bz2 .asp .010 .pptx .602  
.wmv .tbk .cs .009 .pptm .dotm  
.fla .bak .brd .008 .std .dotx  
.swf .tar .sch .007 .sxd .docm  
.wav .tgz .dch .006 .pot .docx  
.mp3 .gz .dip .005 .pps .DOT  
.qcow2 .7z .pl .004 .sti .3dm  
.vdi .rar .vbs .003 .sxi .max  
.vmdk .zip .vb .002 .otp .3ds  
.vmx .djv .js .001 .odp .xml  
.wallet .djvu .h .pst .wb2 .txt  
.upk .svg .asm .onetoc2 .123 .CSV  
.sav .bmp .pas .asc .wks .uot  
.re4 .png .cpp .lay6 .wk1 .RTF  

After encrypting the files, the desktop wallpaper is replaced with the ransom instructions and the ransom instructions page is loaded.

 

Clicking on the tor links redirects the users to the Locky decryptor page.

 

While reviewing the domains of the download URL's, we found one particular domain, which was recently created and was registered using the email galicole@mail.com.

WhoIs Info

Domain Name: HOTCARSHHHS6632.COM 
Registry Domain ID: 2056315296_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2016-08-31T09:34:43Z
Creation Date: 2016-08-31T09:34:42Z
Registrar Registration Expiration Date: 2017-08-31T09:34:42Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
:
:
:
Registrant Email: galicole@mail.com

This registrant email has a history of registering domains for the binary payload of Locky Ransomware in August:

rejoincomp2.in
tryfriedpot.co.in

File Hashes

EML    1df85dba3870318dbecc9dc6cb7a3d49e61bf2a89eeb28b2e4c5dce824bd55e7
HTA    36a2055152cb61411d1275fc53cd659a72e66399f59a312013edcfa4cecd9bfd
DLL    ed8965e9834248a177fd0062149410c63c612d68518aff31b35eb58a33b6ce59

URLs being used

hxxp://portadeenrolar.ind.br/jtfinwo?OIxbvVT=NWocFL
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?rQrPsyExOz=ethvMq
hxxp://fingermousedesign.co.uk/ctkvyio?rQrPsyExOz=ethvMq
hxxp://www.primaria-adamclisi.go.ro/ueeldwe?nPPrVCPinPp=zrdPHU
hxxp://www.trade-centrum.eu/ibghgdp?scYkAI=uRPKpwONAus
hxxp://209.41.183.242/adjxlax?scYkAI=uRPKpwONAus
hxxp://wapnn.vov.ru/ummvyia?XCmHOiPueIj=TEqUHJAH
hxxp://albertowe.cba.pl/rejsill?xDVbhWSzARn=QFdSrnvoQsS
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?XCmHOiPueIj=TEqUHJAH
hxxp://www.association-julescatoire.fr/yjqhgff?XCmHOiPueIj=TEqUHJAH
hxxp://www.alpstaxi.co.jp/therodk?IKmacGFG=ddrSDzk
hxxp://yggithuq.utawebhost.at/opdcrhh?OIxbvVT=NWocFL
hxxp://www.trauchgauer-weihnachtsmarkt.de/frcmmhv?IKmacGFG=ddrSDzk
hxxp://www.dietmar-bernhard.de/rthvkws?nPPrVCPinPp=zrdPHU
hxxp://www.ediazahar.com/mllpeqd?xDVbhWSzARn=QFdSrnvoQsS
hxxp://pennylanecupcakes.com.au/lfigasv?UlXIkkwe=kIkGHdxeh
hxxp://www.btb-bike.de/psoexes?UlXIkkwe=kIkGHdxeh
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?OIxbvVT=NWocFL
hxxp://pennylanecupcakes.com.au/lfigasv?OIxbvVT=NWocFL
hxxp://www.rioual.com/bddoxvg?UlXIkkwe=kIkGHdxeh
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?nPPrVCPinPp=zrdPHU
hxxp://www.trauchgauer-weihnachtsmarkt.de/frcmmhv?XCmHOiPueIj=TEqUHJAH
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?xDVbhWSzARn=QFdSrnvoQsS
hxxp://wapnn.vov.ru/ummvyia?IKmacGFG=ddrSDzk
hxxp://www.trade-centrum.eu/ibghgdp?rQrPsyExOz=ethvMq
hxxp://www.btb-bike.de/psoexes?xDVbhWSzARn=QFdSrnvoQsS
hxxp://ajedrezimprov.50webs.com/yfotxbo?nPPrVCPinPp=zrdPHU
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?UlXIkkwe=kIkGHdxeh
hxxp://www.primaria-adamclisi.go.ro/ueeldwe?scYkAI=uRPKpwONAus
hxxp://portadeenrolar.ind.br/jtfinwo?rQrPsyExOz=ethvMq
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?scYkAI=uRPKpwONAus
hxxp://hotcarshhhs6632.com/js/76g78uf4sw?IKmacGFG=ddrSDzk

 

To get further up to speed on Locky, download Cyren's special threat report:

We also previously reported our detection of key changes in Locky's methods on: