It is flu season, and no one wants to hear that a new strain of the flu has been discovered; network defenders will be no happier to learn that Locky ransomware has evolved yet again. This time, however, the threat actors decided to add a darker theme to their code.
On October 11, 2017, threat actors sent multiple phishing emails with financial-themed subjects, although these do not appear to be targeted. Embedded in the body of each message was a base64-encoded .7z archive containing a malicious VBScript that delivers Locky or Trickbot depending on the location of the host. This is not unlike the previous Locky campaigns we have seen; what is new is what happens once the VBScript has successfully delivered its payload. Upon successful completion of the script, the payload URL, the Windows host OS version and a unique identifier number are sent back to a separate command-and-control server.
Figure 1 – POST request to the C&C server informing the threat actor of a successful infection
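The lure described above hid its carrier in plain sight: an archive, base64-encoded, pasted into the message body rather than attached. As an added defensive illustration (this is not code from the original post or from PhishMe), the check below finds base64-looking runs in a message body, decodes them and identifies the container by its leading magic bytes. The 7z, zip, rar and PNG signatures are public file-format constants; the sample body, the fake archive bytes and every function name are constructed for this example. It generalizes the post's .7z case to the other common archive carriers.

```python
import base64
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Public file-format magic bytes (not taken from the post). The campaign used a
# 7z carrier; zip and rar are included so the check covers other common archives,
# and PNG shows how a benign inline image is told apart from an archive.
MAGIC_TABLE: List[Tuple[bytes, str, bool]] = [
    (b"7z\xbc\xaf\x27\x1c", "7z archive", True),
    (b"PK\x03\x04",         "zip archive", True),
    (b"Rar!\x1a\x07",       "rar archive", True),
    (b"\x89PNG\r\n\x1a\n",  "png image", False),
]

_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_base64_blobs(body: str, min_chars: int = 40) -> Iterator[str]:
    """Yield runs of consecutive all-base64 lines, joined into one string.

    That is how a MIME-style encoded attachment looks when pasted into a body.
    A short base64-looking line (< 16 chars, e.g. the lone word 'Accounts') is
    accepted only as the tail of a run already in progress, so ordinary prose
    is not glued onto the front of a blob and does not shift its byte offsets.
    """
    run: List[str] = []
    for line in body.splitlines() + [""]:        # trailing "" flushes the last run
        s = line.strip()
        is_b64 = bool(s) and _B64_LINE.match(s) is not None and len(s) % 4 == 0
        if is_b64 and (len(s) >= 16 or run):
            run.append(s)
            continue
        if run:
            blob = "".join(run)
            if len(blob) >= min_chars:
                yield blob
            run = []


def decode_strict(blob: str) -> Optional[bytes]:
    """Decode base64; return None instead of raising on bad alphabet or padding."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def classify(data: bytes) -> Tuple[str, bool]:
    """Return (label, suspicious) based on the decoded payload's magic bytes."""
    for magic, label, suspicious in MAGIC_TABLE:
        if data.startswith(magic):
            return label, suspicious
    return "unrecognized", False


def scan_body(body: str) -> List[Dict]:
    """Report every decodable inline blob with its container type and size."""
    findings: List[Dict] = []
    for blob in find_base64_blobs(body):
        data = decode_strict(blob)
        if data is None:
            continue
        label, suspicious = classify(data)
        findings.append({"type": label, "suspicious": suspicious,
                         "encoded_chars": len(blob), "decoded_bytes": len(data)})
    return findings


# --- constructed sample input (not a real malware sample) ---------------------
_FAKE_7Z = MAGIC_TABLE[0][0] + b"\x00\x04" + b"\x00" * 58   # 66 bytes -> 88 b64 chars
_FAKE_PNG = MAGIC_TABLE[3][0] + b"\x00" * 40                # 48 bytes -> 64 b64 chars


def _wrap(data: bytes, width: int = 76) -> str:
    """Base64-encode and wrap at MIME width, as a pasted attachment appears."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


SAMPLE_BODY = (
    "Subject: Invoice payment overdue\n\n"
    "Please find the invoice attached below and remit payment today.\n\n"
    + _wrap(_FAKE_7Z)
    + "\n\nRegards,\nAccounts\n\n"
    + _wrap(_FAKE_PNG) + "\n"
)

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY):
        flag = "ALERT" if finding["suspicious"] else "info "
        print(f"[{flag}] {finding['type']}: {finding['decoded_bytes']} bytes "
              f"from {finding['encoded_chars']} base64 chars")
```

On the constructed body this reports the 7z blob as suspicious and the inline PNG as informational only. The decode step is strict on purpose: a run of prose that happens to look like base64 fails validation or decodes to an unrecognized signature, so the alert rests on the container's magic bytes rather than on the mere presence of a long encoded string.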
In addition to the new reporting feature, the attackers named the script's functions after multiple pop culture references and inserted snippets of open source code from the video game Cobalt. This was likely an attempt to defeat heuristic scanning of the code.
Once Locky has been deployed, it quickly goes to work encrypting files and giving them the .asasin extension. It attempts to hide itself by masquerading as Canon© PageComposer while it runs from the current user's Temp directory. After it has successfully encrypted your files, it displays the infamous Locky ransom message.
Figure 2 – Locky ransom note is displayed after the files have been encrypted
With the threat landscape constantly evolving, analysts and network defenders must employ both their skills and advanced technology to overcome adversaries. In the Phishing Defense Center, our threat analysts were able to quickly discover and escalate this threat for in-depth analysis thanks to the visibility provided by PhishMe Triage™.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.