Published on May 30, 2016

Locky Ransomware Shipping With a New Loader

ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way, a JavaScript file attached to an email message delivered to the victims, but this is the first campaign we have tracked that shows a different deployment behaviour. The JavaScript downloader usually retrieves Locky’s dropper from a compromised website; in this case the downloaded file is encoded, making it harder for traditional protection solutions to spot the incoming threat.

Locky Rigged Email

The spam campaign uses the subject line “New Invoice” with the following body:

Dear jean,
I appreciate your speaking with me today. Per our conversation, please find attached invoice.
Please do not hesitate to contact me with any questions you may have. Thank you for your time and consideration.
Hollis Summers
Minerva Neurosciences, Inc
Phone: +1 (267) 351-85-20

The attachment is called and it contains the JavaScript file we have analyzed (MD5: 2E747E682BEF95B559AC3F3D14C8B0E4), which presented a 2/57 (3%) detection rate when it was first uploaded.

Locky Downloader JS detection rate

Javascript Analysis

For convenience we have created a gist with the original JavaScript code found inside the zip attachment. The JS script uses two obfuscation layers; the result after the first pass can be found here.
The second layer uses lots of variables and function definitions to make the analysis harder:

var MUj = (HCs0 + (function Oa() {
    return CFo;
}()) + Qi, RQo + VTj(KRy) + Hn + LBRHp + JYk9 + JPo);

It is quite hard to understand what’s going on; after deobfuscating the second layer as well, we finally obtain more understandable code.
We can quickly spot the domains used to download Locky:

Locky Distribution Domains

All of them appear to be compromised and used without the legitimate owner’s knowledge.
The initial download request happens through WinHttp.WinHttpRequest.5.1 instead of the usual MSXML2.XMLHTTP. Inside the do-while loop we find the part of the script that takes care of downloading, decoding and finally executing Locky’s dropper.
This is the code that checks whether or not the download is still in progress:

if (VFHu.readystate < 4) {

When completed, the ResponseBody is saved, for this particular script, in %TEMP%/dEMCTgpxP.exe.
The picture below shows an excerpt of the ResponseBody containing the encoded file.
After the file has been saved to disk, a decoding function is executed to decrypt the file before running it.

Locky payload decoding

JFSHm is the function responsible for reading the file content and for building an array that is decoded using ZUe, another array, as an S-box. The array returned by JFSHm is passed to the NWAq5 function, whose body uses the following decoding scheme:

  1. The first 4 items are removed from the array, at a position equal to the size of Bp.
  2. The array obtained in the previous step is reversed.
  3. Finally, an XOR decryption with a dynamic key is applied.

Locky Payload Decryption

Apparently Locky’s authors are moving towards a more encryption-based approach that still looks immature, but is nevertheless effective at avoiding detection.
After these steps have been completed, the script makes a few sanity checks: the size of the manipulated array must not be lower than 153600 bytes nor bigger than 179200 bytes, and a valid MZ signature must be present. At this point the decoded content goes through another substitution phase, applied by the KGa function, before being written to disk.
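The decoding chain and sanity checks described above, as an added example that is not part of the original write-up or of the Locky script: the S-box, XOR key, Bp offset and final substitution table are hypothetical stand-ins, so the block replays the step order and the loader’s own checks on a constructed sample rather than recovering a real payload.

```javascript
// Added example, not ReaQta's or the Locky script's code: a replay of the decoding
// pipeline described above plus the loader's sanity checks. S-box, XOR key, "Bp"
// offset and final table are hypothetical; only step order and checks come from the page.
const MIN_SIZE = 153600, MAX_SIZE = 179200;

// Stage 1 (JFSHm): map every byte of the saved file through the S-box
function sboxPass(bytes, sbox) { return Array.from(bytes, b => sbox[b]); }

// Stage 2 (NWAq5): drop 4 items at offset bpSize, reverse, XOR with the key
function unwrapPayload(arr, bpSize, keyBytes) {
  const out = arr.slice();
  out.splice(bpSize, 4);
  out.reverse();
  return out.map((b, i) => b ^ keyBytes[i % keyBytes.length]);
}

// The checks the loader makes before the final KGa-style substitution
function passesSanityChecks(arr) {
  return arr.length >= MIN_SIZE && arr.length <= MAX_SIZE &&
         arr[0] === 0x4d && arr[1] === 0x5a; // "MZ"
}

// Full pipeline; returns null where the loader would refuse to run the file
function decodeStage(encoded, p) {
  const arr = unwrapPayload(sboxPass(encoded, p.sbox), p.bpSize, p.keyBytes);
  if (!passesSanityChecks(arr)) return null;
  return Buffer.from(arr.map(b => p.finalTable[b]));
}

// Constructed parameters. The final table leaves bytes below 0x80 fixed: a
// substitution applied after the MZ check must not disturb the signature.
function demoParams() {
  const sbox = Array.from({ length: 256 }, (_, i) => (i * 7 + 13) & 0xff);
  const finalTable = Array.from({ length: 256 }, (_, i) => (i < 0x80 ? i : i ^ 0x55));
  return { sbox, bpSize: 17, keyBytes: [0x4c, 0x6f, 0x63, 0x6b, 0x79], finalTable };
}
function invert(t) { const inv = []; t.forEach((v, i) => { inv[v] = i; }); return inv; }

// Run the pipeline backwards over a fake PE image to exercise the decoder
function encodeForDemo(plain, p) {
  const invFinal = invert(p.finalTable), invSbox = invert(p.sbox);
  let arr = Array.from(plain, b => invFinal[b]);
  arr = arr.map((b, i) => b ^ p.keyBytes[i % p.keyBytes.length]);
  arr.reverse();
  arr.splice(p.bpSize, 0, 0xde, 0xad, 0xbe, 0xef); // the 4 items that get dropped
  return Buffer.from(arr.map(b => invSbox[b]));
}

// true only if the decoder reproduces a constructed image of the given size
function roundTrip(size) {
  const p = demoParams();
  const plain = Buffer.alloc(size, 0x90); plain.write('MZ', 0, 'latin1');
  const decoded = decodeStage(encodeForDemo(plain, p), p);
  return decoded !== null && decoded.equals(plain);
}
```

A dumped ResponseBody from a real sample would need the script’s actual tables and key extracted from the deobfuscated JavaScript in place of demoParams().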

Locky last substitution stage

Finally, 123 is passed as an argument to the decoded file (MD5: 3A0AA8730FA9B0E71C23FF2921597B84) that is about to be launched. Without this parameter the dropper is unable to perform the unpacking process and get the payload running.
At upload time the detection rate was 13/55, or just 23%.

Payload Detection Rate
Locky new loader payload detection rate

Compromised Domains

This is the list of compromised domains we have retrieved while tracking this campaign:


The cat and mouse game between ransomware and protection solutions is still raging, with ransomware authors adopting slightly more sophisticated techniques that, according to detection rates, are proving to be successful. Ransomware, despite its intrinsic simplicity, remains a feared threat that is proving hard to contain for small companies and big corporations alike. If your company has been hit by ransomware and you’re looking for a proven and effective ransomware protection, you might want to check out ReaQta-core.