ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way: a javascript file attached to an email message delivered to the victims, although this is the first campaign we have tracked that shows a different deployment behaviour. The javascript downloader usually retrieves Locky’s dropper from a compromised website, while in this case the downloaded file is encoded making it harder for traditional protection solutions to spot the incoming threat.
Locky Rigged Email
The spam campaign presents the subject line: New Invoice with the following body:
Dear jean,
I appreciate your speaking with me today. Per our conversation, please find attached invoice.
Please do not hesitate to contact me with any questions you may have. Thank you for your time and consideration.
Sincerely,
Hollis Summers
Minerva Neurosciences, Inc
Phone: +1 (267) 351-85-20
The attachment is called INVOICE_jean.zip and it contains the javascript file which we have analyzed (MD5: 2E747E682BEF95B559AC3F3D14C8B0E4) that presented a 2/57 or 3% detection rate when it was first uploaded.
Javascript Analysis
For convenience we have created a gist with the original javascript code found inside the zip attachment. The JS script uses two obfuscation layers, the result after the first passage can be found here.
The second layer presents uses lots of variables and function definitions to make the analysis harder:
var MUj = (HCs0 + (function Oa() { return CFo; }()) + Qi, RQo + VTj(KRy) + Hn + LBRHp + JYk9 + JPo);
It is quite hard to understand what’s going on, anyway after deobfuscating the second layer as well, we finally obtain a more understandable code.
We can quickly spot the domains used to download Locky:
all of them appear to be compromised and used without the legit owner’s knowledge.
The initial download request happens through WinHttp.WinHttpRequest.5.1 instead of the usual MSXML2.XMLHTTP. Inside the do-while loop we can find the script’s part that takes care of downloading, decoding and finally executing Locky’s dropper.
This is the code that checks whether or not the download is still in progress:
if (VFHu.readystate < 4) { WScript.Sleep(100); continue;
When completed the ResponseBody is saved, for this particular script, in %TEMP%/dEMCTgpxP.exe.
The picture below shows an excerpt of the ResponseBody containing the the encoded file.
After the file has been saved to disk a decoding function is executed to decrypt the file before running it.
JFSHm is the function responsible for reading the file content and for building an array that is decoded using ZUe, another array, as an S-Box. The array returned by the JFSHm function is passed to the NWAq5 function. The body of this function uses the following decoding scheme:
- The first 4 items are removed from the array at a position that equals to Bp size.
- The array obtained in the previous step is reversed.
- Finally a xor decryption with a dynamic key is applied.
Apparently Locky’s authors are moving towards a more encryption-based approach that appears to be still immature, but nevertheless effective to avoid detection.
After these steps have been completed the script makes a few sanity checks: the size of the manipulated array must not be lower than 153600 bytes and not bigger than 179200 bytes, also a valid MZ signature must be present. At this point the decoded content goes through another substitution phase, applied by the KGa function, before being written to disk.
Finally 123 is passed as an argument to the decoded file that is about to be launched. Without this parameter the dropper is unable to perform the unpacking process and to get the payload running. (MD5: 3A0AA8730FA9B0E71C23FF2921597B84).
At upload time the detection rate was 13/55 or just 23%.
Compromised Domains
This is the list of compromised domains we have retrieved while tracking this campaign:
80.244.134.169/ xyvg0g 933666.net/ ttfzuba asliaypak.com/ xbyemr78 bani-shehr.org/ 3aoopl3 compa.me/ 94nyc dermadom.com.mx/ sbee4fy gkabiye.com/ j0vyirf haiphongict.com/ ppw5p heavenboundministry.com/ 5uenput iminlife.com/ 362wz indianflowers.org/ qhg1i infobroadband.com/ ztbk7y1 jade-palace.com/ 1ywwhsx mvfashionoutlet.com/ o9x0720h mybootstore.com/ fgj69p officeconnectme.com/ o6077arl qasralawani.com/ nu7pd rasberrie.com/ mvmaas risefallsinkswim.com/ u6gcc5ux romantikbutik.com/ rd0j2w sevvalsenturk.com/ 1iaqn shoopinghere.com/ nm1aticp shopapm.com/ dfied shubhkamnaye.in/ k6urzuq smoochintimates.com.au/ gfwdo0c sportsandwine.com.au/ jilh5cck temadanismanlik.net/ ceup52n theguildedquill.com/ 9wt3fn u-flats.com/ x147vd wbksis.com/ wzmgallo www.iminlife.com/ 362wz www.nirmallifeline.com/ o62sz www.sportskart.co/ lufy0
Conclusion
The cat and mouse game between ransomware and protection solutions is still raging, with ransomware authors adopting slightly more sophisticated techniques that, according to detection rates, are proving to be successful. Ransomware, despite their intrinsic simplicity, remain a feared threat that is proving to be hard to contain for small companies to big corporations alike. If your company has been hit by a ransomware and you’re looking for a proven and effective ransomware protection, you might want to check out ReaQta-core.
Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!
ReaQta