The Locky ransomware analyzes the email transmission process.

The Locky ransomware analyzes the email transmission process.

 

 

Locky is a new type of ransomware spread through spam, which features similar to Dridex Trojans.

Locky can bypass anti-spam filters (except for other items) and use social engineering techniques to trick users into opening Microsoft Office attachments to emails. Once running, Locky uses RSA-2048 and AES-1024 encryption algorithms to encrypt a large number of files and then asks the victim to pay a ransom to recover his own files.

 

Pass Locky ransomware through spam

We use oledump to extract macros:

A: word/vbaProject. bin

A1: 533 'project'

A2: 95 'projectwm'

A3: 97 'userform1/\ x01CompObj'

A4: 290 'userform1/\ x03VBFrame'

A5: 131 'userform1/F'

A6: 180 'userform1/o'

A7: M 34196 'vba/lele1'

A8: M 1537 'vba/thisdocument'

A9: m 1336 'vba/UserForm1'

A10: 6917 'vba/_ VBA_PROJECT'

A11: 1391 'vba/_ SRP_0'

A12: 110 'vba/_ SRP_1'

A13: 292 'vba/_ SRP_2'

A14: 103 'vba/_ SRP_3'

A15: 790 'vba/dir'

The. doc file contains embedded macros. Download Locky and infect the host. In this example, the URL is:

Hxxp: // olvikt.freedomain.thehost.com [.] ua/admin/js/7623dh3f.exe

0 × 01 malware details

The malware also provides anti-analysis and anti-Sandbox System protection measures:

 

Antidebug Function

To collect fingerprints of the system environment, the malware author avoids automated systems by enabling some API functions:

 

Locky calls API functions

0 × 02 malware Behavior

Locky creates a copy in the following directory:

C: \ Users \ Admin \ AppData \ Local \ Temp \ sysC4E6. tmp

During Infection, Locky creates some registry values:

 

Registry Value

HKCU \ Software \ Locky \ id: A unique ID assigned to the victim.

HKCU \ Software \ Locky \ pubkey: RSA public key.

HKCU \ Software \ Locky \ paytext: Ransom note text.

HKCU \ Software \ Locky \ completed: Ransom note text.

HKCU \ Control Panel \ Desktop \ Wallpaper

("% UserProfile % \ Desktop \ _Locky_recover_instructions.bmp"): Modify the Desktop wallpaper information to display the ransom:

 

Locky Wallpaper

Similar to other ransomware, Locky adds text information to hosts with different Tor domain names. Because many users are not familiar with Trojan Files, Locky provides services such as tor2web to help victims access the hidden server more easily.

In the infected environment, we found the TXT file of the ransomware:

 

Locky ransomware notes

Locky searches for multiple file types and encrypts them:

 

.Asm,.c,.cpp,.h, .png, txt ,. cs ,. gif ,. jpg ,. rtf ,. xml ,. zip ,. asc ,. pdf ,. rar ,. bat ,. mpeg ,. qcow2 ,. vmdk .tar.bz2 ,. djvu ,. jpeg ,. tiff ,. class ,. java ,. SQLITEDB ,. SQLITE3 ,. lay6 ,. ms11 ,. sldm ,. sldx ,. psms ,. ppsx ,. ppam ,. docb ,. potx ,. potm ,. pptx ,. pptm ,. xltx ,. xltm ,. xlsx ,. xlsm ,. xlsb ,. dotm ,. dotx ,. docm ,. docx, wallet. dat, and so on.

 

Locky:

 

Call the VSSADMIN command to delete a copy.

0 × 03 basic Locky Structure

After accessing the hidden Tor website, you will see the following page:

 

Locky decryption page

If we continue to track the data, we can learn more about the number of users who use payment methods to restore their data:

 

Locky uses the traditional server infrastructure control and requests the/main. php file:

 

POST request

 

Locky tries to communicate with its control server

Locky also has the ability to control the server's domain generation algorithm (DGA. If we analyze the traffic, we can see some request DGA domains:

 

DNS requests to different control servers

Every day, Locky tries to connect to different DGA domains around the world

 

0 × 04 contact with Dridex

When we analyzed Locky activities, we found that they and Dridex seem to share some of the same infrastructure. You can read at McAfee Labs