Analysis of Locky, a new ransomware spread by email
Locky is a new family of ransomware spread through spam, with features similar to the Dridex Trojan.
Locky can bypass anti-spam filters (among other things) and uses social engineering to trick users into opening Microsoft Office attachments to emails. Once running, Locky uses the RSA-2048 and AES-1024 encryption algorithms to encrypt a large number of files and then demands that the victim pay a ransom to recover their own files.
Locky ransomware delivered through spam
We use oledump to extract the macros:
A: word/vbaProject.bin
A1: 533 'project'
A2: 95 'projectwm'
A3: 97 'userform1/\x01CompObj'
A4: 290 'userform1/\x03VBFrame'
A5: 131 'userform1/F'
A6: 180 'userform1/o'
A7: M 34196 'vba/lele1'
A8: M 1537 'vba/thisdocument'
A9: m 1336 'vba/UserForm1'
A10: 6917 'vba/_VBA_PROJECT'
A11: 1391 'vba/_SRP_0'
A12: 110 'vba/_SRP_1'
A13: 292 'vba/_SRP_2'
A14: 103 'vba/_SRP_3'
A15: 790 'vba/dir'
The .doc file contains embedded macros that download Locky and infect the host. In this example, the download URL is:
hxxp://olvikt.freedomain.thehost.com[.]ua/admin/js/7623dh3f.exe
0x01 Malware details
The malware also includes anti-analysis and anti-sandbox protection measures:
Antidebug Function
To fingerprint the system environment and evade automated analysis systems, the malware author calls several API functions:
Locky calls API functions
0x02 Malware behavior
Locky creates a copy of itself in the following directory:
C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp
During infection, Locky creates several registry values:
Registry Value
HKCU\Software\Locky\id: A unique ID assigned to the victim.
HKCU\Software\Locky\pubkey: RSA public key.
HKCU\Software\Locky\paytext: Ransom note text.
HKCU\Software\Locky\completed: Ransom note text.
HKCU\Control Panel\Desktop\Wallpaper
("%UserProfile%\Desktop\_Locky_recover_instructions.bmp"): Changes the desktop wallpaper to display the ransom demand:
Locky Wallpaper
Like other ransomware, Locky drops ransom notes on the host that list several Tor domain names. Because many users are not familiar with Tor, Locky also points to services such as tor2web to help victims reach the hidden server more easily.
In the infected environment, we found the ransomware's TXT note:
Locky ransomware notes
Locky searches for files of many types and encrypts them:
.asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .psms, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, and so on.
Locky also calls the VSSADMIN command to delete volume shadow copies.
0x03 Basic Locky infrastructure
After visiting the hidden Tor site, you see the following page:
Locky decryption page
By continuing to track the data, we can learn more about how many users pay to restore their data:
Locky uses a traditional command-and-control server infrastructure and requests the /main.php file:
POST request
Locky tries to communicate with its control server
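The host and network indicators described above (the %Temp% copy, the HKCU\Software\Locky values, the wallpaper change, the VSSADMIN call and the POST to /main.php) can be turned into simple detection rules. The following is an added example, not code from the original analysis; the log layout and the sample event lines are constructed, and the exact vssadmin arguments in the sample are an assumption.

```python
import re

# Rules derived from the Locky behaviour described in this article.
LOCKY_RULES = [
    ("locky_registry_value",
     re.compile(r"HKCU\\Software\\Locky\\(id|pubkey|paytext|completed)", re.I)),
    ("ransom_wallpaper",
     re.compile(r"Control Panel\\Desktop\\Wallpaper.*_Locky_recover_instructions\.bmp", re.I)),
    ("temp_copy",
     re.compile(r"\\AppData\\Local\\Temp\\sys[0-9A-F]{4}\.tmp", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("c2_main_php_post",
     re.compile(r"\bPOST\b.*/main\.php", re.I)),
]

def classify_event(line):
    """Return the names of every rule that matches a single event line."""
    return [name for name, rx in LOCKY_RULES if rx.search(line)]

def scan_events(lines):
    """Map each triggered rule name to the event lines that matched it."""
    hits = {}
    for line in lines:
        for name in classify_event(line):
            hits.setdefault(name, []).append(line)
    return hits

# Constructed sample telemetry (assumed Sysmon-style "EventType | fields" layout).
SAMPLE_EVENTS = [
    "RegistryEvent | SetValue | TargetObject: HKCU\\Software\\Locky\\id | Details: 1A2B3C4D",
    "RegistryEvent | SetValue | TargetObject: HKCU\\Software\\Locky\\pubkey | Details: Binary",
    "RegistryEvent | SetValue | TargetObject: HKCU\\Control Panel\\Desktop\\Wallpaper"
    " | Details: C:\\Users\\Admin\\Desktop\\_Locky_recover_instructions.bmp",
    "FileCreate | TargetFilename: C:\\Users\\Admin\\AppData\\Local\\Temp\\sysC4E6.tmp",
    "ProcessCreate | CommandLine: vssadmin.exe Delete Shadows /All /Quiet",  # assumed arguments
    "NetworkConnect | http | POST /main.php | Host: 192.0.2.10",
    "ProcessCreate | CommandLine: notepad.exe C:\\Users\\Admin\\notes.txt",  # benign control
]

if __name__ == "__main__":
    for rule, events in scan_events(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(events)} event(s)")
```

Correlating two or more of these rules on one host within a short window is a stronger signal than any single hit, since a wallpaper change or a vssadmin call can also occur legitimately.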
Locky also uses a domain generation algorithm (DGA) for its control servers. If we analyze the traffic, we can see requests for DGA domains:
DNS requests to different control servers
Every day, Locky tries to connect to different DGA domains around the world.
0x04 Connection with Dridex
When we analyzed Locky activity, we found that it and Dridex appear to share some of the same infrastructure. You can read more at McAfee Labs