Locky is a new ransomware threat being spread via spam campaigns. This new malware has capabilities similar to those of Dridex.
Locky arrives in a Microsoft Office email attachment that evades antispam filters (among other things) and attempts to trick users via social engineering into opening the attachment. Once running, Locky encrypts numerous files using RSA-2048 and AES-1024 encryption, and then demands that its victims pay a ransom to restore their files.
Spam email delivering Locky ransomware.
We used oledump to extract the macro:
A: word/vbaProject.bin
 A1:       533 'PROJECT'
 A2:        95 'PROJECTwm'
 A3:        97 'UserForm1/\x01CompObj'
 A4:       290 'UserForm1/\x03VBFrame'
 A5:       131 'UserForm1/f'
 A6:       180 'UserForm1/o'
 A7: M   34196 'VBA/Module1'
 A8: M    1537 'VBA/ThisDocument'
 A9: m    1336 'VBA/UserForm1'
 A10:      6917 'VBA/_VBA_PROJECT'
 A11:      1391 'VBA/__SRP_0'
 A12:       110 'VBA/__SRP_1'
 A13:       292 'VBA/__SRP_2'
 A14:       103 'VBA/__SRP_3'
 A15:       790 'VBA/dir'
The .doc file contains some embedded macros to download Locky and infect the machine. In this case, the URL was:
- hxxp://olvikt.freedomain.thehost.com[.]ua/admin/js/7623dh3f.exe
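A small triage helper for the listing above, added here as an example and not part of the McAfee post or of oledump itself: it parses an oledump.py stream summary and reports which streams carry VBA macro code (oledump marks a stream with "M" when it holds a macro with code and with "m" when the module has only attribute lines). The listing embedded below is an abridged copy of the one shown above.

```python
import re

# Added example (not from the McAfee post): parse an oledump.py stream listing and
# report the streams that carry VBA macro code. "M" = macro with code, "m" = module
# with attribute lines only. The listing is abridged from the one shown in the post.
OLEDUMP_LISTING = """\
A: word/vbaProject.bin
 A1:       533 'PROJECT'
 A7: M   34196 'VBA/Module1'
 A8: M    1537 'VBA/ThisDocument'
 A9: m    1336 'VBA/UserForm1'
 A10:      6917 'VBA/_VBA_PROJECT'
"""

# One stream line: index, optional M/m flag, size in bytes, single-quoted stream name.
STREAM_RE = re.compile(r"^\s*(A\d+):\s+([Mm])?\s*(\d+)\s+'(.*)'\s*$")

def parse_streams(listing):
    """Return (index, flag, size, name) for every stream line in the listing."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line)
        if m:
            idx, flag, size, name = m.groups()
            streams.append((idx, flag or "", int(size), name))
    return streams

def macro_streams(listing, with_code_only=True):
    """Streams that hold VBA macros; by default only those with executable code ('M')."""
    wanted = {"M"} if with_code_only else {"M", "m"}
    return [s for s in parse_streams(listing) if s[1] in wanted]

def triage(listing):
    """Summarise the document: does it contain macro code, and which macro stream is largest?"""
    macros = macro_streams(listing)
    if not macros:
        return {"has_macro_code": False, "largest": None, "streams": []}
    largest = max(macros, key=lambda s: s[2])
    return {"has_macro_code": True, "largest": largest[3], "streams": [s[0] for s in macros]}

if __name__ == "__main__":
    print(triage(OLEDUMP_LISTING))
```

The largest "M" stream (here VBA/Module1 at 34196 bytes) is the one to dump and deobfuscate first.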
Malware details
The malware has some protections against researchers and sandbox systems:
Antidebug functions.
To fingerprint the environment, the author implemented some API calls to evade automatic systems:
API calls requested by Locky.
Malware behavior
Locky creates a copy of itself in the following directory:
- C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp
During the infection, Locky creates some registry keys:
Registry keys.
- HKCU\Software\Locky\id: A unique ID assigned to the victim.
- HKCU\Software\Locky\pubkey: RSA public key.
- HKCU\Software\Locky\paytext: Ransom note text.
- HKCU\Software\Locky\completed: Ransom note text.
- HKCU\Control Panel\Desktop\Wallpaper ("%UserProfile%\Desktop\_Locky_recover_instructions.bmp"): Changing the wallpaper to show the ransom demand.
Locky wallpaper.
In a way similar to other ransomware families, Locky hosts additional ransom notes on various Tor domains. Because many users are unfamiliar with Tor, Locky helps its victims by providing instructions on how to use services such as tor2web, which makes it easier to access the hidden service.
On the infected machine we also find a .txt file with the ransom note:
Locky ransom note.
Locky searches for many file types to encrypt:
.asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc.
Locky also eliminates any shadow copies:
Vssadmin command to delete shadow copies.
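Two host-side checks for the behaviour described in the registry-key and shadow-copy sections above, added here as an example (not code from the McAfee post): one flags vssadmin shadow-copy deletions in process-creation events, the other looks for the Locky value names and the ransom-note wallpaper in a registry export. The pipe-separated event format and the .reg-style export are constructed for this example; the victim ID, key blob and note text are placeholders.

```python
import re
# Added example (not from the McAfee post): host-side checks for the Locky behaviour above,
# run over constructed input. The pipe-separated event format and the .reg export are assumptions.
PROCESS_EVENTS = r"""
C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k netsvcs
C:\Windows\System32\vssadmin.exe|C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp|vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin.exe list shadows
"""  # constructed: image|parent image|command line
# Flag the shadow-copy deletion the post describes (any case or switch order), not read-only "list shadows".
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)

def shadow_copy_deletions(events):
    """Return (parent image, command line) for every vssadmin shadow-copy deletion."""
    hits = []
    for line in events.strip().splitlines():
        _image, parent, cmdline = line.split("|", 2)
        if VSS_DELETE_RE.search(cmdline):
            hits.append((parent, cmdline))
    return hits

REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Locky]
"id"="PLACEHOLDER_VICTIM_ID"
"pubkey"=hex:00,11,22,33
"paytext"="PLACEHOLDER_RANSOM_NOTE"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Users\\Admin\\Desktop\\_Locky_recover_instructions.bmp"
"""  # constructed .reg-style export of the keys listed in the post; data values are placeholders
LOCKY_VALUES = {"id", "pubkey", "paytext", "completed"}

def parse_reg_export(reg_text):
    """Map each [key path] to a dict of value name -> raw data string."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def locky_registry_indicators(reg_text):
    """Report which values exist under the Locky key and whether the wallpaper is the ransom note."""
    keys = parse_reg_export(reg_text)
    locky = keys.get(r"HKEY_CURRENT_USER\Software\Locky", {})
    wallpaper = keys.get(r"HKEY_CURRENT_USER\Control Panel\Desktop", {}).get("Wallpaper", "")
    return {"locky_values": sorted(set(locky) & LOCKY_VALUES),
            "ransom_wallpaper": "_Locky_recover_instructions" in wallpaper}
```

The parent image of the vssadmin process is the most useful field in a hit: here it is the %Temp% copy Locky made of itself, which a legitimate administrative deletion would never show.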
Locky infrastructure
After accessing the hidden Tor site, users see the following page:
Locky decryption page.
If we track the wallet, we get an insight into how many users have paid to recover their data:
Locky uses traditional control server infrastructure and requests a /main.php file:
POST requests.
Locky trying to communicate with its control server.
Locky also has domain generation algorithm (DGA) capabilities for its control server infrastructure. If we analyze the traffic, we can see requests to several DGA domains:
DNS requests to different control servers.
Every day, Locky tries to connect to different DGA domains around the world:
Locations of Locky DGA domains.
Connection with Dridex
During our analysis of some Locky campaigns, we noticed that they appear to share the same infrastructure as Dridex.
You can read more about Locky in this McAfee Labs Threat Advisory.
Indicators of compromise
A partial list of Locky hashes detected by McAfee Labs:
The post Locky Ransomware Arrives via Email Attachment appeared first on McAfee.