Locky Adds New File Format and Attacks UK

Cyren caught a new Locky email spam campaign today which uses a new tactic, delivering the Locky downloader script component as an HTML application, specifically HTA files. The emails are disguised as voice message notifications sent by Peach Telecom, which suggests that the campaign is targeting users in the UK. 

HTA files are loaded by the system using the program MSHTA.exe, and are executed by instantiating the Internet Explorer rendering engine (MSHTML) along with the required script engines such as jscript.dll and vbscript.dll.

Opening the HTA file in a text editor shows use of the JScript language, which is used in most of the Locky campaigns. Cyren detects this downloader script variant as JS/Locky.AY.

Deobfuscating part of the code shows a decryption code structure similar to what we saw in the previous Locky samples we have analyzed.

Each sample has at least four URLs from which it tries to download, and as usual the downloader script decrypts before executing.

Similar to the variant we reported last week, the decrypted ransomware component is a DLL file and is loaded using rundll32.exe. We also observed that it no longer uses a code parameter along with the called export function.

CYREN detects the decrypted DLL as W32/Locky.IA.

And just like the previously reported variant, this ransomware component finds and encrypts files in the affected system, renaming the files and appending the string “.zepto” as the file extension.

Listed below are the files which are searched for and encrypted by this variant.

.n64 .ltx .gif .c .lay .xltx .pdf
.m4a .litesql .raw .php .ms11 (Security copy) .xltm .XLS
.m4u .litemod .cgm .ldf .ms11 .xlsx .PPT
.m3u .lbf .jpeg .mdf .sldm .xlsm .stw
.mid .iwi .jpg .ibd .sldx .xlsb .sxw
.wma .forge .tif .MYI .ppsm .slk .ott
.flv .das .tiff .MYD .ppsx .xlw .odt
.3g2 .d3dbsp .NEF .frm .ppam .xlt .DOC
.mkv .bsa .psd .odb .docb .xlm .pem
.3gp .bik .cmd .dbf .mml .xlc .p12
.mp4 .asset .bat .db .sxm .dif .csr
.mov .apk .sh .mdb .otg .stc .crt
.avi .gpg .class .sql .odg .sxc .key
.asf .aes .jar .SQLITEDB .uop .ots wallet.dat
.mpeg .ARC .java .SQLITE3 .potx .ods
.vob .PAQ .rb .011 .potm .hwp
.mpg .tar.bz2 .asp .010 .pptx .602
.wmv .tbk .cs .009 .pptm .dotm
.fla .bak .brd .008 .std .dotx
.swf .tar .sch .007 .sxd .docm
.wav .tgz .dch .006 .pot .docx
.mp3 .gz .dip .005 .pps .DOT
.qcow2 .7z .pl .004 .sti .3dm
.vdi .rar .vbs .003 .sxi .max
.vmdk .zip .vb .002 .otp .3ds
.vmx .djv .js .001 .odp .xml
.wallet .djvu .h .pst .wb2 .txt
.upk .svg .asm .onetoc2 .123 .CSV
.sav .bmp .pas .asc .wks .uot
.re4 .png .cpp .lay6 .wk1 .RTF

After encrypting the files, the desktop wallpaper is replaced with the ransom instructions and the ransom instructions page is loaded.

Clicking on the tor links redirects the users to the Locky decryptor page.

While reviewing the domains of the download URL’s, we found one particular domain, which was recently created and was registered using the email galicole@mail.com.

WhoIs Info

Domain Name: HOTCARSHHHS6632.COM 
Registry Domain ID: 2056315296_DOMAIN_COM-VRSN 
Registrar WHOIS Server: whois.publicdomainregistry.com 
Registrar URL: www.publicdomainregistry.com 
Updated Date: 2016-08-31T09:34:43Z 
Creation Date: 2016-08-31T09:34:42Z 
Registrar Registration Expiration Date: 2017-08-31T09:34:42Z 
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com 
Registrar IANA ID: 303 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited 
: 
: 
: 
Registrant Email: galicole@mail.com

This registrant email has a history of registering domains for the binary payload of Locky Ransomware in August:

rejoincomp2.in tryfriedpot.co.in

File Hashes

EML    1df85dba3870318dbecc9dc6cb7a3d49e61bf2a89eeb28b2e4c5dce824bd55e7 HTA    36a2055152cb61411d1275fc53cd659a72e66399f59a312013edcfa4cecd9bfd DLL    ed8965e9834248a177fd0062149410c63c612d68518aff31b35eb58a33b6ce59

URLs being used

hxxp://portadeenrolar.ind.br/jtfinwo?OIxbvVT=NWocFL hxxp://hotcarshhhs6632.com/js/76g78uf4sw?rQrPsyExOz=ethvMq hxxp://fingermousedesign.co.uk/ctkvyio?rQrPsyExOz=ethvMq hxxp://www.primaria-adamclisi.go.ro/ueeldwe?nPPrVCPinPp=zrdPHU hxxp://www.trade-centrum.eu/ibghgdp?scYkAI=uRPKpwONAus hxxp://209.41.183.242/adjxlax?scYkAI=uRPKpwONAus hxxp://wapnn.vov.ru/ummvyia?XCmHOiPueIj=TEqUHJAH hxxp://albertowe.cba.pl/rejsill?xDVbhWSzARn=QFdSrnvoQsS hxxp://hotcarshhhs6632.com/js/76g78uf4sw?XCmHOiPueIj=TEqUHJAH hxxp://www.association-julescatoire.fr/yjqhgff?XCmHOiPueIj=TEqUHJAH hxxp://www.alpstaxi.co.jp/therodk?IKmacGFG=ddrSDzk hxxp://yggithuq.utawebhost.at/opdcrhh?OIxbvVT=NWocFL hxxp://www.trauchgauer-weihnachtsmarkt.de/frcmmhv?IKmacGFG=ddrSDzk hxxp://www.dietmar-bernhard.de/rthvkws?nPPrVCPinPp=zrdPHU hxxp://www.ediazahar.com/mllpeqd?xDVbhWSzARn=QFdSrnvoQsS hxxp://pennylanecupcakes.com.au/lfigasv?UlXIkkwe=kIkGHdxeh hxxp://www.btb-bike.de/psoexes?UlXIkkwe=kIkGHdxeh hxxp://hotcarshhhs6632.com/js/76g78uf4sw?OIxbvVT=NWocFL hxxp://pennylanecupcakes.com.au/lfigasv?OIxbvVT=NWocFL hxxp://www.rioual.com/bddoxvg?UlXIkkwe=kIkGHdxeh hxxp://hotcarshhhs6632.com/js/76g78uf4sw?nPPrVCPinPp=zrdPHU hxxp://www.trauchgauer-weihnachtsmarkt.de/frcmmhv?XCmHOiPueIj=TEqUHJAH hxxp://hotcarshhhs6632.com/js/76g78uf4sw?xDVbhWSzARn=QFdSrnvoQsS hxxp://wapnn.vov.ru/ummvyia?IKmacGFG=ddrSDzk hxxp://www.trade-centrum.eu/ibghgdp?rQrPsyExOz=ethvMq hxxp://www.btb-bike.de/psoexes?xDVbhWSzARn=QFdSrnvoQsS hxxp://ajedrezimprov.50webs.com/yfotxbo?nPPrVCPinPp=zrdPHU hxxp://hotcarshhhs6632.com/js/76g78uf4sw?UlXIkkwe=kIkGHdxeh hxxp://www.primaria-adamclisi.go.ro/ueeldwe?scYkAI=uRPKpwONAus hxxp://portadeenrolar.ind.br/jtfinwo?rQrPsyExOz=ethvMq hxxp://hotcarshhhs6632.com/js/76g78uf4sw?scYkAI=uRPKpwONAus hxxp://hotcarshhhs6632.com/js/76g78uf4sw?IKmacGFG=ddrSDzk

To get further up to speed on Locky, download Cyren’s special threat report:

We also previously reported our detection of key changes in Locky’s methods on: