
Locky Ransomware Now Downloaded as Encrypted DLLs

  • Posted on: August 29, 2016 at 4:56 am
  • Posted in: Malware, Ransomware
  • Author: Brooks Li (Threats Analyst)

Additional analysis and information by Jaaziel Carlos.

The Locky ransomware family has emerged as one of the most prominent ransomware families to date, being sold in the Brazilian underground and spreading via various exploits. Over time, Locky has become known for using a wide variety of tactics to spread, including macros, VBScript, WSF files, and now, DLLs.

Recently we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign.

Figure 1. Locky ransomware spam

The .js files contained inside the .ZIP attachments are heavily obfuscated, which is again the norm:

Figure 2. Locky JavaScript code

After de-obfuscation, we can see that the code does several things:

  1. It contains a hardcoded list of malicious URLs, all of which host the encrypted Locky ransomware. The JavaScript randomly selects one URL to download from; if the download fails, it tries another one.
  2. It saves the downloaded file content to %temp%.
  3. It decrypts the downloaded file by XORing it with the output of a pseudo-random number generator (PRNG) and saves the decrypted result as xxxx.dll.
  4. It uses rundll32.exe to run the malicious DLL, which results in the ransom note being displayed and the user’s files being encrypted.

In effect, the attacker built his own stream cipher, with a PRNG serving as the source of the pseudorandom key stream. Every PRNG relies on an initial value (the seed) to set the generator’s initial state. In a proper cryptographic implementation, so long as this value is non-constant and the PRNG is well designed, the key stream will be sufficiently “random”.

However, if the same seed is used, the same key stream will be generated. The seed serves as a form of encryption key, the values of which are hardcoded in the JavaScript code in this implementation.

Figure 3. XOR and PRNG decryption code

Creating a PRNG is a sufficiently difficult task, which is why the attacker chose to “borrow” one instead. He took the reference implementation of the Ultra-High Entropy PRNG (UHE PRNG), made some small modifications to the code, and used it in his .js file. The code used appears to be an almost direct copy of parts of the Windows scripting implementation of the UHE PRNG code.
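The following is an added example, not code from the Locky sample or from Trend Micro, that models the scheme described above: a downloaded blob is XORed with the key stream of a seeded PRNG whose seed is hardcoded in the downloader. It uses a simple xorshift32 generator as a stand-in (it is not the UHE PRNG the sample borrowed), a constructed stand-in for the DLL, and a constructed seed value; the point it makes is independent of the generator. It shows why the on-disk blob does not look like a PE file to a static check until it is decrypted, and that an analyst who recovers the seed from the script can reproduce the exact key stream and extract the DLL for scanning.

```python
"""Model of the 'XOR with seeded PRNG' download scheme (added example).

Stand-in generator: xorshift32 (NOT the modified UHE PRNG in the sample).
Stand-in payload:   a minimal fake PE header (constructed, not a real DLL).
Stand-in seed:      HARDCODED_SEED (constructed value).
"""
import struct


def keystream(seed: int, length: int) -> bytes:
    """Return `length` bytes of key stream from a 32-bit xorshift generator.

    The generator is fully determined by `seed`: the same seed always
    yields the same bytes, which is the property the downloader relies on.
    """
    state = seed & 0xFFFFFFFF
    if state == 0:
        raise ValueError("xorshift32 state must be non-zero")
    out = bytearray()
    while len(out) < length:
        state ^= (state << 13) & 0xFFFFFFFF
        state ^= state >> 17
        state ^= (state << 5) & 0xFFFFFFFF
        out += struct.pack("<I", state)  # little-endian 32-bit word
    return bytes(out[:length])


def xor_stream(data: bytes, seed: int) -> bytes:
    """XOR `data` with the key stream; encryption and decryption are identical."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' magic and e_lfanew pointing at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for the DLL: DOS header with e_lfanew = 0x40, then a
# PE signature and filler. Not a loadable module, just enough to be detected.
FAKE_DLL = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    + b"PE\0\0" + b"\x00" * 20 + b"<stand-in payload bytes>"
)

# Constructed seed standing in for the value hardcoded in the downloader.
HARDCODED_SEED = 0x5EED1234

# What the downloader would fetch from one of its URLs: the blob as hosted.
ENCRYPTED_BLOB = xor_stream(FAKE_DLL, HARDCODED_SEED)


def recover_dll(blob: bytes, seed: int) -> bytes:
    """Analyst-side recovery: rerun the key stream with the seed taken from the script."""
    return xor_stream(blob, seed)


if __name__ == "__main__":
    print("hosted blob looks like PE:", looks_like_pe(ENCRYPTED_BLOB))
    recovered = recover_dll(ENCRYPTED_BLOB, HARDCODED_SEED)
    print("recovered blob looks like PE:", looks_like_pe(recovered))
    print("wrong seed recovers PE:", looks_like_pe(recover_dll(ENCRYPTED_BLOB, HARDCODED_SEED + 1)))
```

Because the seed is a constant inside the script, anyone holding the downloader holds the key; the scheme hides the payload from a scanner that only sees the hosted blob, not from an analyst who has the script. Replacing `keystream` with a port of the generator actually used by a given sample turns `recover_dll` into a practical extraction helper.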

Figure 4. UHE PRNG function

Figure 5. Rundll32.exe running the Locky DLL, with parameters

The behavior of the actual ransomware is essentially unchanged from previous Locky variants.


Figure 6. Locky ransom note

Using a DLL file in this way represents an attempt to try and evade behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new.

The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no malicious file is ever decrypted on disk (and so, in theory, none is detected).
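The behavior chain described in this post (a script host dropping a DLL into %temp% and launching it through rundll32.exe) still leaves a process-creation trail even though no new malicious executable is started. The following is an added example, not Trend Micro's detection logic, of a simple rule over process-creation events that flags rundll32.exe when its parent is a Windows script host or when it is handed a DLL under a Temp directory. The event lines are constructed for the example and use Sysmon-style field names (ParentImage, Image, CommandLine) in a simplified key=value layout; the DLL name and export in the first line are placeholders, not values from the sample.

```python
"""Flag rundll32.exe launches consistent with a script-dropped DLL (added example)."""
import re
from typing import Dict, List

# Script hosts a mail-borne .js/.wsf attachment runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# key=value pairs; values may be quoted (to allow spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed events (not real telemetry). Only the first should fire.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\System32\\wscript.exe '
    'Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\xxxx.dll,PlaceholderExport 123"',
    'ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    'ParentImage=C:\\Windows\\System32\\wscript.exe '
    'Image=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd /c echo hello"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_rundll32(ev: Dict[str, str]) -> bool:
    """rundll32.exe spawned by a script host, or loading a DLL from a Temp path."""
    if basename(ev.get("Image", "")) != "rundll32.exe":
        return False
    from_script_host = basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS
    cmd = ev.get("CommandLine", "").lower()
    dll_from_temp = "\\temp\\" in cmd and ".dll" in cmd
    return from_script_host or dll_from_temp


def find_suspicious(lines: List[str]) -> List[int]:
    """Return indices of events the rule flags."""
    return [i for i, line in enumerate(lines) if is_suspicious_rundll32(parse_event(line))]


if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", SAMPLE_EVENTS[i])
```

Either condition alone is noisy in some environments (installers also call rundll32.exe with DLLs in Temp), so the two signals are combined with the parent-process check rather than relying on the command line alone; tune the path patterns and parent list to what is normal on the hosts being monitored.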

Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery™ Email Inspector, can be used to detect this threat by its behavior without any engine or pattern updates.

Trend Micro offers solutions that protect users and organizations at every layer: the gateway, endpoints, the network, and even servers.


PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection

    Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.

    Spear phishing protection
    Malware Sandbox
    IP/Web Reputation
    Document exploit detection
  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Small-Medium Businesses

    Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

    Ransomware behavior monitoring
    IP/Web Reputation
  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

The SHA256 hashes of files related to this threat are:

  • ff3e29a31f05016dedcd61a7aac588757c8364f04fa85b7a86196c9805cd811c
  • f7d0ccb86876cd4852fa376d69e6a0073a2c5cefaa3bfc012a9b8fe371d8cdb6

The malicious URLs related to this attack are:

  • hxxp://bck.srtec.net/73bh7
  • hxxp://clickme22.wang/25r15h6p
  • hxxp://delaemvkusnoe.ru/bhszq
  • hxxp://direttaauto.com/tyknnq
  • hxxp://escapegasmech.com/2zpr9p
  • hxxp://harrypotternotawizard.ws/3jjhbrba
  • hxxp://hdjung.homepage.t-online.de/tzpwhw9s
  • hxxp://it4cio.servicos.ws/pvgbi
  • hxxp://lkfashions.com/aeeyqj8
  • hxxp://muscleinjuries.com/ehqo79
  • hxxp://policyforlife.com/efb45
  • hxxp://popcom.be/~mbs/o95r3
  • hxxp://vittuperkele.com/a1wi4m3
  • hxxp://vittuperkele.top/a6dg9qy
  • hxxp://www.compland.ee/x5ewa6u
  • hxxp://www.fulvio77.it/sx6wn
  • hxxp://www.sjones.talktalk.net/zz5sjc3
  • hxxp://www.stucchifedele.com/o0eswfu

Tags: Locky, PRNG, ransomware, UHE PRNG
