
New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

  • Posted on: August 14, 2016 at 5:30 pm
  • Posted in: Malware, Ransomware, Spam
  • Author: Trend Micro

Like a game of cat and mouse, the perpetrators behind the Locky ransomware have updated their arsenal yet again with a new tactic—using Windows Script Files (WSF) as the arrival method. A WSF file can combine multiple scripting languages within a single file. Using WSF makes the detection and analysis of ransomware challenging, since WSF files are not among the file types that traditional endpoint solutions typically monitor for malicious activity.

However, the use of WSF files is no longer a novel idea, since the same tactic was used in Cerber’s email campaign in May 2016. It would seem that the attackers behind Locky followed Cerber in using WSF files after seeing how successful the tactic was in bypassing security measures such as sandbox and blacklisting technologies.

Arrival method and social engineering lures

For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files. Given email subject lines such as “bank account record”, “annual report” and “company database”, we believe that the attackers are possibly targeting companies. We also noticed that most of these spammed emails were sent between 9 a.m. and 11 a.m. (UTC), a time when employees in European countries are starting their work day. In addition, our data showed a high volume of spam runs during the weekdays and a decreased volume during the weekends.

Figure 1. Sample of a spammed email message

Figure 2. Volume of spam emails with WSF attachments (July 13-Aug 3, 2016)

Figure 3. Number of spam emails sent per hour from July 25-29, 2016

Interestingly, we found a spam sample with the subject “Voicemail from Anonymous.” This could mean that cybercriminals are taking advantage of the popularity of Anonymous. On the other hand, “Anonymous” could also simply refer to an unknown person.

Figure 4. Spammed email with the subject “Voicemail from Anonymous”

The first wave of this spam campaign was seen on July 15—with each email originating from a different IP address. The countries that sent out the initial spam run were Serbia, Colombia, and Vietnam. Another wave of spam runs was then seen on July 18 and 19, with emails coming from countries such as Thailand and Brazil.

Why WSF?

The WSF files are employed as downloaders of the actual ransomware. This technique allows the threat to bypass security measures, including sandbox analysis, since a WSF file has no single static file type. In addition, using blended scripting languages can result in the samples being encoded, making them arduous to analyze.

As with VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the ransomware samples downloaded by these WSF files have different hashes, which makes detecting them via blacklisting difficult. The samples we analyzed carry the properties of a “Yahoo Widget” file in order to pass themselves off as legitimate.

Figure 5. This malware has properties posing as a Yahoo Widget.

Figure 6. The ransomware downloaded by WSF has different file names and hashes.

Probing deeper into the threat

Analysis of this ransomware shows that it uses a registry key to determine the system’s language before displaying the ransom notes. For example, if the default machine language is English, it shows ransom notes in English. This behavior of first determining the system’s language was also seen in JIGSAW and CRYPTLOCK, as well as in Police ransomware (REVETON).

Figure 7. This malware queries the machine language before displaying the ransom notes.

Figure 8. Ransom notes in English

Figure 9. Ransom notes in Brazilian Portuguese

For its command-and-control (C&C) communication, this threat uses the SSH protocol or OpenVPN to encrypt the network traffic. One of the C&C servers is hosted on the Deep Web and reached via the Tor site zjfq4lnfbs7pncr5[.]onion[.]to.
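A defender reading the paragraph above will want to know how the Tor-gateway indicator would surface in their own telemetry. The following added example (not part of Trend Micro's analysis or tooling) scans a handful of constructed proxy log lines, matches the defanged C&C indicator from this post after re-fanging it, and applies a simple heuristic, stated as an assumption in the code, that any hostname containing an `onion` label (a direct `.onion` hidden service, or a clearnet `*.onion.to`-style gateway in front of one) deserves review on a corporate network. The log format, source addresses and the other hostnames are made up for the example.

```python
import re
from typing import List, Optional, Set

# Indicator taken from the write-up above, kept in its defanged form.
PAGE_C2_INDICATORS = {"zjfq4lnfbs7pncr5[.]onion[.]to"}

# Constructed proxy log format for this example: "<timestamp> <client> <method> <host>[:port]".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>[^:\s/]+)(?::\d+)?")

# Constructed sample lines: one known C&C host, one direct .onion address, one unknown
# gateway-style host, and two benign hosts (one of which merely contains the substring "onion").
SAMPLE_PROXY_LOG = [
    "2016-07-25T09:12:33Z 10.0.0.5 CONNECT zjfq4lnfbs7pncr5.onion.to:443",
    "2016-07-25T09:12:40Z 10.0.0.5 GET www.example.com:80",
    "2016-07-25T09:15:02Z 10.0.0.9 CONNECT abcdefghijklmnop.onion:443",
    "2016-07-25T09:16:11Z 10.0.0.7 GET onionring.example.org:80",
    "2016-07-25T09:17:45Z 10.0.0.7 CONNECT someotherhost.onion.cab:443",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a hostname that can be compared to logs."""
    return indicator.replace("[.]", ".").lower()


def classify_host(host: str, indicators: Set[str]) -> Optional[str]:
    """Return a reason string if the host is a known C&C indicator or looks Tor-related, else None."""
    h = host.lower().rstrip(".")
    if h in indicators:
        return "known C&C indicator"
    labels = h.split(".")
    # Heuristic (assumption made for this example, not a claim from the post): a final
    # 'onion' label is a Tor hidden service; an 'onion' label anywhere before the public
    # suffix (e.g. host.onion.to) means a clearnet Tor2web-style gateway is being used.
    if labels[-1] == "onion":
        return "direct .onion hidden service"
    if "onion" in labels[:-1]:
        return "Tor2web-style gateway"
    return None


def scan_proxy_log(lines: List[str], indicators: Optional[Set[str]] = None) -> List[dict]:
    """Return one finding per log line whose destination host is an indicator or Tor-related."""
    iocs = {refang(i) for i in (indicators or PAGE_C2_INDICATORS)}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        reason = classify_host(m.group("host"), iocs)
        if reason:
            hits.append({"time": m.group("ts"), "src": m.group("src"),
                         "host": m.group("host"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['src']} -> {hit['host']}: {hit['reason']}")
```

The substring check is deliberately done on DNS labels rather than on the raw string, so a legitimate host such as `onionring.example.org` is not flagged; only exact indicator matches are reported as C&C, everything else is a hint for an analyst to review.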

Like other Locky variants, this one changes the file extension to .ZEPTO after the files are encrypted, using native APIs to rename them.

The developers of this new Locky variant appear to be based in Brazil, as we were able to spot this threat being sold in the Brazilian underground market. We also found someone (with the alias unknown_antisec) using Facebook to share this blog post (originally posted on the Trend Micro blog in Brazil) that discussed our findings about the Brazilian underground. That user also included a caption in Brazilian Portuguese that can be translated as “Sup dog, they’ve got you ransomware.” Brazilian cybercriminals typically use social media or the surface web to advertise their products and services.

A multilayered defense strategy

Locky ransomware continues to evolve—from using macros, JavaScript and VBScript to WSF. Because a WSF file can combine any scripting language by default, it can, for instance, embed JScript, which RAA previously used for obfuscation purposes.

Since WSF files can bypass traditional blacklisting and sandbox analysis, it is best to stop this new breed of Locky at the exposure layer. We are able to protect our customers at the gateway level by detecting Locky-related spam emails and stripping the emails of their WSF attachments, thus preventing the malicious file from executing. Our sandbox is also capable of preventing the malware from running on the system, since the new tactics associated with this ransomware have already been detected.
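The gateway-level control described above, stripping a message whose .ZIP attachment carries a WSF file, is illustrated by the following added example; it is not Trend Micro's product code and is written independently of it. It inspects an in-memory ZIP two ways: by member extension, and by content, recognising the `<job>` element wrapping several `<script language="...">` blocks that lets one WSF file blend VBScript and JScript as the “Why WSF?” section explains, so a WSF renamed to a harmless-looking extension is still caught. The sample archive, the extension policy list and all function names are constructed for this example, and the embedded script bodies only echo text.

```python
import io
import re
import zipfile
from typing import List

# Extensions the Windows Script Host runs directly. Hypothetical policy list for this
# example, not a vendor configuration; WSF is the one this campaign used.
SCRIPT_HOST_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe"}

# A WSF file is XML: a <job> element wrapping one or more <script language="..."> blocks,
# which is what lets a single file mix JScript and VBScript.
WSF_JOB_TAG = re.compile(rb"<job\b", re.I)
WSF_SCRIPT_TAG = re.compile(rb"<script\s+[^>]*language\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def wsf_languages(data: bytes) -> List[str]:
    """Return the distinct script languages declared in a WSF body, in order of appearance.
    An empty list means the content does not look like a WSF job at all."""
    if not WSF_JOB_TAG.search(data):
        return []
    seen: List[str] = []
    for m in WSF_SCRIPT_TAG.finditer(data):
        lang = m.group(1).decode("ascii", "replace").lower()
        if lang not in seen:
            seen.append(lang)
    return seen


def inspect_zip_attachment(zip_bytes: bytes) -> List[dict]:
    """Return one finding per archive member that should cause the attachment to be stripped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Read at most 1 MiB per member: enough to see the XML header and <script> tags
            # without decompressing an oversized member in full.
            data = zf.open(info).read(1024 * 1024)
            reasons = []
            if ext in SCRIPT_HOST_EXTENSIONS:
                reasons.append(f"script host extension {ext}")
            langs = wsf_languages(data)
            if langs:
                # Content check: catches a WSF that was renamed to an innocuous extension
                reasons.append("WSF content mixing " + "+".join(langs))
            if reasons:
                findings.append({"member": name, "reasons": reasons})
    return findings


def should_strip(zip_bytes: bytes) -> bool:
    """Gateway decision: strip the attachment if any member is a script-host file or WSF content."""
    return bool(inspect_zip_attachment(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample archive: a placeholder PDF, a WSF blending VBScript and JScript,
    and the same WSF content saved under a .txt name. The scripts only echo text."""
    wsf = (
        b'<?xml version="1.0"?>\n<job id="annual_report">\n'
        b'  <script language="VBScript">WScript.Echo "part 1"</script>\n'
        b'  <script language="JScript">WScript.Echo("part 2");</script>\n'
        b"</job>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("annual_report.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("annual_report.wsf", wsf)
        zf.writestr("notes.txt", wsf)  # same content, innocuous extension
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for f in inspect_zip_attachment(sample):
        print(f["member"], "->", "; ".join(f["reasons"]))
    print("strip attachment:", should_strip(sample))
```

Checking content as well as extension is the part that matters: the extension list is trivially evaded by renaming, whereas the `<job>`/`<script language=...>` structure is what the script host needs in order to run the blended file at all.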

Trend Micro offers solutions that protect users and organizations at every layer: at the gateway, endpoints, networks, and even servers.

PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection

    Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web.

      • Spear phishing protection
      • Malware Sandbox
      • IP/Web Reputation
      • Document exploit detection
  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

      • Ransomware Behavior Monitoring
      • Application Control
      • Vulnerability Shielding
      • Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

      • Network Traffic Scanning
      • Malware Sandbox
      • Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

      • Webserver Protection
      • Vulnerability Shielding
      • Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Small-Medium Businesses

    Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

      • Ransomware behavior monitoring
      • IP/Web Reputation
  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

      • IP/Web Reputation
      • Ransomware Protection

Related SHA1 hashes:

JS_LOCKY.DLDVEF

  • 0A17D419461F2A7A722F4E15C2760D182626E698
  • 0B4396BD30F65B74CE38F7F8F6B7BC1E451FBCCC
  • 0C82F9EBC4ACE5D6FD62C04972CF6A56AA022BFD
  • 21DCA77E6EF9E89C788EE0B592C22F5448DE2762
  • 288C7C4FA2FC2A36E532F938B1DC18E4918A0E36
  • 69DA16CB954E8E48CEA4B64A6BBC267ED01AB2B3
  • 6A9B6AE21C5F5E560591B73D0049F6CA2D720122
  • 752AB2146016BCAFBFE17F710D61D3AD3822F849
  • 8BDC38B005E09B34C1BCE94529158DE75408E905
  • B8B79E8BAF39E0E7616170216B25C1505974F42C
  • 5994eb7696e11818d01bc7447adcf9ec5c1c5f13
  • 936ac2f42a1a641d52ba8078c42f5879e2dd41a0
  • 0b7b2ba3c35e334bf5bc13929c77ecaf51758e2b
  • 3bc8656186ee93d25173ba0f3c07a9cced23e7cd
  • 08f1565514122c578da05cbf8b50ee9dcfa41af6
  • 4641fb72aaf1461401490eaf1916de4103bbece5
  • 3790c8bc8e691c79d80e458ba5e5c80b0b12a0c8
  • 91762a5406e5291837ed259cd840cf4d22a2ddfa
  • 005cc479faa2324625365bde7771096683312737
  • eb01089b3625d56d50e8768e94cfef1c84c25601

JS_LOCKY.DLDVEJ

  • 812FBF9E30A7B86C4A72CCA66E1D2FC57344BB09
  • AE78A7B67CB5D3C92406CFA9F5FB38ADC8015FDF
  • 0e76d8fd54289043012a917148dacda0730e4d88
  • c76222e1206bad8e9a4a6f4867b2e235638a4c4c

JS_LOCKY.DLDVEL

  • A2420F7806B3E00DB9608ABF80EE91A2447F68AD
  • A94CE98BCC9A130AA88E9655672497C701BDA4A5
  • fc591d83cdebe57b60588f59466ec3b12283cc2c
  • 719f0d406038b932805d338f929d12c899ec97e1

JS_LOCKY.DLDVEP

  • DA0FD77C60A2C9A53985A096BDAE1BEF89034A01
  • 56dd1d2b944dae25e87a2f9b7d6c653b2ece4486

RANSOM_LOCKY.DLDVEO

  • 180BDD12C3EE6D8F0A2D47DDAAD5A2DAA513883E
  • 2C62F7B01DD423CEF488100F7C0CA440194657D9
  • 6DECCBB36F4E83834985FE49FC235683CF90F054
  • E2D94F69134D97C71F2B70FC0A3558B30637E46D
  • E3E49BF06CD03FB0EA687507931927E32E0A5A1C

RANSOM_LOCKY.DLDVEF

  • 22DE960D38310643C3E68C2BA8EC68D855B43EBD

RANSOM_LOCKY.DLDVEL

  • 5A044104A6EED7E343814B3E0FC2DB535C515EA2
  • 9BA7499C98E2B52303912352E1ACA694552E0E86
  • 9F48FA841FC8B0E945C43DB5B18B37BDF2DA8F5B

RANSOM_HPLOCKY.SM2

  • 3329FB8FD5E664CCDE59E12E608E0BCE3EF95225
  • 5BE1DE4A018B746953381EA400278D25E7C3D024
  • B2D1E7860F617014E0546B9D48450F221FE118EC
  • BB8ABA09BC9B97C7358B62F2FF016D05955A5967

RANSOM_HPLOCKY.SM3

  • 1A46C45A443B1C10EAA9AA317CD343B83160828F
  • A2899353B237E08A7570C674D05D326D43173231
  • D8FF29CFF5341B361CA3CEE67EABBD22698DAA2B

RANSOM_LOCKY.F116GT

  • 565951232E4A1D491D932C916BC534E8FB02B29B

RANSOM_LOCKY.F116GS

  • E362B04FE7F26663D7D43DD829D3C4310B2FC699

RANSOM_LOCKY.SMA6

  • 6014A6AFDF09EDEB927A9A6A4E0DF591D72B1899
  • DCDB228D515F08673542B89ABB86F36B3B134D72

Additional insights and data by Franklynn Uy and Jon Oliver

Tags: Brazilian underground market, crypto-ransomware, Locky Ransomware