ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI)
FireEye analysts determined the increase was the result of a new Locky
ransomware spam campaign.
As shown in Figure 1, Locky spam activity was uninterrupted until
June 1, 2016, when it stopped for nearly three weeks. During this
period, Locky was the most dominant ransomware distributed in spam
email. Now, Locky distribution has returned to the level seen during
the first half of 2016.
Figure 1. Locky spam activity in 2016
Figure 2 shows that the majority of Locky spam email detections
between June 21 and June 23 of this year were recorded in Japan, the
United States and South Korea.
Figure 2. Locky spam by country from June 21 to
June 23 of this year
The spam email – a sample shown is shown in Figure 3 – purports to
contain an unpaid invoice in an attached ZIP archive. Instead of an
Figure 3. Locky spam email
downloader and the Locky payload.
- Iterates over an array of URLs hosting the Locky payload.
for 1,000 ms before continuing to iterate over the array of
- Uses a custom XOR-based decryption routine to decrypt
the Locky payload.
- Ensures the decrypted binary is of a
predefined size. In Figure 4 below, the size of the decrypted binary
had to be greater than 143,360 bytes and smaller than 153,660 bytes
to be executed.
5. Checks (Figure 5) that the first two bytes of the binary
contain the “MZ” header signature.
Figure 5: MZ header check
6. Executes the decrypted payload by passing it the command line
Locky Payload Updates
The Locky ransomware downloaded in this campaign requires a command
line argument to properly execute. This command line parameter, “123”
in the analyzed sample, is passed to the binary by the first stage
in the code unpacking stage of the ransomware. Legitimate binaries
typically verify the number of arguments passed or compare the command
line parameter with the expected value and gracefully exit if the
check fails. However in the case of this Locky ransomware, the program
does not exit (Figure 6) and the value received as a command line
parameter is added to a constant value defined in the binary. The sum
of the constant and the parameter value is used in the decryption
routine (Figure 7). If no command line parameter is passed, it adds
zero to the constant.
Figure 6. Command line parameter check
Figure 7. Decryption routine
If no command line parameter is passed, then the constant for the
decryption routine is incorrect. This results in program crash as the
decrypted code is invalid. In Figure 8 and Figure 9, we can see the
decrypted code sections with and without the command line parameter, respectively.
Figure 8. Correct decrypted code
Figure 9. Incorrect decrypted code
By using this technique, Locky authors have created a dependency on
the first stage downloader for the second stage to be executed
properly. If a second stage payload such as this is directly analyzed,
it will result in a crash.
As of today, the Locky spam campaign is still ongoing, with an added
anti-analysis / sandbox evasion technique. We expect to see additional
Locky spam campaigns and will remain vigilant in order to protect our customers.
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.