After two weeks of silence, Locky ransomware is back with a new infection campaign aimed at unprotected computers. The campaign was first observed on Tuesday, the same day the Necurs botnet resumed activity.
Necurs went down on June 1. A week later, Anubis Networks researchers, who had been monitoring the botnet for almost a year, reported that it comprised approximately 1.1 million hosts. They had been unable to estimate its size until it went offline, and even that figure may be low: according to MalwareTech, Necurs controls around 1.7 million computers split across seven distinct botnets.
Given that size, it is no surprise that the botnet was able to power some of the largest Locky and Dridex campaigns ever seen, with hundreds of millions of messages sent to potential victims.
Security researchers already knew of the connection between Necurs, Dridex and Locky, but it was not until the outage that the botnet's critical role in distributing the two pieces of malware became clear.
What has not been explained is why Necurs suffered a sudden outage at all, and why the downtime affected all seven botnets. Necurs is a hybrid peer-to-peer (P2P) botnet that also uses a domain generation algorithm (DGA), so that bots can locate a new command and control (C&C) server when the current one goes offline; an architecture of that kind is built precisely to survive the loss of individual servers.
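To make the DGA fallback concrete, here is an added illustration in JavaScript. It is not the Necurs algorithm (whose details are not on this page) and not the botnet's own code: a date-seeded domain generator, the fallback loop a bot runs when its current C&C stops answering, and the defender-side precomputation that recovering such an algorithm makes possible. The seed value, the TLD list and the `isReachable` callback are constructed for the example; nothing here touches the network.

```javascript
// Added illustration (not the Necurs DGA, whose details are not on this page):
// a date-seeded domain generation algorithm, the fallback loop a bot runs when
// its current C&C stops answering, and the defender-side precomputation that the
// same algorithm makes possible. Seed value, TLD list and the `isReachable`
// callback are constructed for the example; nothing here touches the network.

const TLDS = ['.com', '.net', '.biz', '.info'];          // hypothetical TLD set

// 32-bit linear congruential generator; deterministic, so bot and analyst agree.
function lcg(state) {
  return (Math.imul(state, 1664525) + 1013904223) >>> 0;
}

// Candidate domains for one UTC day. Same (date, seed) always yields the same list.
function dgaDomains(date, seed, count = 8) {
  const day = date.getUTCFullYear() * 372 + date.getUTCMonth() * 31 + date.getUTCDate();
  let s = (day ^ seed) >>> 0;
  const domains = [];
  for (let n = 0; n < count; n++) {
    s = lcg(s);
    const len = 8 + (s % 6);                              // 8..13 letters
    let name = '';
    for (let i = 0; i < len; i++) {
      s = lcg(s);
      name += String.fromCharCode(97 + ((s >>> 16) % 26)); // a-z from the high bits
    }
    domains.push(name + TLDS[(s >>> 8) % TLDS.length]);
  }
  return domains;
}

// Bot side: keep using the pinned C&C while it answers, otherwise walk today's
// DGA list in order. `isReachable(domain)` stands in for a real connection attempt.
function locateC2(pinned, date, seed, isReachable) {
  if (isReachable(pinned)) return pinned;
  for (const candidate of dgaDomains(date, seed)) {
    if (isReachable(candidate)) return candidate;
  }
  return null;                                            // every fallback failed
}

// Defender side: with the algorithm and seed in hand, generate several days of
// candidates ahead of time for a blocklist or sinkhole registration.
function precomputeDomains(startDate, days, seed) {
  const all = new Set();
  for (let k = 0; k < days; k++) {
    const d = new Date(Date.UTC(startDate.getUTCFullYear(), startDate.getUTCMonth(),
                                startDate.getUTCDate() + k));
    for (const dom of dgaDomains(d, seed)) all.add(dom);
  }
  return all;
}

// Demo: the pinned C&C is "down", the second DGA candidate is "up".
const SEED = 0x1234;                                      // constructed seed
const today = new Date(Date.UTC(2016, 5, 21));            // 21 June 2016
const live = new Set([dgaDomains(today, SEED)[1]]);
console.log('fallback C&C:', locateC2('c2.example.invalid', today, SEED, d => live.has(d)));
console.log('7-day blocklist size:', precomputeDomains(today, 7, SEED).size);
```

The point for a defender is the symmetry: because the generator is deterministic, anyone who recovers the algorithm and seed from a sample can produce the same candidate list the bots will try, and register or block those names before the operators do. It also explains the puzzle in the text: a botnet built this way should not go dark simply because one C&C is lost.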
Some experts have suggested that the recent arrests of some 50 people in Russia in connection with the Lurk banking Trojan may also have affected the Necurs operators, though nothing has been confirmed.
Still, MalwareTech finds one detail interesting: Lurk was used in attacks against Russian banks, whereas Necurs avoids infecting computers that have a Russian language pack installed. According to its distribution map, all 1.7 million Necurs bots are located outside Russia.
What is certain is that Necurs is back and the first new Locky distribution campaign is already underway. In the days after the botnet went down, the Locky and Dridex operators tried to resume distribution through other channels, but at a much lower volume. The fact that Necurs and Locky resumed activity at the same time makes it even clearer that the two are tightly linked.
When the Necurs C&Cs came back online, the first spam emails carried an old Locky sample. MalwareTech believes this is because the C&Cs are merely proxies for a hidden backend server, and the botnet simply resumed a spam run that had been left unfinished when the outage struck.
Since June 19, the C&C servers have been reliably online, suggesting that the Necurs operators are once again in full control of their botnet.
Proofpoint researchers also observed the latest multi-million-message Locky email campaign and likewise tie it to the Necurs revival. They add that the Locky sample delivered in the new campaign packs a series of anti-sandboxing and evasion techniques that were first introduced just before the outage.
According to Proofpoint, Locky can now detect virtual environments by comparing the number of CPU cycles certain Windows APIs take to execute, the premise being that such calls take markedly longer under virtualization or instrumentation. The researchers also observed that the ransomware is launched from JavaScript with a command-line argument that feeds into its runtime obfuscation, meaning the sample may not unpack correctly if the extracted executable is run on its own without that argument. Finally, the malware uses a form of cross-module execution to make manual analysis of memory dumps harder.
Although the new Locky run involved millions of spam messages, it was only about 10% the size of the campaigns seen before the Necurs outage. It was still the largest campaign of the past three weeks, and researchers expect larger runs soon, some of which they say will certainly involve Dridex. According to the same researchers, a second Locky distribution campaign has now been running for two days.
Other researchers noted that a new Locky spam campaign was underway at the start of the week and that the attackers were using JavaScript downloaders to deliver the payload. According to one of them, the campaign stood out because the attackers used several layers of obfuscation to get the malicious script past detection systems.
The criminals went to great lengths to make the code unreadable, even hiding calls to various objects by referring to them through string values assigned to variables rather than by name. The obfuscation layers include a character substitution cipher, character removal, XORing and reversing the file, techniques that, according to the researcher, were recently observed in another piece of malware, the Nemucod downloader.
As with Nemucod, the same obfuscation is applied to the payload while it is transferred over the network, so that the downloaded executable never appears in the clear to security products that inspect traffic to block infections.
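The following is an added illustration in JavaScript, not code from the Locky or Nemucod downloaders: the four obfuscation layers listed above (substitution cipher, character removal, XOR, reversal) as a round trip, so that each layer's effect and its inverse are visible; the "member name hidden in a string" trick; and the same XOR layer applied to the payload on the wire, which is the point of the preceding paragraph. The substitution seed, junk characters, XOR key, download URL and fake PE header are all constructed for the example.

```javascript
// Added illustration, not code from the Locky or Nemucod downloaders: the four
// obfuscation layers named in the text (substitution cipher, character removal,
// XOR, reversal) as a round trip, the "member name hidden in a string" trick,
// and the same XOR applied to the payload on the wire. Substitution seed, junk
// characters, XOR key and sample strings are all constructed here.

// Layer 1: monoalphabetic substitution over printable ASCII (0x20..0x7E),
// driven by a deterministic shuffle so encoder and decoder share one table.
const PRINTABLE = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i));
function buildSubstTable(seed) {
  const perm = PRINTABLE.slice();
  let s = seed >>> 0;
  for (let i = perm.length - 1; i > 0; i--) {           // Fisher-Yates driven by an LCG
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    const j = s % (i + 1);
    [perm[i], perm[j]] = [perm[j], perm[i]];
  }
  const enc = new Map(), dec = new Map();
  PRINTABLE.forEach((c, i) => { enc.set(c, perm[i]); dec.set(perm[i], c); });
  return { enc, dec };
}
const SUBST = buildSubstTable(0x5eed);                   // constructed seed
const substitute = s => [...s].map(c => SUBST.enc.get(c) ?? c).join('');
const unsubstitute = s => [...s].map(c => SUBST.dec.get(c) ?? c).join('');

// Layer 2: junk insertion after every second real character; the decoder's
// "character removal" step drops every third character to undo it.
const JUNK = '~^|';                                      // constructed filler set
function insertJunk(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += s[i];
    if (i % 2 === 1) out += JUNK[i % JUNK.length];
  }
  return out;
}
const removeJunk = s => [...s].filter((_, i) => i % 3 !== 2).join('');

// Layer 3: XOR with a repeating key; hex-encoded so it can live in a string literal.
const XOR_KEY = Buffer.from('L0ckyK3y');                 // constructed key
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Layer 4: reverse the whole string.
const reverse = s => [...s].reverse().join('');

function obfuscate(plain) {
  const layered = insertJunk(substitute(plain));
  return reverse(xorBytes(Buffer.from(layered, 'latin1'), XOR_KEY).toString('hex'));
}
function deobfuscate(blob) {                             // peel the layers in reverse order
  const layered = xorBytes(Buffer.from(reverse(blob), 'hex'), XOR_KEY).toString('latin1');
  return unsubstitute(removeJunk(layered));
}

// Hidden member access: the method name exists only as an obfuscated string and is
// resolved with bracket notation at run time, so no readable identifier appears in
// the script. Droppers do this with names such as ActiveXObject; String is used here
// because it exists outside Windows Script Host.
function hiddenCall(obj, obfuscatedName, ...args) {
  return obj[deobfuscate(obfuscatedName)](...args);
}

// Payload on the wire: a constructed fake PE header is XORed with the same key, so
// the bytes in transit never begin with "MZ"; the script decodes it after download.
const FAKE_PAYLOAD = Buffer.from('MZ\x90\x00 fake PE body (constructed)', 'latin1');
const wireEncode = payload => xorBytes(payload, XOR_KEY);
const wireDecode = blob => xorBytes(blob, XOR_KEY);

// Demo with a constructed download URL.
const url = 'hxxp://example.invalid/dl.php?id=1';
const blob = obfuscate(url);
console.log('obfuscated :', blob);
console.log('recovered  :', deobfuscate(blob));
console.log('hidden call:', hiddenCall(String, obfuscate('fromCharCode'), 76, 111, 99, 107, 121));
console.log('wire starts with MZ:', wireEncode(FAKE_PAYLOAD).toString('latin1', 0, 2) === 'MZ');
```

Two practical observations follow from running it. The obfuscated string is plain hex, so a signature written against the URL or the method name never matches; and the XOR-encoded payload does not start with the `MZ` marker a network scanner looks for, which is why the decoder must be recovered from the script rather than hoping to catch the executable in transit.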