Locky Gets Trickier, Uses JavaScript XOR Obfuscation

RockLoader and obfuscation help Locky stay at the top of the charts

Proofpoint security say that Locky has moved into one of the top positions for ransomware distributed via e-mail by using JavaScript obfuscation and the reversal of the bytes of its malicious payloads. It is aided in this delivery by malware loaders such as the RockLoader malware. The firm observe Locky being delivered with increasing efficiency as far as stealth is concerned:

These campaigns continue to demonstrate the trend of threat actors shifting delivery mechanisms and adding new layers of obfuscation and evasion to bypass security defences. In the example above, the initial payload was actually the RockLoader malware loader which then attempted to install Locky from a sophisticated command and control (C&C) architecture“, researchers blogged.

The XOR disguises the malware code to look like harmless binary and so it’s not easily detected by scanning. The technique is becoming more popular with the criminals. The security researchers last week noted Locky being delivered by this method and commented that while it can be used to evade security products that are designed to detect executables threatening a network, it can also be used to avoid sandbox detection.

Proofpoint recommended that a combination of security layers using different detection techniques is required to stop Locky, and other malware that is beginning to use this infiltration method. XOR is used because it is convenient; there are many other more complicated binary obfuscations that will be even more of a problem.

Now good awareness and working practice is even more important, especially in business network environments.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.