At the beginning of 2016, Proofpoint researchers discovered a new malicious threat called Locky ransomware. Taking all the evidence into account, the same attackers behind many of the largest Dridex campaigns appear to have been involved in distributing Locky as well.
Recently, a significant increase in email campaigns attempting to install Locky has been observed, culminating on April 7 in the largest single campaign so far (tens of millions of messages). That campaign primarily targeted UK and French organizations and used malicious document attachments and a new malware variant, named RockLoader, as an intermediary that installs not only Locky but potentially two other pieces of malware as well.
Apart from the use of the above-mentioned RockLoader, the cyber criminals distributing Locky have been using an array of obfuscation techniques and evolving their approaches to evade detection.
In many of the email campaigns, the ransomware is most often installed via JavaScript attachment files. There are typically no legitimate uses for such attachments, so blocking the delivery of JavaScript attachments at the email gateway is considered best practice.
While observing the hackers behind the email campaigns, security researchers have noticed:
- Increasingly convoluted JavaScript obfuscation
- Additional junk files to help evade detection
- Mangled “Content-Type” headers to help evade detection
- The use of RAR instead of ZIP compression for the JavaScript
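As an added illustration of the gateway control described above (blocking JavaScript attachments, including when they arrive inside a ZIP), here is a Python check that is not part of the original article; the sample message it builds is constructed, and the .jse extension is an assumption rather than something the article names.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions run by Windows Script Host on double-click. ".js" is
# from the article; ".jse" (encoded JScript) is an added assumption.
SCRIPT_EXTENSIONS = (".js", ".jse")


def is_script_name(name):
    return name.strip().lower().endswith(SCRIPT_EXTENSIONS)


def script_attachments(raw_message):
    """Return names of JavaScript attachments in a raw RFC 822 message,
    looking inside ZIP archives too (RAR would need a third-party reader)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if is_script_name(name):
            found.append(name)
            continue
        payload = part.get_payload(decode=True) or b""
        # Identify ZIP by magic bytes, not Content-Type: the article reports
        # mangled Content-Type headers used to evade detection.
        if payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    found.extend(f"{name}:{m}" for m in zf.namelist()
                                 if is_script_name(m))
            except zipfile.BadZipFile:
                pass  # corrupt archive: nothing more to inspect
    return found


def build_sample_message():
    """Constructed sample: a ZIP holding invoice_2016.js plus a PDF decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.js", "// constructed placeholder, not malware")
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed decoy", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

A gateway rule would quarantine any message for which `script_attachments` returns a non-empty list.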
The attackers use RockLoader as an intermediate “downloader”. It has been distributed both through JavaScript attachments and malicious documents and, in turn, downloads Locky. The downloader is under active development, and new features are being added regularly. In addition, on April 6 and 7, 2016 it was used to load other malware, including Dridex 220, Pony, and Kegotip.
On March 28 and March 31, researchers noted some JavaScript attachments that, instead of downloading the Locky executable directly, downloaded a smaller program (36KB in size), which in turn downloaded Locky. Later on the same day, the intermediate downloader had been replaced by the actual Locky executable (200KB in size).
Interestingly, the loader first makes a request to bmg.de but does nothing with the response, overwriting the buffer in the subsequent POST. The malware can issue commands including “getjob”, to which the server may respond with a list of URLs linking to files to download and execute, or with a “task”. “NOTASKS” indicates there are no more files to download. The network communication is encrypted.
Another interesting component is the way the Windows version is encoded into the ID4 parameter. The first character is 1 for XP, 2 for Vista, 3 for Windows 7, 4 for Windows 8, and 5 for Windows 10. The fourth character is 1 if the OS is 64-bit and 0 otherwise.
Each downloaded binary is given a certain amount of time to run before it is killed. That time is derived from the ping command (argument – 10 seconds) divided by the number of ‘add’ URLs specified. Until a response is received from the server, the loader keeps generating requests.
By default, the downloader sleeps two minutes between JSON request attempts while trying to download the malware. The “ping” command exists to kill off downloaded malware that cannot connect to its dead C2, so the loader can move on to the next URL and try again. The time in minutes specified by the “ping” command is divided by the number of URLs present in the “add” field, which handles larger numbers of malware URLs flexibly while keeping a constraint on the total time required to process the downloads and infections.
RockLoader detects whether it is running as an administrator and, if not, is capable of bypassing UAC on both 32-bit and 64-bit versions of Windows via the well-known cliconfg.exe / ntwdblib.dll technique. On 64-bit systems an executable is extracted and run that performs SetWindowsHookEx-based DLL injection into explorer using a DLL contained in the binary’s resources; the injected DLL then triggers the UAC bypass. On 32-bit systems, the DLL injection is performed by the same method from the original RockLoader binary itself, with the DLL also embedded directly in the main RockLoader binary.
By this time, the developers of the downloader had already made a number of changes. The downloader’s runtime API resolution code has been modified to obfuscate the names of the APIs being resolved, using a simple 8-byte XOR algorithm. The same algorithm is also used to obfuscate an embedded 64-bit UAC bypass executable and a 32-bit UAC bypass DLL, both of which previously appeared in plain text. Some APIs that were previously static imports, such as ShellExecuteA, are now resolved dynamically. There is also a new JSON field, “key”, which is used in a simple XOR routine to decrypt the downloaded files.
Considering all of the above, one thing is certain: cyber criminals are constantly exploring new techniques to make their campaigns more effective in the future.