At the beginning of 2016, Proofpoint researchers identified a new malicious threat called Locky ransomware. Considering all the facts, it seems that the same attackers behind many of the largest Dridex campaigns were also involved in distributing Locky.
Recently, a significant increase in email campaigns attempting to install Locky has been observed, culminating on April 7 in the largest single campaign (tens of millions of messages) seen so far. That campaign primarily targeted UK and French organizations and used malicious document attachments and a new malware variant, named RockLoader, as an intermediary that installs not only Locky but potentially two other pieces of malware as well.
Apart from using the above-mentioned RockLoader, the cyber criminals distributing Locky have been using an array of obfuscation techniques and evolving their approaches to evade detection.
While observing the hackers behind the email campaigns, security researchers have noticed:
- Additional junk files to help evade detection
- Mangled “Content-Type” headers to help evade detection
Interestingly, the loader first makes a request to bmg.de, but it does nothing with the response and overwrites the buffer in the subsequent POST. The malware can issue commands including “getjob”, to which the server may respond either with a list of URLs linking to files to download and execute or with a “task”. “NOTASKS” indicates there are no more files to download. The network communication is encrypted.
Another interesting component is the way the Windows version is encoded into the ID4 parameter. The first character is 1 for XP, 2 for Vista, 3 for Windows 7, 4 for Windows 8, and 5 for Windows 10. The fourth character is 1 if the OS is 64-bit and 0 otherwise.
Each downloaded binary is given a certain amount of time to run before it is killed. That time is derived from the ping command (argument – 10 seconds) divided by the number of ‘add’ URLs specified. Until a response is received from the server, the loader keeps generating requests.
By default, the downloader sleeps two minutes between JSON request attempts while trying to download the malware. The “ping” command exists to kill off downloaded malware that cannot connect to its dead C2, so the loader can move on to the next URL and try again. The time in minutes specified by the “ping” command is divided by the number of URLs present in the “add” field, which flexibly handles larger numbers of malware URLs while keeping a constraint on the total time required to process the downloads and infections.
RockLoader detects whether it is being run as an administrator and, if it is not, can bypass UAC on both 32-bit and 64-bit versions of Windows via the well-known cliconfg.exe / ntwdblib.dll technique. On 64-bit systems an executable is extracted and run which performs SetWindowsHookEx-based DLL injection into explorer using a DLL contained in the binary’s resources; the injected DLL then triggers the UAC bypass. On 32-bit operating systems, the DLL injection is performed via the same method from the original RockLoader binary itself, with the DLL also embedded directly in the main RockLoader binary.
By this time, the developers of the downloader have already made a number of changes. The downloader’s runtime API resolution code has been modified to obfuscate the names of the APIs being resolved, using a simple 8-byte XOR algorithm. The same algorithm is also used to obfuscate an embedded 64-bit UAC bypass executable and a 32-bit UAC bypass DLL that previously appeared in plaintext. Some APIs that were static imports before, such as ShellExecuteA, are now resolved dynamically. There is also a new JSON field, “key”, which is used in a simple XOR routine to decrypt the downloaded files.
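The ID4 encoding, the ping/“add” timeout rule and the 8-byte XOR described above, as an added Python example for triaging beacon data; it is neither Proofpoint's analysis code nor anything from the loader. Field names follow the write-up, while the sample values, the assumption that “ping” is expressed in minutes, and the repeating-key XOR layout are assumptions of mine.

```python
"""Triage helpers for the RockLoader behaviour described above (added
example, not Proofpoint's code and not the loader's own). Assumed: the
"ping" value is in minutes and the XOR routine uses a repeating 8-byte key."""
import json

OS_BY_DIGIT = {"1": "Windows XP", "2": "Windows Vista", "3": "Windows 7",
               "4": "Windows 8", "5": "Windows 10"}


def decode_id4(id4: str) -> dict:
    """First character selects the OS, fourth character flags 64-bit."""
    if len(id4) < 4:
        raise ValueError("ID4 too short to carry OS version and bitness")
    return {"os": OS_BY_DIGIT.get(id4[0], "unknown"), "x64": id4[3] == "1"}


def per_binary_timeout(ping_minutes, add_urls):
    """Run budget per download: ping time divided by the number of 'add' URLs."""
    if not add_urls:
        return None  # nothing to run (e.g. NOTASKS), so no budget to split
    return ping_minutes / len(add_urls)


def xor8(data: bytes, key: bytes) -> bytes:
    """Repeating 8-byte XOR (assumed layout); XOR is its own inverse."""
    if len(key) != 8:
        raise ValueError("expected an 8-byte key")
    return bytes(b ^ key[i % 8] for i, b in enumerate(data))


def summarise_getjob(response_text: str) -> dict:
    """Summarise a decrypted 'getjob' reply for an analyst."""
    job = json.loads(response_text)
    urls = job.get("add", [])
    return {"downloads": len(urls),
            "timeout_min": per_binary_timeout(job.get("ping", 0), urls),
            "key": job.get("key")}


# Constructed sample values, not real captures.
SAMPLE_ID4 = "3001"
SAMPLE_GETJOB = json.dumps({"add": ["http://example.invalid/a.exe",
                                    "http://example.invalid/b.exe",
                                    "http://example.invalid/c.exe"],
                            "ping": 30, "key": "00112233"})

if __name__ == "__main__":
    print(decode_id4(SAMPLE_ID4))          # Windows 7, 64-bit
    print(summarise_getjob(SAMPLE_GETJOB))  # 3 downloads, 10 minutes each
    key = b"\x13\x37\xca\xfe\xde\xad\xbe\xef"
    print(xor8(xor8(b"ShellExecuteA", key), key))  # round-trips the name
```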
Considering all of the above, one thing is certain – cyber criminals are constantly exploring new techniques to make their campaigns more effective in the future.