Single JavaScript File Can Deliver Zepto Ransomware

A newly discovered variant of the Locky ransomware, also known as Zepto ransomware, has come back fully evolved and able to use a single JavaScript file for its whole distribution.

Since its first appearance at the beginning of this year, Locky has been continuously improving its operation methods. Its way of spreading, though, didn't change: it arrives via spam email carrying a ZIP attachment that hides a JavaScript file. That file contains what security experts call a “downloader”, which fetches the Locky ransomware binary and executes it on the infected machine.

Cyren researchers state that, starting a week ago, the entire Locky ransomware core can be distributed with a single JavaScript file. What tipped them off was the unusual change in the ZIP file's size, which suddenly grew from a few KB to more than 250 KB. Moreover, when the JS file is opened in a code editor, it contains a lot more code than before.

According to the researchers, the actual Locky binary is already embedded in this code, so there is no need for a separate download by a “downloader”. When the JS file is executed, the binary is written to the victim's computer and automatically starts encrypting the user's files. Although Locky's Zepto variant is the only one to use this technique, it doesn't come as a surprise to researchers.
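The two observable signs the article describes, a ZIP-wrapped script attachment that has jumped from a few KB to over 250 KB and a script body that carries a large encoded blob, can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not Cyren's or anyone else's code; the 250 KB threshold comes from the article, while the blob-length heuristic and the constructed sample scripts are assumptions.

```python
import io
import re
import zipfile

# Threshold from the article: ZIPs carrying the embedded binary grew from a few KB to over 250 KB.
LARGE_SCRIPT_BYTES = 250 * 1024
# Script types the article names: JavaScript and the WSF alternative.
SCRIPT_EXTENSIONS = (".js", ".wsf")
# Heuristic (assumption): a contiguous run of base64-alphabet characters this long is
# more likely an embedded payload than hand-written script logic.
BLOB_RUN_RE = re.compile(rb"[A-Za-z0-9+/=]{2048,}")


def inspect_zip_attachment(zip_bytes):
    """Return (member name, list of reasons) for every script member in the ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            # Any script inside a mailed ZIP is worth a look; add stronger signals on top.
            reasons = ["script attachment"]
            if info.file_size > LARGE_SCRIPT_BYTES:  # uncompressed size
                reasons.append("oversized script (%d bytes)" % info.file_size)
            if BLOB_RUN_RE.search(zf.read(info)):
                reasons.append("long encoded blob (possible embedded binary)")
            findings.append((info.filename, reasons))
    return findings


def build_sample_zip(member_name, body):
    """Constructed in-memory ZIP with a single member, used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


# Constructed samples: a tiny script (old downloader-sized) and a bloated one with an encoded blob.
SMALL_JS = b"var x = 1; // small, benign-looking script\n"
LARGE_JS = b"var payload = '" + b"A" * (300 * 1024) + b"';\n"

if __name__ == "__main__":
    for name, body in (("small.js", SMALL_JS), ("invoice.js", LARGE_JS)):
        for member, reasons in inspect_zip_attachment(build_sample_zip(name, body)):
            print(member, "->", "; ".join(reasons))
```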

“Embedding malware binaries in scripts has been around for years, so it is not surprising to see Locky making use of this technique in delivering its ransomware component,” Cyren’s Maharlito Aquino says. “This doesn’t mean that Locky is coded in JavaScript, the binary is still compiled from another programming language, but that instead of using a two-step infection stage, Locky is now delivered directly via the JS file.”

The Zepto ransomware, as security researchers have been calling these Locky versions, leaves a “.zepto” extension on files during the encryption process.

A huge number of spam emails (137,731 in only four days) distributing the Zepto ransomware were detected by Cisco about a month ago. They noticed, however, that this particular spam wave hadn't evolved yet and was still using the old two-step infection technique.

Cyren has been constantly observing Locky's behavior, its operation methods and any changes in general. They noticed that Locky has some alternatives when it comes to distribution: using DOCM instead of DOC and DOCX files, allowing it to target victims via Microsoft Word. The company has also come across WSF files used as an alternative to JavaScript files.

These alternatives, however, don’t apply to Zepto versions.
