Locky ransomware back in huge spam campaign; new variant escapes sandbox
Locky ransomware back in huge spam campaign; new variant escapes sandbox

Locky ransomware is back, being pushed out to victims in a concerted spam campaign. Security researchers have also discovered a variant of the ransomware that attempts to evade analysis by security firms using new approach.

Several security researchers have signalled the new campaign. Researchers at Comodo Threat Intelligence Lab, said that a second wave of new but related IKARUSdilapidated Locky ransomware attacks has occurred, building on the attacks discovered by the Comodo Threat Intelligence lab earlier in the month of August 2017. 

It said that this campaign also uses a botnet of zombie computers to coordinate a phishing attack which sends emails to victims appearing to be from their organisation's scanner/printer, or other legitimate source and ultimately encrypts the victims' computers and demands a bitcoin ransom.

According to Comodo, this second wave of phishing carrying IKARUSdilapidated is actually two different campaigns launched three days apart. The first (featuring the subject “Scanned image from MX-2600N”) was discovered by the Lab to have commenced over 17 hours on 18 August. The second (a French language email purportedly from the French post office featuring a subject including “FACTURE”) was executed over a 15-hour period on 21 August.

Researchers said that in contrast to the initial 2017 IKARUSdilapidated Locky campaign, which distributed malware with the ".diablo" extension and a Visual Basic Script (with a ".vbs" extension), both new attacks have interesting variations to fool users with social engineering and to fool security administrators and their machine- learning algorithms and signature-based tools.

"This first follow-up ransomware phishing attack so soon after the sophisticated 9-11 August attack, showed us how dedicated they are at getting better at these types of attacks.” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL).  

“Another more targeted variant coming just three days later confirms their capability to scale up and to plan and execute multiple targeted campaigns and as with 9 August, when machine learning algorithms and artificial intelligence couldn't identify these new unknown malware files, the default deny posture with containerisation of unknown files was critical to protect customers.”

While the Locky campaign gathers speed, a new variant has been spotted that attempts to evade efforts by security researchers to analyse it.

According to security researches at Malwarebytes, this variant attempts to evade detection by relying once more on simple, yet effective user interaction.

In a blog post by researchers Marcelo Rivero and Jérôme Segura, they said that they found that a malicious Word document that carries instructions to download and run Locky is set to only trigger when the user closes it (not only by enabling macros). 

This change means that sandboxes that auto-analyse malicious samples are likely to miss it completely because they would not "think" of closing the document. In fact, they would do the opposite, since closing the file may mean the code would not have a chance to run. Striking its targets when they least expect it.

“While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behaviour in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen,” said the researchers.

Chris Doman, security researcher at AlienVault, told SC Media UK that these sandbox tricks will make automated analysis by sandboxes more difficult. “However this doesn't prevent heuristic detections by antivirus software of suspicious looking Macros - this should still stand out as possibly malicious code within an Office document,” he said.

“Network administrators can prevent untrusted Macro's from executing in their environment. This prevents lots of malware including this Locky campaign. However it comes at the cost of making writing Macros more difficult for legitimate users.”

Tony Rowan, chief security consultant at SentinelOne, told SC Media UK that this variant is attempting to take advantage of the temporal impact of the decision made within the sandbox test environment.

“By triggering the payload download and execution as the document is closed, the attacker attempts to wait until after the malware verdict has been made. This is yet another sandbox bypass method and it highlights a fundamental limitation of sandbox testing,” he said.

“Sandboxes aim to detect the behaviours of the malware in a controlled environment and this seems a sensible approach. Unfortunately, as we routinely see, that attackers are aware of the limitations of sandbox detection. Detecting behaviours on the real system that is executing the code is surely going to be more effective as it is not vulnerable to the avoidance mechanisms inherent in sandboxes.”

Earlier this week Symantec issued a paper suggesting that a reason for the revival of Locky is the revival of Necurs botnet (associated with distributing Locky in the past) which became active once again in March. It notes that malicious email distributors have experienced some disruption in the first half of the year, meaning activity is behind 2016 levels. It says, "One of the main disruptions seen was to the Necurs botnet (Backdoor.Necurs), which was one of the biggest distributors of malware during 2016, running massive spam campaigns spreading the Locky ransomware (Ransom.Locky), among other threats. Necurs ceased operating on 24 December 2016 and, initially it appeared that its controllers were taking a break for the holiday period (not uncommon among cyber-criminals). However, Necurs remained silent for almost three months, leading to some speculation that it had disappeared entirely. The botnet resumed operations in late March 2017. When it returned, it was involved in pump-and-dump stock scams, although by April, the botnet was once again distributing ransomware. The reason for its long absence remains unknown."