A new version of Locky ransomware has been spotted now sporting an improved delivery mechanism, better obfuscation which combined make it more difficult for anti-malware scanners to spot.
Maharlito Aquino, a researcher with Cyren, said these changes to Locky, first detected on August 23, are just the latest in a string discovered so far this summer indicating the cybergang developing Locky is not resting on its laurels. Like earlier version of Locky, this one uses emails socially engineered to attract those working in the financial sector that contain a zip attachment containing the attack.
However, now an additional layer of obfuscation has been added which decrypts and executives the real Locky downloader.
The additional layer of obfuscation which Cyren detects as JS/Locky.AT!Eldorado, was needed, Aguino told SCMagazine.com in an email Friday because “Earlier obfuscation methods were getting less efficient.”
A typical note accompanying a Locky phishing attempt.
The most significant aspect of the upgrade was replacing the EXE binary with a DLL bianary that Cyren detects as W32/Locky.AT_1.gen!Eldorado. The DLL uses a custom packer that also helps hide the malware from security software, Aquino said.
“The criminal syndicate behind Locky is evidently quite busy, and quite resourceful,” Aquino wrote.
In addition to the upgrades found by Cyren, Trend Micro reported a new Locky version hitting targets in Brazil using Windows Scripting Files as a downloader.
The earlier changes to Locky found by Cyren are; on June 27, new sandbox evasion techniques; July 4, new downloading technique, July 14 attachment format change; and July 21, embedded in JavaScript.
