Threat actors are distributing the new downloader in .zip and .rar attachments disguised as invoices, corporate documents, tax information, and other seemingly benign files.
The new downloader is written in "more compact" script code that allows attackers to encrypt the malicious code inside .zip or .rar files multiple times, InfoArmor's chief intelligence officer, Andrew Komarov, told SCMagazine.com.
The malicious code bypasses anti-spam filters and anti-virus software through obfuscation, Komarov said.
Those behind the Locky malware didn't design the malicious downloaders but obtained them from a third party, he said, noting that 50 unique malicious downloaders can be purchased for between $1 and $25, making them an inexpensive way to spread the ransomware.
FireEye researchers observed the new downloader using a custom network communication protocol; in their tests it only ever downloaded the Locky ransomware as its payload, according to an April 22 blog post.
The researchers went on to say that the downloader could be a new platform for installing other malware or for “pay-per-install” malware distribution.