A new Locky iteration is borrowing techniques observed in a recent Dridex campaign and is flooding inboxes in high volumes.

After fading from the spotlight, the notorious Locky ransomware is again flooding into email inboxes owing to new campaigns spread via the Necurs botnet.

Locky was a dominant malware player in 2016, but lost its mojo along with a slowdown in the Necurs botnet.

However, on April 21, researchers at Talos observed a new, large-scale Locky campaign again emanating from the Necurs botnet, according to a post on a Cisco blog.

The malware formerly was embedded in email with attachments using script formats recognized by Windows hosts, such as .js, .wsf, and .hta.

The new iteration is borrowing techniques observed in a recent Dridex campaign, the Talos researchers wrote, and is currently flooding inboxes in high volumes. The Necurs botnet is the source of the attack, they said, pointing out that the botnet had previously been used to send out more traditional spam – such as pump-and-dump spam, Russian dating spam and work-from-home spam.

The campaign was also observed by researchers at Malwarebytes Labs. According to a post on a Malwarebytes Labs blog, the technique borrowed from Dridex embeds a Word doc inside a PDF file, a strategy that enables the malware to avoid detection from sandboxes.

Once a recipient clicks on the OK button, the polluted Word doc is displayed. At that point, said the Malwarebytes researchers, a bit of social engineering dupes targets to click on the macro which launches the Locky ransomware.
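As an added illustration of the defender's side of the delivery chain described above (example code written for this page, not code from the article, Talos or Malwarebytes), the following Python triage check flags PDFs that declare an embedded Office document as a file attachment. The PDF bytes are constructed inline for the demo, and the regex approach is assumed to be a first-pass filter for uncompressed objects, not a full PDF parser.

```python
import re
from typing import Dict, List

# Constructed minimal PDF (not a real malware sample) whose name tree and
# /Filespec object declare an attachment named like a Word document, mirroring
# the PDF-wraps-Word layout the article describes.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Extensions of Office/RTF documents that can carry macros or exploit content.
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".rtf")


def find_embedded_files(pdf: bytes) -> List[str]:
    """Return attachment names declared by /Filespec objects (uncompressed only)."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec(.*?)endobj", pdf, re.S):
        body = m.group(1)
        # /UF (unicode name) or /F (name) holds the attachment's file name.
        f = re.search(rb"/(?:UF|F)\s*\((.*?)\)", body)
        if f:
            names.append(f.group(1).decode("latin-1"))
    return names


def has_embedded_file_stream(pdf: bytes) -> bool:
    """True if the PDF carries at least one /EmbeddedFile stream object."""
    return re.search(rb"/Type\s*/EmbeddedFile\b", pdf) is not None


def triage(pdf: bytes) -> Dict[str, object]:
    """Classify a PDF as suspicious when it embeds an Office-type attachment."""
    attachments = find_embedded_files(pdf)
    office = [n for n in attachments if n.lower().endswith(OFFICE_EXT)]
    return {
        "embedded_files": attachments,
        "office_attachments": office,
        "has_embedded_stream": has_embedded_file_stream(pdf),
        "verdict": "suspicious" if office else "clean",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real-world PDFs often place objects inside compressed object streams, so a production check must inflate those streams (or use a full parser) before applying the same pattern logic.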

The user's computer files are then encrypted with the .osiris extension and the miscreants behind the cybercrime demand 0.5 Bitcoin (around $623) to recover them.

Attackers are constantly evaluating not only how users can get infected, but also how security solutions can be evaded, Jerome Segura, lead malware intelligence analyst at Malwarebytes Labs, told SC Media on Monday. "Just like any other business, innovation is crucial in order to survive," he said.

What is different about this iteration of Locky is that the delivery mechanism leverages Adobe Reader to open up an embedded Word document containing a malicious macro, Segura told SC. "This is one extra step that is not required to social engineer users, but that makes it more difficult for the defense side to handle, at least for a little while."

As far as what particular social engineering ploy is being used, Segura said that the spam emails come as invoices or scans from a printer. "Users are tricked into opening them and following instructions to display the content. This is clever because it allows the attackers to bypass various security measures as the victim overrides them. It's also powerful in performing certain actions that automated sandboxes couldn't do on their own."

Threat actors continue to abuse various applications that are legitimate and used on a daily basis while getting assistance from social engineered users, Segura added. "This is a nightmare for IT admins that try to contain threats and have to deal with users making the worst possible choices."

We are likely to see more of those 'chained attacks' that hop from one application to the next, Segura told SC. "This is another aspect that makes tracing the original entry point much more difficult."