Locky ransomware spreading via Bizarro Sundown EK
Locky ransomware spreading via Bizarro Sundown EK
A team of researchers has detected two new iterations of Locky ransomware being spread via an exploit kit (EK) that is based on the previous Sundown EK.

The new EK, dubbed Bizarro Sundown, was seen spreading a first version of the malware on Oct. 5 and a second on Oct. 19, according to a post from Trend Micro threat analysts Brooks Li and Joseph C. Chen.

Bizarro Sundown clones a number of attributes from its Sundown predecessor, but adds in anti-analysis features, the researchers found. Further, the second attack altered its URL format to dupe recipients into believing they were landing on legitimate web ads. Both versions, the researchers claim, were used exclusively by the ShadowGate/WordsJS campaign.

The industries and locations of legitimate websites that were compromised by this attack. There are 13 countries represented and about 27 different overall industries.

Category                              Country 

finance/financial-management BG
news-and-media BG 
news-and-media/magazines-and-e-zines BG 
news-and-media/newspapers BG
news-and-media/newspapers 
BG 
science/social-sciences BG
shopping 
CL
finance/financial-management 
CN
news-and-media/technology-news CN
travel/tourism CN
adult DE
agriculture-and-forestry DE
arts-and-entertainment DE
business-and-industry DE
career-and-education/jobs-and-employment DE
computer-and-electronics/software DE
finance/investing DE
food-and-drink DE
internet-and-telecom/chats-and-forums DE
marketing-and-advertising DE
news-and-media DE
news-and-media DE
sports/football DE
arts-and-entertainment ES
arts-and-entertainment/music-and-audio ES
business-and-industry ES
computer-and-electronics/software ES
internet-and-telecom ES
news-and-media ES
reference/maps ES
science/agriculture ES
arts-and-entertainment HK
arts-and-entertainment/tv-and-video HK
business-and-industry/real-estate HK
career-and-education/jobs-and-employment HK
games HK
health HK
business-and-industry IL
business-services IL
career-and-education/education IL
finance/financial-management IL
news-and-media IL news-and-media IL
news-and-media/newspapers IL
shopping IL
sports IL
arts-and-entertainment/music-and-audio IT business-and-industry IT
business-and-industry/real-estate IT
career-and-education IT
career-and-education/education IT
health IT health IT
news-and-media IT
news-and-media IT
news-and-media/magazines-and-e-zines IT
sports/cycling-and-biking IT
sports/soccer IT
sports/soccer IT
sports/soccer IT travel/airlines-and-airports IT  
news-and-media KR
news-and-media/newspapers KR
business-and-industry SI
health/medicine SI
law-and-government/government SI
news-and-media SI
shopping SI
sports SI
adult TW
business-and-industry TW
business-and-industry TW
finance/investing TW
internet-and-telecom/chats-and-forums TW
news-and-media UK
business-and-industry/energy US
computer-and-electronics/programming US
shopping US
unknown US 

One interesting aspect of ShadowGate's campaign the researchers noted was an absence of attacks on weekends, with most victims in Taiwan and Korea.

According to Trend Micro, the first iteration of Bizarro Sundown went after a memory corruption vulnerability in Internet Explorer (CVE-2016-0189) and two security vulnerabilities in Flash: a use-after-free vulnerability (CVE-2015-5119) and an out-of-bound read bug (CVE-2016-4117), both since patched.

The change detected was Bizarro Sundown's obfuscation of its landing pages and the addition of anti-crawling functionality, intended to thwart automated crawlers used by researchers and analysts.

For the version noted Oct. 19, the researchers observed a change to its redirection chain that rendered URLs closer to normal advertising traffic. "It can now be integrated more directly into ShadowGate's new redirection method, which used to rely on scripts to route potential victims to malicious servers." The malware uses a malicious Flash (.SWF) file to achieve this, the report found.

As is typical to mitigate such attacks, the researchers stress a solid backup strategy as a good defense against ransomware, while the addition of patch management bolsters security at the device's perimeter. Further, maintaing updates on the operating system and software helps fend off exploits targeting flaws already patched by vendors.

Photo courtesy of Trend Micro