Cybercriminals behind the Locky ransomware and Necurs botnet are back in business. Last Friday researchers spotted both delivering nearly 35,000 emails in just a few hours, the first major Locky campaign researchers have seen in months, according to Cisco Talos.
Researchers warn the latest Locky campaign is borrowing effective techniques from the credential-stealing malware Dridex, which has become adroit at outsmarting sandbox mitigation efforts.
“The payload hasn’t changed but the methodology has,” wrote Cisco Talos researcher Nick Biasini in a research blog published Friday. “The use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky,” he said.
Last year, Locky was behind a series of massive spam campaigns that targeted hospitals with either malicious Word or JavaScript attachments. By December, Cisco reported, Necurs and Locky activity had gone silent.
“This could be the first significant wave of Locky distribution in 2017,” according to Biasini.
The specifics of the campaign include two variants of emails sent to recipients. One variant has no text in the body of the email. In the other, emails include text consistent with what you might expect from an email that contains payment invoices, receipts or scanned images, according to Biasini. In both cases, subject lines include either the word “Payment” or “Receipt” followed by “#” and numbers – for example “Receipt#272”. Filenames of the malicious attachments are customized based on the recipient’s email address.
Emails include a malicious PDF document with an embedded Word document inside, researchers say. Once opened, the PDF asks the victim for permission to open a Word document. That Word document then asks victims for permission to run an XOR’d Macro that pulls down a malware dropper file. Once Locky is downloaded it encrypts files on the host computer.
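As an added illustration (not code from the Cisco Talos report), the mail-gateway triage heuristic below combines the two traits described above: a “Payment#”/“Receipt#” subject line and a PDF attachment that declares an embedded Word document. The function names, the raw-byte scan of the PDF and the sample PDF skeleton are all constructed for this example.

```python
import re

# Heuristic 1: subject lines of the form "Payment#<digits>" / "Receipt#<digits>".
SUBJECT_RE = re.compile(r"^(Payment|Receipt)#\d+$")

# Heuristic 2: PDF objects declaring an embedded file whose file specification
# names a Word document (.doc, .docm or .docx).
EMBEDDED_FILE_RE = re.compile(rb"/EmbeddedFile")
FILESPEC_RE = re.compile(rb"/F\s*\(([^)]*\.doc[mx]?)\)", re.IGNORECASE)


def pdf_embedded_word_docs(pdf_bytes: bytes) -> list:
    """Return filenames of Word documents declared as embedded files in a PDF.

    This scans the raw bytes rather than parsing the PDF object tree, so it
    misses names hidden in compressed object streams; treat it as a first-pass
    indicator, not a verdict.
    """
    if not EMBEDDED_FILE_RE.search(pdf_bytes):
        return []
    return [m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(pdf_bytes)]


def triage_message(subject: str, attachments: dict) -> dict:
    """attachments maps filename -> raw bytes. Flags the message when both
    the subject pattern and a PDF-wrapped Word document are present."""
    reasons = []
    if SUBJECT_RE.match(subject.strip()):
        reasons.append(f"subject matches campaign pattern: {subject!r}")
    for name, data in attachments.items():
        if data.startswith(b"%PDF"):
            docs = pdf_embedded_word_docs(data)
            if docs:
                reasons.append(f"PDF {name!r} embeds Word document(s): {docs}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample inputs: a minimal PDF skeleton that declares an embedded
# .docm, and a benign PDF with no embedded files.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Filespec /F (invoice_272.docm) /EF << /F 2 0 R >> >> endobj\n"
              b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
              b"%%EOF\n")
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_message("Receipt#272", {"Receipt#272.pdf": SAMPLE_PDF}))
    print(triage_message("Q3 report", {"report.pdf": SAMPLE_CLEAN_PDF}))
```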
“The technique used by the adversaries to deliver Locky was just recently used to deliver Dridex and made use of PDF document with embedded Word documents. These Word documents then use macros to pull down the Locky sample and encrypt files. There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies,” Biasini wrote.
For a time PDF-based compromises were down and Word macro-based compromises were up, Biasini said. “In this campaign they figured out how to disguise a macro-laden Word doc in a PDF, compromising victims around the globe,” he wrote.
The latest wave of Necurs activity represents a departure for the botnet, which has traditionally been focused on pump-and-dump stock ploys, Russian dating spam, and work-from-home scams, according to the report.
Once systems are infected, there is nothing remarkable about how attackers extort money from victims, Biasini wrote. Post infection, the Locky sample used the “/checkupdate C2” structure previously used by Locky. Attackers demand 1 bitcoin (currently $1,200) to decrypt files, payable via a Tor Browser-accessible website.
“This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user’s mailbox,” Biasini wrote.