Locky Limps Back into Action After Lull

Researchers say the Necurs spam botnet is limping back into action with two new campaigns that could be the telltale signs of a future full-scale attack.

Researchers say Locky spam volumes are limping back into action with two new and tiny campaigns that could reveal telltale signs of a future full-scale attack.

Cisco Talos said since late December, Necurs botnet activity has been silent. So too have campaigns tied to Locky ransomware; chiefly distributed by the Necurs botnet.

But earlier this week, researchers say they spotted two new low-volume Locky spam campaigns with fewer than a thousand messages associated with it. “When Necurs is active we typically see approximately 350-400K IPs in our blacklists related to spamming. Those numbers have been closer to 50K,” wrote Nick Biasini and Jaeson Schultz, researchers with the Cisco Talos, in a blog post.

Biasini and Schultz said these campaigns are mostly typical and are delivering Locky via scripts used to obtain malware hosted on compromised websites. But they say, they are observing a couple of new Locky twists.

“These are some of the first spam campaigns we have seen delivering Locky since before the Christmas break and could be indicators of things to come,” Biasini and Schultz said.

Researchers have identified two distinct Locky campaigns. One is a “double zipped” Locky variant that utilizes a one .zip file extracted from another .zip file. The second “.rar based” Locky variant, as the name suggests, uses the .rar archive compression standard versus .zip.

As for the .zip variant researchers said email messages contain no subject or body, just a blank email with an attachment. When the attachment is extracted there is a second .zip file inside (71344395.doc.zip) that uses double extensions in hopes that a user thinks it is a doc file, according to the researchers.

Inside the .zip archive is yet another double-extension file called 71344395.doc.jse. “This is the malicious JavaScript which pulls the payload leading to Locky,” Biasini and Schultz said. Once the JSE file executes and performs a GET request for two payloads; the Locky ransomware and the click-fraud Kovter Trojan. According to Cisco Talos, victims who pay the Locky ransom are still left with the Kovter Trojan.

Collusion between Kovter and Locky has also been observed by the PhishMe Research Team. It reported Monday the two have been sharing the same distribution channel for the past several months. “(Kovter) threat actors have evolved from using a fake file encryption threat to using a well known and effective ransomware family: Locky,” wrote PhishMe researcher Paul Burbage.

The second .rar based spam campaign kicked-off a day after the .zip variant was first spotted. As opposed sporting a blank subject line and body, as the .zip variant did, the .rar pawns itself off as a failed transaction.

“This particular campaign made use of .rar files instead of the more common zip archives. If the user extracts the archive they find a js file, doc_details.js,” researchers said.

The GET request for this variant, according to Cisco Talos, has more in common with the Dridex banking Trojan than a traditional Locky payload in that the GET request utilizes a python user agent versus a more traditional user agent.

In total Cisco Talos said campaigns were observed over the span of 24 hours earlier this week, with fewer than 1,000 messages being sent in total. Researchers say both campaigns are currently active.

(Correction: This article was updated to reflect a resurgence in Locky ransomware, not the Necurs botnet.)  

Suggested articles