Locky malware being distributed via 7z/script

A week ago, Lawrence Abrams at Bleeping Computer wrote about Locky ransomware now taking a 7z form. The PC Matic Research Team has seen this new form of Locky this past week. Like many other variants of Locky, the core components which make up the binary are very similar except for the encrypted file extension switching to ykcol., locky spelled backwards.

The new initial infection vector see’s a somewhat odd usage of a 7z archive with an accompanying email which convinces the user to open the archive and file within. In our sample, the file in the archive had a .vbs extension. The Visual Basic (VBS) file, when double-clicked, attempts to run using WScript aka Windows Script Host. Visual Basic scripts can both download content from servers using the Internet and execute programs using the command shell. The VB Script is highly obfuscated to try and thwart analysis, or a least provide a nice puzzle to analysts. However, once it is deobfuscated, all it does is try a few servers for an executable file, download the file, and then run it. So much like other versions of Locky, this one still uses a typical .exe file to run. The difference is that by using a compressed 7z and vbs, it may trick certain email scanning and network scanning anti-malware platforms or make the user feel that it is a safe file too.

Here’s a look at some of the code. Please click the images for a larger picture:

Game function which is never called in malware

The first shot contains an interesting video-game like function called Anim2Uniball, which is never called. Possibly meant to throw off automated analysis systems

RobertBaration

Secondly, we have another useless function which is never called, named RobertBaration, a likely misspelling of Robert Baratheon from the popular show, Game of Thrones.

Lurkmoremanoeuvring variable names

Finally, here is some functionality which is used but which has nonsensical names. It is clear that an “automatic obfuscator” program was not used here because that would have replaced every string with complete gibberish or random numbers. In this case, the author of the script used nonsensical names but the names do hold actual meaning in other contexts, such as RobertBaration

Using the methods outlined in this post, we successfully deobfuscated the program and extracted as much info as possible. You will notice that the previous post is titled “Deobfuscating JavaScript Malware” and this one contains a Visual Basic Script instead of JavaScript. Although the language is different, the methodology of deobfuscating and even running the two is the same. Both types of scripts can be evaluated by Windows Script Host, both can download and run files, and both essentially work in the same manner to deliver malware. PC Matic SuperShield will protect against this threat with its superior whitelisting approach.

(Visited 82 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *