A week ago, Lawrence Abrams at Bleeping Computer wrote about Locky ransomware now taking a 7z form. The PC Matic Research Team has seen this new form of Locky this past week. Like many other variants of Locky, the core components which make up the binary are very similar except for the encrypted file extension switching to ykcol., locky spelled backwards.
The new initial infection vector see’s a somewhat odd usage of a 7z archive with an accompanying email which convinces the user to open the archive and file within. In our sample, the file in the archive had a .vbs extension. The Visual Basic (VBS) file, when double-clicked, attempts to run using WScript aka Windows Script Host. Visual Basic scripts can both download content from servers using the Internet and execute programs using the command shell. The VB Script is highly obfuscated to try and thwart analysis, or a least provide a nice puzzle to analysts. However, once it is deobfuscated, all it does is try a few servers for an executable file, download the file, and then run it. So much like other versions of Locky, this one still uses a typical .exe file to run. The difference is that by using a compressed 7z and vbs, it may trick certain email scanning and network scanning anti-malware platforms or make the user feel that it is a safe file too.
Here’s a look at some of the code. Please click the images for a larger picture: