{"id":6334,"date":"2017-01-23T15:50:25","date_gmt":"2017-01-23T23:50:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-172\/"},"modified":"2017-01-23T15:50:25","modified_gmt":"2017-01-23T23:50:25","slug":"news-172","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-172\/","title":{"rendered":"The new .LNK between spam and Locky infection"},"content":{"rendered":"

Just when it seems the Ransom:Win32\/Locky<\/a> activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors might be using to keep it going.<\/p>\n

The decline in Locky<\/a> activity can be attributed to the slowdown of detections of Nemucod<\/a>, which Locky<\/a> uses to infect computers. Nemucod<\/a> is a .wsf file contained in .zip attachments in spam email (see our Nemucod WSF blog<\/a> for details). Locky<\/a> has also been previously distributed by exploit kits and spam email attachments with other extensions such as .js, .hta, etc.<\/p>\n

\"The<\/a><\/p>\n

Figure 1. The graph shows that <\/em>Locky<\/u><\/em><\/a> machine encounters has recently been low<\/em><\/p>\n

\u00a0<\/em><\/p>\n

\"Nemucod<\/a><\/p>\n

Figure 2: Nemucod detection peaked early in October 2016<\/em><\/p>\n

 <\/p>\n

We observed that the Locky<\/a> ransomware writers, possibly upon seeing that some emails are being proactively blocked, changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky<\/a>.<\/p>\n

An example of the spam email below shows that it is designed to feign urgency. It is sent with high importance and with random characters in the subject line. The body of the email is empty.<\/p>\n

\"Example<\/a><\/p>\n

Figure 3: Example of a spam email that could lead to a <\/em>Locky<\/em><\/a> infection<\/em><\/p>\n

 <\/p>\n

The spam email typically arrives with a .zip attachment, which contains the .LNK files. We\u2019ve observed that the attachment is named bill, possibly meant to trick users into thinking it is a bill they need to pay. In opening the .zip attachment, users trigger the infection chain.<\/p>\n

\".LNK<\/a><\/p>\n

Figure 4: .LNK file inside the zip attachment<\/em><\/p>\n

 <\/p>\n

Inspecting the .LNK file reveals the PowerShell script.<\/p>\n

\"Embedded<\/a><\/p>\n

Figure 5: Embedded PowerShell command in the shortcut file<\/em><\/p>\n

 <\/p>\n

This threat is detected as TrojanDownloader:PowerShell\/Ploprolo.A<\/a>.<\/u><\/p>\n

When the PowerShell script successfully runs, it downloads and executes Locky<\/a> in a temporary folder (for example, BJYNZR.exe<\/em>), completing the infection chain.<\/p>\n

\"Embedded<\/a><\/p>\n

Figure 6: Embedded PowerShell command used to download the payload<\/em><\/p>\n

 <\/p>\n

The payload malware is the recent version of Locky<\/a> that has the following characteristics:<\/p>\n