Analysis of the Locky infection process

infeccion-locky-623x432

In recent months, there has been a significant increase in the number of networks and users affected by ransomware known as Locky, which is used to encrypt a victim’s files and then demand a ransom to be paid in bitcoins. But, how does this threat manage to infiltrate computer systems and hijack data? From the ESET Research Lab in Latin America, we can explain the steps and the methods used by cybercriminals to evade various layers of security.

The diagram below shows the Locky infection process leading to the payload. Initially, the user will receive an email which may be based on one of a number of topics and in various languages. This email will contain a Microsoft Office document in an attachment (this could be .DOC, .DOCM or .XLS). This document creates a BAT file, which in turn creates another file in VBScript code. Between them, these files will later download the main threat, detected by ESET solutions as Win32/Filecoder.Locky.

Graph_EN

Below we will give a step-by-step explanation on each of the above components and how they perform their malicious actions to achieve their goal. Finally, we will take a look at how proactive detection can protect users.

1. Document with malicious macros

Fraudulent documents contain malicious macros, which are executed when the user clicks on the button saying “Enable content”. Once macros have been enabled, the code executes automatically to begin the infection, as seen in the following image:

Locky

We can perform a more deep-seated analysis to look at the macros which create the first part of the infection. Among them we can highlight three specific lines of code which create a BAT file called. “Ugfdxafff.bat”. We then see the  “Write” function, which will write base64 encrypted code in this file, and finally the  “Shell” function executes the BAT file, as we can see in the following screenshot:

Locky

2. BAT and VBS scripts

The purpose of the “ugfdxafff.bat” file is to create a VBScript file, which will work alongside it, including a URL to download the payload – in this case labeled as “asddddd.exe”.

Finally, the BAT file will execute the BAT file using the command “start asddddd.exe” and delete the VBS, just as it will delete itself in order to remove any evidence from the system. This sequence of actions can be seen in the following screenshot:

Screen Shot 2016-03-31 at 19.04.03

3. Proactive detection

One of the most important points to remember when faced with how Locky works is to understand that this set of intermediate steps, in which a proactive security solution combined with user awareness and education, will enable the attack to be blocked before it reaches your inbox or before macros are enabled.

The acceptance of spam emails by users or company employees is one of the points of entry for this type of threat, so that it can hijack company data and generate a huge problem for users.

Conclusion

It is important to take into account the risks inherent to using macros in a Microsoft Office document, as this could compromise personal or work data and files, not to mention an entire corporate network.

This is why it is crucial that all users become educated about trends in computer crime and the effects of threats like ransomware. They must internalize best practices in computer security. The main thing, of course, is to use a properly configured, up-to-date antivirus program to avoid this type of malicious code from harming systems. Then information in this article can also be used as advice to prevent ransomware.

Analysed data

Win32/Filecoder.Locky.A

Md5: dba9a404a71358896100f9a294f7c9a3

VBA/TrojanDownloader.Agent.AUD

Md5: c7d3afbe92d91cd309cce2d61d18f268

BAT/TrojanDownloader.Agent.NHW

Md5: 30f0378659496d15243bc1eb9ba519ef

VBS/TrojanDownloader.Agent.NZN

Md5: 048820a62c0cef4ec6915f47d4302005

by Diego Perez, ESET Latin America


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s