A week ago, Lawrence Abrams at Bleeping Computer wrote about Locky ransomware now taking a 7z form. The PC Matic Research Team has seen this new form of Locky this past week. Like many other variants of Locky, the core components which make up the binary are very similar except for the encrypted file extension switching to ykcol., locky spelled backwards.
The new initial infection vector see’s a somewhat odd usage of a 7z archive with an accompanying email which convinces the user to open the archive and file within. In our sample, the file in the archive had a .vbs extension. The Visual Basic (VBS) file, when double-clicked, attempts to run using WScript aka Windows Script Host. Visual Basic scripts can both download content from servers using the Internet and execute programs using the command shell. The VB Script is highly obfuscated to try and thwart analysis, or a least provide a nice puzzle to analysts. However, once it is deobfuscated, all it does is try a few servers for an executable file, download the file, and then run it. So much like other versions of Locky, this one still uses a typical .exe file to run. The difference is that by using a compressed 7z and vbs, it may trick certain email scanning and network scanning anti-malware platforms or make the user feel that it is a safe file too.
Here’s a look at some of the code. Please click the images for a larger picture:
Using the methods outlined in this post, we successfully deobfuscated the program and extracted as much info as possible. You will notice that the previous post is titled “Deobfuscating JavaScript Malware” and this one contains a Visual Basic Script instead of JavaScript. Although the language is different, the methodology of deobfuscating and even running the two is the same. Both types of scripts can be evaluated by Windows Script Host, both can download and run files, and both essentially work in the same manner to deliver malware. PC Matic SuperShield will protect against this threat with its superior whitelisting approach.
