This post was last edited by jasonliul on 2016-8-29 14:31
The criminal group behind the Locky ransomware has updated their malware, and newer versions of this threat are being installed disguised as DLL files, instead of the classic EXE binaries.
The Locky ransomware has morphed more than any other ransomware active today. The reason behind this is that the malware was created and developed by the same group that created the Dridex banking trojan, who also own one of the most active botnets on the Internet.
As such, resources are never scarce with this group, who have the money, time, and knowledge to evolve their ransomware with new techniques at regular intervals, in order to avoid security software and keep security researchers on their toes.
"Locky experiments with DLLs instead of EXEs"
The latest of this change is an update to how Locky reaches its victims and how the encryption process starts.
According to cyber-security vendor Cyren, recent Locky versions drop DLL files on infected computers, instead of EXE files. The rest of the infection chain remains as we know it. [Switched to the DLL format]
Locky reaches victims via spam messages that have a ZIP file attached to the email body. Unzipping this ZIP drops a JavaScript file, which when executed downloads the DLL file (instead of the classic EXE).
This file is injected into a process, and its malicious code executed, which starts the file encryption operation. Another new feature is that this DLL file uses a custom packer to prevent anti-malware scanners from easily detecting it.
This version locks files and appends the .zepto extension at the end, meaning this is a version of the Zepto ransomware, another name for Locky, but still the Locky ransomware.
"Locky has suffered many changes"
In the past, Locky has suffered many other mutations. Some have lasted, some not.
For example, Locky spam using Office documents [using the official document format] and WSF files instead of ZIP & JS files has gone up. Other versions have used websites with vulnerable PHP forms to send the email spam, instead of the classic botnets used by the Dridex gang.
Towards the end of July, Locky experimented with embedding the entire ransomware binary in the JS file and then reconstructing the EXE file when executing the JS file, instead of downloading it from an online server.
Another version also added support for working without an Internet connection, even if it featured a weaker encryption method.
It's these constant updates that have kept Locky one step ahead of security researchers, and that's why a decrypter has never been created for Locky until now.
Source
http://news.softpedia.com/news/n ... l-file-507646.shtml
More details from the Bleeping malware community (BleepingComputer)
Locky / Zepto Ransomware
http://www.bleepingcomputer.com/ ... stalled-from-a-dll/
This thing is really spreading like wildfire~~~
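The delivery chain the article describes (spam with a ZIP attachment, a JavaScript file inside, and in a later variant WSF files) can be caught at the mail gateway before the script ever runs, because the archive directory alone reveals a script member. The following is an added example written for this repost; it is not code from the Softpedia article, Cyren, or BleepingComputer. It only reads the ZIP directory (and one or two nested levels) and never extracts or executes anything. The extension set beyond .js and .wsf, the nesting limit, the size cap, and the sample archives are all my own assumptions, and the sample "scripts" are inert placeholder text.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script extensions the article names as Locky droppers: .js (ZIP + JS chain)
# and .wsf (the later WSF variant). .jse and .vbs are added as an assumption;
# the article does not mention them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
MAX_NESTING = 2             # assumption: how many nested ZIP levels to inspect
MAX_INNER_BYTES = 5_000_000  # assumption: skip inner archives larger than this (zip-bomb guard)


def suspicious_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """List members of a ZIP attachment whose file extension is a script type.

    Only the central directory is consulted, plus the raw bytes of nested
    ZIPs (bounded by MAX_NESTING and MAX_INNER_BYTES). Nothing is written to
    disk or executed, so this is safe to run on every inbound attachment.
    Double extensions such as "invoice.pdf.js" are caught because only the
    last suffix is examined.
    """
    hits: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all: nothing for this check to decide
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
            elif (suffix == ".zip" and depth < MAX_NESTING
                  and info.file_size <= MAX_INNER_BYTES):
                inner = zf.read(info)
                hits.extend(f"{info.filename}/{h}"
                            for h in suspicious_members(inner, depth + 1))
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: hold any ZIP attachment that carries a script member."""
    return bool(suspicious_members(zip_bytes))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real Locky artifacts): the "script" bodies are inert text.
DROPPER_ZIP = build_zip({"invoice_0829.js": b"// constructed placeholder, not a dropper\n"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"scan.wsf": b"<job></job>\n"})})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed\n", "notes.txt": b"hello\n"})

if __name__ == "__main__":
    for label, sample in (("dropper", DROPPER_ZIP), ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(f"{label}: members={suspicious_members(sample)} -> {verdict}")
```

Run it directly to see the three verdicts; in a gateway you would call should_quarantine on each ZIP attachment's bytes and hold or strip the message on a hit. This is a cheap first-line filter for the ZIP-plus-script chain described above, not a replacement for scanning the downloaded payload, so it does nothing about the Office-document or PHP-form delivery variants the article also mentions.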