Today’s fax malspam word macros leads to Locky ransomware — 8 Comments

  1. Decryption key from downloaded file to exe is slBRvKoJkvxRnoyvtDoF53Z2Imyl2zNr
    Does a simple xor in blocks of 32 bytes.
    Not sure if this is supposed to thwart antivirus, as they still have to save the file to disk.

  2. Antivirus is aware of this one and the previous one.
    Kaspersky and Sophos wouldn’t let me even view the executable in a hex editor. This and the previous one
    (with key fCjsPNjCNFFWEOiPD5q4uOzBQXkWjOQP)
    They must be reusing old executables and focusing on deployment methods.

    • We’ve been stopping these for ages, but then again we have an email appliance that lets us put rules in to stop things, and that allows us to filter out certain attachment types. If you’re Joe Public, your options are limited. If you think an attachment could be bad, run it through General rule is If you don’t know the sender, be suspicious.

  3. If you think about it what they are doing it pretty trivial. They are reforming an exe file.
    all exe files start with
    00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ··············
    00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ········@·······
    So by xor-ing their file with these 32 bytes, you get the key, without downloading the docm file.
    Then use the key to reform the whole file, and send it to Antivirus vendors.
    Oops! Try again bad guys.

    BTW MZ Stands for Mark Zbikowski. He invented the exe file format.

  4. Seeing as they are doing base 64 stuff anyway, I don’t undersand why they don’t just put a base64 up and download it 😛
    Oh hold on! I already have the base64 for ‘This program cannot be run in DOS mode’ in my filter.

Leave a Reply

Your email address will not be published. Required fields are marked *