{"id":11172,"date":"2022-04-12T05:42:07","date_gmt":"2022-04-12T05:42:07","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11172"},"modified":"2022-04-12T05:42:07","modified_gmt":"2022-04-12T05:42:07","slug":"continuing-with-locky-delivered-via-malspam","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/continuing-with-locky-delivered-via-malspam\/","title":{"rendered":"Continuing With Locky Delivered Via Malspam"},"content":{"rendered":"
I haven’t posted much this week about the continual Locky JavaScript downloaders because they quite frankly haven’t been worth bothering with. Yes, there have been quite a few of them, but they have been such generic emails with such vague subjects as Photos, invoice, financial report, images etc. Some of them have had a generic bland body saying something like the below, where the alleged sender’s name matches the name in the body of the email and the job title changes with each email.

Hello rob,
I have attached the financial report you requested.
Regards
Karin Pacheco
Business Director USA Job

Today’s are no different so far, coming in 2 batches: the 1st about a financial report and the second with a totally blank body and a subject saying images, photos or pictures. The 1st ones contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation.

The alleged sender’s name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of. This blog post describes how to manually deobfuscate these horridly difficult & tricky JavaScript files. There are numerous download locations, but all eventually end up with the same Locky ransomware binary. Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of this nasty ransomware.

The second batch about photos are easy to deal with and contain a minimally obfuscated JavaScript file that downloads a working .exe file directly.

They all deliver ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won’t.

Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

29 June 2016 : photo42744.zip : Extracts to: NIKON00061473034407.js. Current VirusTotal detections: MALWR shows a download from which was renamed on download to spuMCzFlvvg.exe (VirusTotal).

29 June 2016 : rob_report_xls_227699.zip : Extracts to: swift 7c7.js. Current VirusTotal detections: MALWR shows a download from which gives an encrypted file that is detected as plain txt or data but gets converted by the JavaScript to ye6WVhz4F2H94WZX.exe (VirusTotal).

Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Dridex / Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of these nasty ransomware or banking password-stealer Trojans.

This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely for you to accidentally open it and be infected.