Researchers at Avira Virus Lab detected a new strain of the Locky ransomware that is spreading through malicious attachments disguised as legitimate documents from productivity applications like Microsoft Word and Libre Office.
The new Lock Ransomware appends the same “.asasin” extension to the file names of encrypted documents as samples analyzed by security firm PhishMe in October.
The malware authors attempt to trick the victims into double-clicking the envelope.
“This new wave is being spread through Office Word documents, not only Microsoft but also other programs such as Libre Office, which look like the following image:”
“By doing so, this sets off a cascade of actions which will end in all valuable files being encrypted and the user getting the following message.” states the analysis published by Avira.
Once the users double-click the image, a series of actions is triggered, ending with the encryption of the files on the infected machine.
The analysis of the image included in the bait Word document revealed a LNK file (Windows shortcut), by pasting the command into a text editor, the researchers discovered it is meant to run a PowerShell script.
“The script is in clear text and can easily be read. Its intent is to download another PowerShell script from a link embedded in the script and then run this script by using the Invoke-Expression function.” continues the analysis.
The second script connects a server controlled by the operators and downloads a Windows executable file, which includes several stages of code obfuscation to confuse analysts and trick people into thinking it’s a clean file.
The new strain of Locky ransomware collects information about the operating system and sends it, encrypted, to the command-and-control server that in turn replies with the encryption key.
The rapid evolution of ransomware in the threat landscape is worrisome, and this case demonstrates it.
Security experts are observing a rapid evolution of the Locky ransomware, recently they have seen it spreading via spam campaigns that rely on the Necurs botnet. A couple of weeks ago, operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection.
One of the new techniques adopted by the crooks is the use of the Dynamic Data Exchange (DDE)protocol designed to allow data transferring between applications.