Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam
Credit to Author: Floser Bacurio, Joie Salvio, Rommel Joven | Date: Tue, 15 Aug 2017 00:22:00 +0000
Locky ransomware was first discovered in the first quarter of last year, and immediately became one of the major menaces of 2016, primarily affecting the United States.
Its effective spam delivery mechanism, combined with the constant release of variants with new evasion techniques, helped a lot with its success in the tightly packed ransomware competition. There were so many releases that there even came a point when they created some confusion regarding naming the new variants. The FortiGuard Lion Team discussed an extensive analysis of Locky’s evolution in Locky Strike: Smoking the Locky Ransomware Code, which was presented in VB last year.
Its massive distribution marathon eventually slowed down earlier this year, and we have not seen it in any major malware activity analysis ever since. This could change, however.
Spam Campaign Found in Fortinet’s KTIS
Fig.1 Recent spam campaigns leading to .diablo6 variant
A few days ago, while scouring through Fortinet’s Kadena Threat Intelligence System (KTIS)[1], we found an emerging spam campaign. Initially, it was the scale that caught our attention, and then it got a lot more interesting when the payload turned out to be a new variant of the infamous Locky.
The image below is a screenshot from KTIS showing the overview of a spam campaign that led to a Diablo6 sample as payload. This illustration is only for one payload, and we found others with similar structure.
Fig.2 Bird’s eye view of the campaign from KTIS
Isolating a branch from the illustration allows us to look at the campaign at a closer level, as shown by the next image. The figure reveals that multiple emails have the same compressed VBS attachment, which when executed, downloads a .diablo6 Locky variant from a compromised URL. The graph also shows that at the time of this writing, two unique (different) hashes of .diablo6 had already been hosted from the URL. This means that newly created samples are being pushed, possibly with different configurations, or simply as an attempt to evade specific file signatures.
Fig.3 An isolated link set of spam mails leading to the .diablo6 variant
The next figure is based on another .diablo6 variant identified by KTIS. Only this time, the attachment is a document with a VBA script that downloads the ransomware.
Fig.4 Attached macro-enabled document downloads .diablo6 variant
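The two delivery vectors described above, a zipped VBS attachment and a document carrying a VBA script, are what a mail-gateway triage step would look for. The following Python routine is an added illustration, not code from the original post or from Fortinet: it parses a constructed sample message, opens zip attachments in memory, and flags embedded scripts and macro-carrying documents. The extension lists and the sample file names are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
# Attachment types to flag. The campaign above used a zipped .vbs and a VBA document;
# the remaining extensions are assumed additions, not taken from the original post.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
MACRO_DOC_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")

def triage_attachment(filename, data):
    """Return the findings for one attachment (empty list when nothing is suspicious)."""
    name = filename.lower()
    findings = []
    if name.endswith(SCRIPT_EXTENSIONS):
        findings.append(f"script attachment: {filename}")
    if name.endswith(MACRO_DOC_EXTENSIONS):
        findings.append(f"possible macro document: {filename}")
    # Zip archives and OOXML documents both start with "PK": look inside for scripts
    # or for the vbaProject.bin part that holds VBA macros in .docm/.xlsm files.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if inner.lower().endswith(SCRIPT_EXTENSIONS):
                        findings.append(f"script inside archive: {filename} -> {inner}")
                    elif inner.lower().endswith("vbaproject.bin"):
                        findings.append(f"VBA project inside document: {filename}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable PK container: {filename}")
    return findings

def triage_message(raw_bytes):
    # Parse a raw RFC 5322 message and triage every attachment it carries.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(triage_attachment(part.get_filename() or "", payload))
    return findings

def build_sample_message():
    """Constructed sample mail: a zip attachment that contains a .vbs file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.vbs", "' constructed placeholder, not a real script\r\n")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `triage_message(build_sample_message())` reports the script hidden inside the zip; the same routine flags a `.docm` whose container holds a `vbaProject.bin` part.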
Statistics based on the samples identified by KTIS show that the malicious emails are mostly distributed to the United States and Austria, as seen in the following map.
Fig.5 Distribution map of the .diablo6 spam
Minimal Changes
Fig.6 Ransomware note of .diablo6 variant
There is no significant change in this new variant in terms of its capabilities. It should be noted, however, that this is still the malware that wreaked havoc last year, and it is not that far from doing it again today if given the chance. And like the older versions of Locky, it is not possible to decrypt files encrypted by this variant.
Most of the changes that we have discovered seem to only be attempts to complicate or prolong analysis.
This variant uses jmp instructions extensively, which can be annoying to researchers during debugging. In addition, it now employs mangled strings that are only joined together at runtime to form the victim information, which makes the strings harder to spot during static analysis.
Fig.7 Numerous jmp instructions and mangled strings to complicate analysis
Conclusion
It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters. We’ll probably see in the next few weeks or months, or maybe never. We’ll keep watching. In the meantime, since files encrypted by Locky cannot be restored, it is always safe to assume the worst with these ransomware attacks and perform regular backups with proper data isolation.
As always, the FortiGuard Lion Team will continue to monitor Locky’s activity.
IOC
Locky .diablo6 samples
5606e9dc4ab113749953687adac6ddb7b19c864f6431bdcf0c5b0e2a98cca39e – W32/Locky.KAD!tr
f689391b0527fbf40d425e1ffb1fafd5c84fa68af790e8cc4093bcc81708c11b – W32/Locky.KAD!tr
390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891 – W32/Locky.KAD!tr
Download URLs
Spam samples
[1] Fortinet's Kadena Threat Intelligence System (KTIS) is an interactive platform that extracts contextual information from files, URLs, and other artifacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.