New Downloader for Locky

Through DTI Intelligence analysis, we have observed Locky malware rise
to prominence recently. Locky is ransomware that is aggressively
distributed via downloaders attached to spam emails, and it may have
surpassed the Dridex banking trojan in popularity. In previous
campaigns, the ransomware was downloaded by a macro-based downloader or
a JavaScript downloader. However, in April 2016, FireEye Labs observed
a new development in the way this ransomware is downloaded onto a
compromised system.

In a recent Locky spam campaign using ‘Photos’ as a theme (Figure
1), we saw a new binary being downloaded by the JavaScript found in
the attached ZIP file, as seen in Figure 2. This JavaScript downloader
reached out to “hxxp://”.

Figure 1: Recent Locky spam campaign

Figure 2. Locky spam ZIP attachment containing JS downloader

New Downloader (MD5: c5ad81d8d986c92f90d0462bc06ac9c6)

The new downloader has a custom network communication protocol. In
our tests, it only downloads the Locky ransomware as its payload. This
malware seems to be in an early stage of development, as it only
supports commands for downloading and executing an executable and for
deleting itself. Since it can download and run a new executable, the
malware can also update its own binary, leaving open the possibility
of more commands being supported later.

The malware communicates with its command and control (C2) server over
HTTP using a custom encryption algorithm. The first beacon to the
hard-coded C2 asks for a task for the malware to execute. The format
of the unencrypted message sent to the C2 is shown in Figure 3.

Figure 3. Raw message format

ID1 – derived from the HDD Volume Serial Number
ID2 – 2222222222 (hard-coded value)
ID3 – randomly generated number
ID4 – derived from the bit-masked OS version and system architecture
– UTC time the message is created
type – getjob (hard-coded value)

This beacon string is encrypted with the custom algorithm shown in
Figure 4 before it is sent to the C2. The custom encryption is
composed of XOR operations and bit shifts.

Figure 4. Custom string encryption

After encryption, an ‘A’ (0x41) character is appended to the
encrypted message. The beacon is delivered via an HTTP POST request.
In this sample, it reaches out to hxxp://, as shown in Figure 5.

Figure 5. Encrypted HTTP POST request and C2 response
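As an added example (not code from the original post or from FireEye), the following Python heuristic scans HTTP POST bodies for the beacon trait described above: an opaque, encrypted-looking payload followed by a single trailing 0x41 byte. The entropy and non-printable thresholds, the transaction tuples and the sample bodies are assumptions constructed here for illustration and should be tuned against your own traffic.

```python
import math
from collections import Counter

TRAILER = 0x41        # the 'A' byte appended after encryption (from the post)
ENTROPY_MIN = 4.0     # assumed threshold, bits per byte
NONPRINT_MIN = 0.25   # assumed minimum fraction of non-text bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII plus tab/CR/LF."""
    if not data:
        return 0.0
    text = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return sum(1 for b in data if b not in text) / len(data)

def score_post_body(body: bytes) -> dict:
    """Score one POST body: trailer present AND payload looks encrypted."""
    has_trailer = len(body) > 1 and body[-1] == TRAILER
    payload = body[:-1] if has_trailer else body      # strip the trailer first
    ent, npr = shannon_entropy(payload), nonprintable_ratio(payload)
    return {"trailer": has_trailer, "entropy": round(ent, 3),
            "nonprintable": round(npr, 3),
            "suspicious": has_trailer and ent >= ENTROPY_MIN and npr >= NONPRINT_MIN}

def flag_transactions(transactions):
    """Return ids of (id, method, body) POST transactions matching the heuristic."""
    return [tid for tid, method, body in transactions
            if method == "POST" and score_post_body(body)["suspicious"]]

# Constructed sample traffic (not real captures).
OPAQUE = bytes((i * 37 + 11) & 0xFF for i in range(64))   # 64 distinct byte values
SAMPLES = [
    ("t1", "POST", b"user=alice&action=login&token=A"),  # plain form data ending in 'A'
    ("t2", "POST", OPAQUE + b"A"),                       # opaque payload + 0x41 trailer
    ("t3", "POST", OPAQUE),                              # opaque payload, no trailer
    ("t4", "GET", b""),                                  # no body at all
]

if __name__ == "__main__":
    for tid, _, body in SAMPLES:
        print(tid, score_post_body(body))
    print("flagged:", flag_transactions(SAMPLES))   # ['t2']
```

Only t2 is flagged: t1 carries the trailer but its payload is plain text, and t3 is opaque but lacks the trailer.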

The C2 server responds with an encrypted message that tells the
malware what action to take. Decrypting the C2 response is possible
with the Python code shown in Figure 6.

Figure 6. C2 response decryptor

The decrypted message contains a URL from which to download a binary,
in this case an updated Locky binary.

Figure 7. Decrypted message

The ‘command’ field can be ‘UPDATE’, ‘NOTASKS’ or ‘DEL’: ‘NOTASKS’
means the C2 has no further instructions for the moment, and ‘DEL’
instructs the downloader to delete itself from the victim machine by
dropping and executing a batch file.

Further inspection of this malware reveals several small DLL files
embedded in the binary. Which DLL is used depends on the OS
environment of the compromised system. The following is a brief
description of the embedded DLLs:

1.  32-bit and 64-bit DLLs that execute a file via the CreateProcessW
    API.
2.  A 64-bit binary used for bypassing User Account Control (UAC),
    which elevates privileges for a specified process. The debug
    symbol path is not stripped from this 64-bit binary.

Locky DGA update

The Locky sample downloaded (MD5: 357c162a35c3623d1a1791c18e9f56e7)
has updated its DGA. The DGA has the following differences:

  • The TLD is no longer randomly generated; it is picked from the
    following list: ["ru", "info", "biz", "click", "su", "work", "pl",
    "org", "pw", "xyz"]
  • The constant 0x2709a354 is no longer used
  • New constants were introduced: 0x1bf5, 0xd8efffff, 0x65cad

We provide an update to the shared DGA code from our previous blog,
as shown in Figure 8.

Figure 8. Updated Locky Domain Generation Algorithm


The actors behind the Locky ransomware are actively seeking new ways
to install their malware on victim computers. That may be one of the
reasons this new downloader is being introduced into the current
distribution framework. This downloader could also become a new
platform for installing other malware (“Pay-per-Install”).





This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog