Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript

We have recently observed new campaigns of Locky and have described
them below.

XOR obfuscation

Locky arrives as a spam email attachment that evades antispam filters
and relies on social engineering to trick users into opening the
attachment. Until now, the Locky payloads in these campaigns have
generally not been obfuscated. On May 24 we first observed a payload
obfuscated with XOR. XOR (exclusive OR) is a logical operation that
outputs "true" only when its inputs differ; as an obfuscation technique
it is simple, fast, and generally effective at evading detection. In
this case the malware was XORed with 0xFF.
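
As an added example (not code from the original post), the Python script below shows how an analyst can recover a single-byte XOR key such as the 0xFF used here from an obfuscated payload whose original is a Windows executable, using the known "MZ" DOS header and the "PE\0\0" signature as plaintext; the PE-like sample bytes are constructed here, not taken from any real sample.

```python
from typing import Optional

MZ_HEADER = b"MZ"        # DOS header magic at offset 0 of every PE file
PE_SIG = b"PE\x00\x00"   # NT header signature, located at offset e_lfanew


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call also decodes."""
    return bytes(b ^ key for b in data)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file (not a real sample): an 'MZ'
    header whose e_lfanew field (offset 0x3C) points at the PE signature
    placed at offset 0x40."""
    dos_stub = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    return dos_stub + PE_SIG + b"\x00" * 16


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Derive the single-byte key from the known 'MZ' plaintext at offset 0,
    then confirm it by checking the PE signature at e_lfanew. Returns the
    key, or None when the blob is not a single-byte-XORed PE file."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ MZ_HEADER[0]
    if blob[1] ^ key != MZ_HEADER[1]:
        return None
    decoded = xor_bytes(blob, key)
    e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
    if decoded[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    return key


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the decoded file, or None if no key fits."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


# Constructed input: the fake PE XORed with 0xFF, as in the observed campaign.
ENCODED = xor_bytes(build_fake_pe(), 0xFF)

if __name__ == "__main__":
    key = recover_xor_key(ENCODED)
    print(f"encoded header bytes: {ENCODED[:2].hex()}  recovered key: {key:#04x}")
```

Because XOR with 0xFF turns the "MZ" header into the bytes b2 a5, the same known-plaintext check can be used as a cheap scanner for XORed executables inside attachments.
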

JavaScript obfuscation

As expected, the attackers have now come up with a new twist: encoding
the downloaded file. This is a new deployment behavior intended to
avoid detection. In the last couple of days we have received several
samples of this kind.

  • Wednesday, 15 Jun 2016
  • By admin
