Locky Ransomware has a piece of a history of going silent and growing back all of a sudden.It is evolving again and spreading via Microsoft Office Word documents.
A new wave of locky spreading through Office word documents and well as Libra office documents and the attachment looks like below.
Security researchers from Avira detected this new variant, which tricks the user into clicking the malicious file which and thereby locky will execute and your files will be encrypted and it changes to extension .asasin.
Files are being encrypted using RSA-2048 and AES-128 ciphers, and the private key available only with their servers and they are providing a .onion website which is opened in TOR for further communications. according to the following image.
Also Read: Important Security practices for users to Open Microsoft Office Documents Securely
The image in the document linked to run a PowerShell script, which tends to download another script from using Invoke-Expression which runs specific string as a command and return backs the expression.
Then the second script executes and downloads the executable dropper into %temp% folder compiled with Microsoft VC 2013 and multiple layers obfuscation to trick the victims and from security to make the reversing process tedious.
Also Read: Everything you Need to Know About The Evolution of LockyRansomware.
Avira researchers found multiple unwanted strings including the one for system32\calc.exe, by including multiple strings attacker tries to mislead the victims and make them think as the legitimate file.
Once it’s made a new process it copies to “svchost.exe” and delete the first executable by creating a new process and then it will gather information about operating systems.
Then later it passes information encrypted to the C&C servers along with the extent to retrieve the private key.
Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the…
Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the…
A critical vulnerability in Ray, an open-source AI framework that is widely utilized across various sectors, including education, cryptocurrency, and…
Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two Chinese Advanced Persistent Threat (APT) groups…
Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft SharePoint Server, CVE-2023-24955. This vulnerability poses…
Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included in the Edge Bounty Program. The…