Over the past few days, the Locky / Zepto developers have switched to installing the Locky Ransomware with a DLL rather than an executable. This is probably being done for further obfuscation and to get past executable blockers, as rundll32.exe is a signed Windows binary that is typically whitelisted.

Locky is still being distributed via JS attachments, which, when executed, download an encrypted copy of the payload. Once the payload has been decrypted and written to disk as a DLL, the script launches it through rundll32.exe using the following command:

"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323

In the command above, the DLL is loaded from the user's %TEMP% folder under its 8.3 short name (MFJY1A~1.DLL), qwerty is the exported function that rundll32.exe calls, and 323 is the argument passed to it. You can see the DLL being executed by rundll32.exe in the image below.

Locky executing via DLL
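As an added example (not code from the article or from the Locky authors), the following Python parses process-creation command lines of the form shown above and flags rundll32.exe launches whose DLL is loaded from a user-writable folder or under an 8.3 short name, both of which the Locky command line exhibits. The sample command lines are constructed for the example (only the first mirrors the one quoted in the post), and the directory markers and indicator names are heuristic choices made here, not anything taken from the post.

```python
"""Flag rundll32.exe process launches that look like the Locky/Zepto DLL loader.

Added example, not code from the article: parses the 'rundll32.exe <dll>,<export> [args]'
command-line form and scores it on where the DLL is loaded from.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation command lines (as logged in Sysmon Event ID 1 or
# Security Event 4688). Only the first mirrors the Locky command line from the post;
# the rest are made up for this example.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll',
    r'C:\Windows\system32\rundll32.exe "C:\Program Files\Vendor\helper.dll",Init',
    r'rundll32.exe C:\Users\User\Downloads\invoice.dll,DllRegisterServer',
    r'"C:\Windows\System32\notepad.exe" C:\Users\User\notes.txt',
]

# rundll32 syntax: <path to rundll32.exe> <dll path>,<export name> [arguments]
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|[^\s"]*rundll32\.exe)\s+'  # rundll32.exe, quoted or bare
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))'               # DLL path, quoted or bare
    r'\s*,\s*(?P<entry>[^\s,]+)'                            # ,ExportName
    r'(?:\s+(?P<args>.*\S))?\s*$',                          # optional trailing arguments
    re.IGNORECASE,
)

# Heuristic markers chosen for this example: directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)
# 8.3 short-name component such as MFJY1A~1.DLL (the form in the Locky command line).
SHORT_NAME_RE = re.compile(r"~\d+(?=\.|$)")
# Where OS and vendor DLLs normally live; anything loaded from elsewhere is worth a look.
TRUSTED_ROOT_RE = re.compile(r"^[a-z]:\\(windows|program files)", re.IGNORECASE)


def analyze_rundll32(cmdline: str) -> Optional[Dict[str, object]]:
    """Return parsed fields and indicators for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    lowered = dll.lower()
    filename = lowered.rsplit("\\", 1)[-1]

    indicators: List[str] = []
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        indicators.append("dll_in_user_writable_dir")
    if SHORT_NAME_RE.search(filename):
        indicators.append("dll_uses_8dot3_short_name")
    if not TRUSTED_ROOT_RE.match(lowered):
        indicators.append("dll_outside_windows_or_program_files")

    return {
        "dll": dll,
        "entry": m.group("entry"),
        "args": m.group("args"),
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


def find_suspicious(cmdlines: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Filter a batch of command lines down to the rundll32 launches that raised an indicator."""
    hits = []
    for cmdline in cmdlines:
        result = analyze_rundll32(cmdline)
        if result and result["suspicious"]:
            hits.append((cmdline, result))
    return hits


if __name__ == "__main__":
    for cmdline, result in find_suspicious(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(result['indicators'])}: {cmdline}")
```

Feed it the CommandLine field from Sysmon Event ID 1 or Security Event 4688. The path heuristics are deliberately simple: a legitimate installer that runs a DLL out of %TEMP% will also trigger, so treat a hit as a triage lead (pull the DLL and check its exports) rather than a verdict.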

Other than installing Locky via a DLL, nothing else has changed: it still appends the .zepto extension to encrypted files and generates the same ransom notes. I am unsure what file extensions were previously being targeted, but the current extensions are:

.aes,.apk,.ARC,.asc,.asf,.asm,.asp,.asset,.avi,.bak,.bat,.bik,.bmp,.brd,.bsa,.cgm,.class,.cmd,.cpp,.crt,.csr,.CSV,.d3dbsp,.das,.dbf,.dch,.dif,.dip,.djv,.djvu,.DOC,.docb,.docm,.docx,.DOT,.dotm,.dotx,.fla,.flv,.forge,.frm,.gif,.gpg,.hwp,.ibd,.iwi,.jar,.java,.jpeg,.jpg,.key,.lay,.lay6,.lbf,.ldf,.litemod,.litesql,.ltx,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mpeg,.mpg,.ms11 (Security copy),.MYD,.MYI,.NEF,.odb,.odg,.odp,.ods,.odt,.onetoc2,.otg,.otp,.ots,.ott,.PAQ,.pas,.pdf,.pem,.php,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.PPT,.pptm,.pptx,.psd,.pst,.qcow2,.rar,.raw,.RTF,.sav,.sch,.sldm,.sldx,.slk,.sql,.SQLITE3,.SQLITEDB,.stc,.std,.sti,.stw,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tar.bz2,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.upk,.vbs,.vdi,.vmdk,.vmx,.vob,.wallet,.wav,.wks,.wma,.wmv,.xlc,.xlm,.XLS,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.xml,.zip

