Over the past few days, the Locky / Zepto developers have switched to using a DLL to install the Locky Ransomware rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers, since rundll32.exe is a signed Windows binary that is typically whitelisted.

Locky is still being distributed via JS attachments, which when executed will download an encrypted version of the payload. Once the payload is decrypted to a DLL file, the script runs it with the following command:

"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323

You can see the DLL being executed by rundll32.exe in the image below.

Locky executing via DLL
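The command line above is the useful detection artefact: rundll32.exe invoked by a script host, loading a DLL from the user's Temp directory under an 8.3 short name, with an unusual export name. The following is an added example (not code from the article or from any product) of detection logic that parses rundll32 command lines out of process-creation events and scores them on those three traits. The pipe-delimited "parent|image|commandline" event layout and the sample events are constructed assumptions for the example; the first event mirrors the command quoted in the article.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample process-creation records in an assumed "parent|image|commandline"
# layout (not any specific product's log schema). The first line mirrors the
# command line quoted in the article; the other two are benign rundll32 uses.
SAMPLE_EVENTS = [
    r'wscript.exe|C:\Windows\System32\rundll32.exe|"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323',
    r'explorer.exe|C:\Windows\System32\rundll32.exe|"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
    r'svchost.exe|C:\Windows\System32\rundll32.exe|"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\docs\notes.txt',
]

# rundll32 syntax: rundll32.exe <dll>,<ExportName or #ordinal> [arguments]
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+(?P<dll>"[^"]+"|\S+?),(?P<export>#?\w+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Directories an unprivileged user (or a script-delivered dropper) can write to.
USER_WRITABLE_DIRS = (r'\appdata\local\temp', r'\users\public', r'\programdata', r'\windows\temp')
# 8.3 short names such as MFJY1A~1.DLL, as in the article's command line.
SHORT_NAME_RE = re.compile(r'~\d+\.[a-z0-9]+$', re.IGNORECASE)
# Parents that should rarely be launching rundll32 in a typical user session.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


@dataclass
class RundllCall:
    parent: str
    dll: str
    export: str
    args: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Each heuristic is weak on its own; require two to keep noise down.
        return len(self.reasons) >= 2


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Split a rundll32 command line into (dll, export, args); None if it is not rundll32."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group('dll').strip('"'), m.group('export'), m.group('args') or ''


def assess(parent: str, cmdline: str) -> Optional[RundllCall]:
    """Score one rundll32 invocation against the three traits seen in the Locky loader."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, export, args = parsed
    call = RundllCall(parent=parent, dll=dll, export=export, args=args)
    dll_lower = dll.lower()
    if any(d in dll_lower for d in USER_WRITABLE_DIRS):
        call.reasons.append('DLL loaded from a user-writable directory')
    if SHORT_NAME_RE.search(dll):
        call.reasons.append('DLL referenced by 8.3 short name')
    if parent.lower() in SCRIPT_HOSTS:
        call.reasons.append('rundll32 spawned by a script host')
    return call


def scan(events: List[str]) -> List[RundllCall]:
    """Parse pipe-delimited events and return the rundll32 calls judged suspicious."""
    hits = []
    for line in events:
        parent, _image, cmdline = line.split('|', 2)
        call = assess(parent, cmdline)
        if call is not None and call.suspicious:
            hits.append(call)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit.parent} -> rundll32 {hit.dll},{hit.export} {hit.args}')
        for reason in hit.reasons:
            print('   -', reason)
```

Run stand-alone, the script reports only the first event: the Temp-path DLL with the short name, launched from wscript.exe, triggers all three heuristics, while the two shell32.dll invocations trigger none. Where real telemetry is available, the same logic maps directly onto Sysmon Event ID 1 or Windows 4688 fields (ParentImage / CommandLine); the two-of-three threshold is a starting point to tune, not a fixed rule.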

Other than installing Locky via a DLL, nothing else has changed. It is still appending Zepto to the end of encrypted files and generating the same ransom notes. I am unsure what file extensions were previously being targeted, but the current extensions are:

.aes,.apk,.ARC,.asc,.asf,.asm,.asp,.asset,.avi,.bak,.bat,.bik,.bmp,.brd,.bsa,.cgm,.class,.cmd,.cpp,.crt,.csr,.CSV,.d3dbsp,.das,.dbf,.dch,.dif,.dip,.djv,.djvu,.DOC,.docb,.docm,.docx,.DOT,.dotm,.dotx,.fla,.flv,.forge,.frm,.gif,.gpg,.hwp,.ibd,.iwi,.jar,.java,.jpeg,.jpg,.key,.lay,.lay6,.lbf,.ldf,.litemod,.litesql,.ltx,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mpeg,.mpg,.ms11 (Security copy),.MYD,.MYI,.NEF,.odb,.odg,.odp,.ods,.odt,.onetoc2,.otg,.otp,.ots,.ott,.PAQ,.pas,.pdf,.pem,.php,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.PPT,.pptm,.pptx,.psd,.pst,.qcow2,.rar,.raw,.RTF,.sav,.sch,.sldm,.sldx,.slk,.sql,.SQLITE3,.SQLITEDB,.stc,.std,.sti,.stw,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tar.bz2,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.upk,.vbs,.vdi,.vmdk,.vmx,.vob,.wallet,.wav,.wks,.wma,.wmv,.xlc,.xlm,.XLS,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.xml,.zip

