Over the past few days, the Locky / Zepto developers have switched to using a DLL to install the Locky Ransomware rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers as rundll32.exe is typically white listed.

Locky is still being distributed via JS attachments, which when executed will download an encrypted version of the executable. Once the payload is decrypted to a DLL file it will run it using the following command:

"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323

You can see the DLL being executed by rundll32.exe in the image below.

Locky executing via  DLL
Locky executing via  DLL

Other than installing Locky via a DLL, nothing else has changed. It is still appending Zepto to the end of encrypted files and generating the same ransom notes. I am unsure what file extensions were previously being targeted, but the current extensions are:

.aes,.apk,.ARC,.asc,.asf,.asm,.asp,.asset,.avi,.bak,.bat,.bik,.bmp,.brd,.bsa,.cgm,.class,.cmd,.cpp,.crt,.csr,.CSV,.d3dbsp,.das,.dbf,.dch,.dif,.dip,.djv,.djvu,.DOC,.docb,.docm,.docx,.DOT,.dotm,.dotx,.fla,.flv,.forge,.frm,.gif,.gpg,.hwp,.ibd,.iwi,.jar,.java,.jpeg,.jpg,.key,.lay,.lay6,.lbf,.ldf,.litemod,.litesql,.ltx,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mpeg,.mpg,.ms11 (Security copy),.MYD,.MYI,.NEF,.odb,.odg,.odp,.ods,.odt,.onetoc2,.otg,.otp,.ots,.ott,.PAQ,.pas,.pdf,.pem,.php,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.PPT,.pptm,.pptx,.psd,.pst,.qcow2,.rar,.raw,.RTF,.sav,.sch,.sldm,.sldx,.slk,.sql,.SQLITE3,.SQLITEDB,.stc,.std,.sti,.stw,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tar.bz2,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.upk,.vbs,.vdi,.vmdk,.vmx,.vob,.wallet,.wav,.wks,.wma,.wmv,.xlc,.xlm,.XLS,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.xml,.zip

 

Related Articles:

The Week in Ransomware - October 19th 2018 - GandCrab, Birbware, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

Windows 10 Ransomware Protection Bypassed Using DLL Injection