Threat Research

Diligence is the Mother of Good Locky Detection

By Floser Usal Bacurio | June 01, 2016

These past few weeks, here at FortiGuard Labs we have created a system which monitors Locky ransomware.

This system collects new samples and extracts the configuration of the malware. Last 05/30/2016 and 05/31/2016, we found two new variants with some updates added to its code. In this post, we will share first its update specifically on its URI and HTTP POST request and then the new feature.


URI update

Previously, the URI had /userinfo.php which is found from its configuration. With the new variants discovered, the URI has been updated to /access.cgi, then after /upload/_dispatch.php.


Figure 1: /access.cgi post


Figure 2: /upload/_dispatch.post


As shown from Figure 1 and Figure 2, the HTTP POST Data format is different. Figure 2, which is the latest variant of Locky, now updates the encoding format of data.


New Function - Encrypted HTTP POST Data Encoding Format 

This new variant added a new function which encodes the encrypted HTTP POST Data request. From the previous variant, after encrypting the HTTP POST Data request, Locky will directly send the encrypted request in binary form. On the latest variant, with a URI that has /upload/_dispatch.php, the encrypted data is encoded using URL encoding. Also known as percent encoding, it is a mechanism use to translate character or hexadecimal value to ASCII representation. For example, in form of 0xAD hex value, it will be translated in ASCII string as %AD.


Figure 3: Added Data Encoding Function


Encoding HTTP POST Data Request

The data to be encoded has the following encoding format.

{Random Char(random length)}={URL encoded data(random chunk length from encrypted post data)}&


Figure 4: Example of Data Encoded


As with its encoding format, it uses the API CryptGenRandom(), that will be called in function genRandom_4bytes as shown in Figure 5 and Figure 6, which generates random value to be used as length of random character, length of chunk data to be encoded, and the random characters. Figure 5 also shows the complete data encoding function, as of Figure 6 shows its custom random character generator function used in front of its encoding format. 


Figure 5: Complete Data Encoding Function


Figure 6: Generate Random Character


The packet captured below shows the final encoded POST DATA which will be sent to the C&C.


Figure 7: Encoded POST DATA Packet


Conclusion

Our team will continue to monitor the development regarding this Locky malware. We will keep you posted whenever we discover new updates. Watch out for our upcoming Virus Bulletin 2016 Conference Presentation.

Sample SHA256: 03e3cc01a263edb9aefb411ebf2efb74d2130651400dc3baaa5e344ff1ec47ad

AV Signature Detection: W32/Locky.AEW!tr

Application Control Detection: Locky.Botnet


-=FortiGuard Lion Team=-

Join the Discussion