What’s Locky Ransomware?

Hello everybody,

Locky Ransomware Spreads via Flash and Windows Kernel Exploits.

A zero-day vulnerability (designated CVE-2016-1019) was recently found in Adobe Flash Player. The Magnitude Exploit Kit began using this flaw soon afterwards, and Adobe released an out-of-cycle patch. The flaw was exploited in drive-by download attacks with Locky ransomware as the payload. The ransomware is not the only threat, however: on top of the Flash exploit, an old privilege-escalation exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies.

The attack was analysed using captured network traffic and a downloader file (detected as TROJ_LOCKY.DLDRA). The network traffic was consistent with the use of a CVE-2016-1019 exploit. Meanwhile, the downloader used an unusual kernel exploit. It connected to a command-and-control (C&C) server located at 202[.]102[.]110[.]204:80 and installed the Locky ransomware. To do this, it used several kernel-level system mechanisms: work items, system threads, and asynchronous procedure calls (APCs). These do not require any files to be created, and allow the malware to be installed onto the system without detection.

The downloader hides its malicious behavior at runtime and compromises svchost.exe, the system process used by Windows to host various services. It also checks the version of Windows in use and the date when the vulnerable file (win32k.sys) was modified before attempting the exploit; this may be done to reduce the risk of detection.

The exploit may have been used to evade detection, particularly by products that rely on sandboxing technology. In addition, the cloaking behavior built on this kernel exploit adds complexity and makes analysis and sandbox detection more difficult. A code branch found during analysis suggests that different kernel exploits may be used for later versions of Windows.


This downloader used complex and subtle techniques to connect back to its C&C server. We believe that was done to hide its malicious routines under seemingly normal and benign system behavior which can be white-listed or bypass any defenses.

Relatively few people pay attention to kernel exploits, or to any behavior caused by them. That may be one reason the downloader used this technique. In addition, system-provided mechanisms such as work items, APCs, and system threads are usually disregarded and not monitored for malicious behavior. Monitoring them is also difficult, as their structures are usually volatile and only exist at run time.

On the other hand, the svchost process connecting to outside networks is considered perfectly normal, as the process is designed to provide many services for other Microsoft processes. Hiding network traffic here would be considered ideal.
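Because svchost.exe traffic blends in so well, one defensive counter is to treat svchost connections as a class of their own and check them against a destination allowlist, the known C&C address from this report, and the binary's expected location. The following is an added example (not code from the original post or from Trend Micro) run over constructed Sysmon-style network-connection lines; the allowlisted ranges and legitimate svchost directories are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Sysmon-style network-connection (Event ID 3) lines; not real telemetry.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\svchost.exe | DestinationIp: 202.102.110.204 | DestinationPort: 80",
    "Image: C:\\Windows\\System32\\svchost.exe | DestinationIp: 10.0.0.5 | DestinationPort: 445",
    "Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe | DestinationIp: 93.184.216.34 | DestinationPort: 443",
    "Image: C:\\Users\\Public\\svchost.exe | DestinationIp: 192.168.1.20 | DestinationPort: 8080",
    "Image: C:\\Windows\\System32\\svchost.exe | DestinationIp: 23.45.67.89 | DestinationPort: 443",
]

# The C&C address from the report, written defanged there as 202[.]102[.]110[.]204.
KNOWN_C2 = {"202.102.110.204"}

# Assumption: ranges svchost.exe is expected to talk to (internal networks only in this example).
ALLOWED_DESTINATIONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: directories where a genuine svchost.exe lives on a standard install.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

LINE_RE = re.compile(r"Image: (?P<image>.+?) \| DestinationIp: (?P<ip>[\d.]+) \| DestinationPort: (?P<port>\d+)")


def classify(line):
    """Return (reason, ip, port) for a suspicious svchost.exe connection, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    image, ip, port = m["image"].lower(), ip_address(m["ip"]), int(m["port"])
    if not image.endswith("\\svchost.exe"):
        return None  # other processes are out of scope for this rule
    if not image.startswith(LEGIT_SVCHOST_DIRS):
        return ("svchost_outside_system_dir", str(ip), port)  # masquerading binary
    if str(ip) in KNOWN_C2:
        return ("known_c2", str(ip), port)
    if any(ip in net for net in ALLOWED_DESTINATIONS):
        return None  # expected internal traffic
    return ("unexpected_destination", str(ip), port)


def triage(lines):
    """Run the rule over a batch of event lines and return only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for reason, ip, port in triage(SAMPLE_EVENTS):
        print(f"{reason}: {ip}:{port}")
```

In production the allowlist would be populated from observed baseline traffic (update servers, domain controllers, and so on) rather than hard-coded.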

It is strongly advised to update systems with the latest version of Adobe Flash Player.

See the technical details with diagrams at: http://blog.trendmicro.com/trendlabs-security-intelligence/locky-ransomware-spreads-flash-windows-kernel-exploits/

Source: Akati
