We have recently observed new campaigns of Locky and have described
Locky arrives through a spam email attachment that evades antispam
filters and attempts to trick users via social engineering into opening
the attachment. In general practice, these Locky payloads have not been
obfuscated in these campaigns. On May 24 we first observed a payload
obfuscated with XOR. XOR (exclusive OR) obfuscation is a logical
operation that outputs “true” only when inputs differ. This technique is
simple, fast, and generally effective to evade the detection. In this
case the malware was XORed with 0xFF.
As expected, the attackers have now come up with a new twist, encoding
the downloaded file. This step is a new and different deployment
behavior to avoid detection. In the last couple of days, we have
received several samples of this kind.
- Wednesday, 15 Jun 2016
- By admin