We have recently observed new campaigns of Locky and have described
them below.
XOR obfuscation
Locky arrives through a spam email attachment that evades antispam
filters and attempts to trick users via social engineering into opening
the attachment. In general practice, these Locky payloads have not been
obfuscated in these campaigns. On May 24 we first observed a payload
obfuscated with XOR. XOR (exclusive OR) obfuscation is a logical
operation that outputs “true” only when inputs differ. This technique is
simple, fast, and generally effective to evade the detection. In this
case the malware was XORed with 0xFF.
...
JavaScript obfuscation
As expected, the attackers have now come up with a new twist, encoding
the downloaded file. This step is a new and different deployment
behavior to avoid detection. In the last couple of days, we have
received several samples of this kind.
Id-SIRTII/CC has the main duty to socialize with stake holders related to IT Security, to do an early monitoring and detection, give an early warning against threats to telecommunication networks from both inside and outside country, particularly in the security measures of network utilization, creating/performing/developing log files and statistics of Indonesian’s internet security.
