New Locky Ransomware Uses JScript files to avoid detection in the wild (Jul 27,2016)


The Dell SonicWALL Threats Research team observed reports of a new spam wave of the Locky malware family, detected as GAV: JScript.Nemucod.AY and JScript.Grabber.KM, actively spreading in the wild.

This recently discovered variant of Locky uses encrypted JScript files to avoid detection.

The malware spreads via spam waves, and because it arrives as a simple JScript file it seems legitimate and trustworthy at first glance.

Infection Cycle:

The malware uses the following icons:

The malware adds the following files to the system:

  • detailed analysis.wsf

    • %Userprofile%\Local Settings\Temp\Xobkg60rnv.exe

  • Sales report.wsf

    • %Userprofile%\Local Settings\Temp\mSsruTKAbsXRp.exe

The malware comes in two versions: one acts as a downloader and the other as a dropper.

Here is an example of the downloader version:

As you can see, the malware uses JScript techniques to evade detection by firewalls.

Here is the dropper example, which comes with an embedded executable file.

Once the computer is compromised, the malware copies its own executable file to the %Userprofile%\Local Settings\Temp folder.
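The downloader/dropper split described above is something a mail gateway or sandbox can triage before the script ever runs. The following Python script is an added example (not SonicWALL's code and not derived from the Locky samples): it parses a .wsf file, extracts its JScript blocks, and applies generic heuristics to separate "fetches a payload" from "carries a payload inline". The indicator strings, the base64 length threshold and the three sample files are assumptions constructed for illustration only.

```python
"""Heuristic triage of Windows Script Files (.wsf) that carry JScript.

Added example for this advisory, not SonicWALL's code. The indicator strings,
the classification rules and the sample files below are assumptions
constructed for illustration; none are taken from the Locky samples the
advisory describes.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Assumed generic indicators: COM objects JScript can use to fetch data and run
# programs, plus helpers commonly used to hide strings. Presence alone is not
# proof of malice; the goal is to surface scripts that deserve a closer look.
DOWNLOAD_INDICATORS = ("MSXML2.XMLHTTP", "WinHttp.WinHttpRequest", "ADODB.Stream")
EXECUTE_INDICATORS = ("WScript.Shell", "Shell.Application")
OBFUSCATION_INDICATORS = ("String.fromCharCode", "eval(", "unescape(")

# A run of base64 long enough to plausibly hold an executable (assumed threshold).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def extract_jscript(wsf_text):
    """Return the bodies of every <script language="JScript"> element.

    WSF is XML (a <job> holding <script> elements). A file that is not
    well-formed XML can still run under WScript, so fall back to the raw
    text rather than discarding it.
    """
    try:
        root = ET.fromstring(wsf_text)
    except ET.ParseError:
        return wsf_text
    bodies = []
    for node in root.iter("script"):
        lang = (node.get("language") or "").lower()
        if lang in ("jscript", "javascript") and node.text:
            bodies.append(node.text)
    return "\n".join(bodies)


def embedded_pe_present(script):
    """True if any long base64 run decodes to data starting with the 'MZ' header."""
    for match in BASE64_BLOB.finditer(script):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw[:2] == b"MZ":
            return True
    return False


def triage_wsf(wsf_text):
    """Classify a WSF as dropper, downloader, suspicious or no-indicators."""
    script = extract_jscript(wsf_text)
    hits = {
        "download": [s for s in DOWNLOAD_INDICATORS if s in script],
        "execute": [s for s in EXECUTE_INDICATORS if s in script],
        "obfuscation": [s for s in OBFUSCATION_INDICATORS if s in script],
        "embedded_pe": embedded_pe_present(script),
    }
    if hits["embedded_pe"]:
        verdict = "dropper"        # the payload travels inside the script
    elif hits["download"] and hits["execute"]:
        verdict = "downloader"     # fetches a payload, then runs it
    elif hits["download"] or hits["execute"] or hits["obfuscation"]:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    hits["verdict"] = verdict
    return hits


# Constructed samples (not real malware). Only object names appear, as string
# literals inside an array; these fragments do nothing when run.
SAMPLE_DOWNLOADER = (
    '<job id="detailed analysis"><script language="JScript"><![CDATA[\n'
    'var o = ["MSXML2.XMLHTTP", "ADODB.Stream", "WScript.Shell"];\n'
    'var s = String.fromCharCode(104, 105);\n'
    ']]></script></job>'
)

_FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 200).decode()  # constructed, not a real PE
SAMPLE_DROPPER = (
    '<job id="Sales report"><script language="JScript"><![CDATA[\n'
    'var payload = "' + _FAKE_PE + '";\n'
    'var target = "%TEMP%";\n'
    ']]></script></job>'
)

SAMPLE_BENIGN = (
    '<job id="hello"><script language="JScript"><![CDATA[\n'
    'WScript.Echo("hello");\n'
    ']]></script></job>'
)

if __name__ == "__main__":
    for name, sample in (("downloader", SAMPLE_DOWNLOADER),
                         ("dropper", SAMPLE_DROPPER),
                         ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage_wsf(sample)["verdict"])
```

The script is deliberately conservative: it reports which indicator groups fired rather than a single score, so an analyst can see why a file was flagged, and the XML fallback means a deliberately malformed .wsf is still inspected instead of silently skipped.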

The malware encrypts the victim's files with the RSA-2048 algorithm; the files stay encrypted until the victim pays a fee to get them back.

After encrypting all personal documents and files, it shows the following web page:

It demands that victims pay a ransom in the Bitcoin virtual currency in order to receive the decryption key that allows them to recover their files.

Command and Control (C&C) Traffic

The malware performs C&C communication over port 80. It sends the system's information to its C&C server in the following format; here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: JScript.Nemucod.AY (Trojan)

  • GAV: JScript.Grabber.KM (Trojan)
