
Locky updated to exploit Office DDE feature and spread ransomware

Filip TRUȚĂ

October 23, 2017


A legitimate feature in Microsoft Office that allows Word to load data from other documents is being exploited to push a new variant of the Locky ransomware. Victims are reportedly targeted with malspam messages via the infamous Necurs botnet.

Under the subject line “Emailed Invoice” followed by a string of random numbers, the malspam attack leverages Microsoft Dynamic Data Exchange (DDE). Distributed with the aid of the Necurs botnet, the exploit makes Microsoft Word display dialog messages that some users might dismiss reflexively, even though the dialogs contain security warnings.

Unbeknown to them, the succession of clicks ultimately downloads and runs the Locky ransomware, locking down the victims' hard drives and demanding 0.25 Bitcoin ($1,474 at today's trading) in ransom money for the decryption keys.

Some reports claim that the new version of Locky also exploits SMB flaws in unpatched computers on a network to spread to additional victims, which would amount to wormable behavior similar to the WannaCry pathogen back in May. However, it isn't yet clear whether this is indeed the case.

The attack uses several elements to try and hide from antivirus software:

  • It exploits what is essentially intended functionality (Microsoft itself calls DDE a feature, not a bug), so as the user clicks through the security warnings, it may already be too late. As infosec expert Vess (VessOnSecurity) puts it, “Works as intended, you do get a warning. Nothing to patch.”
  • The attachment appears as a benign 7zip archive, making it harder for antimalware solutions to single it out.
  • It uses an encrypted txt file that is converted into a working Locky file only on the victim's machine, again after the fact.
  • If email spoofing is employed, the infected file can appear to come from a known sender, further increasing the possibility of fooling the user.
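Because DDE is a documented feature rather than a bug, a defender cannot wait for a patch; the practical move is to spot the DDE field codes before the document reaches a user who will click through the warnings. The following scanner is an added example written for this page, not code from Bitdefender or from the article. Word keeps field instructions in the XML parts of a .docx, either as a `w:fldSimple` attribute or as `w:instrText` runs between `fldChar` markers, and an instruction may be split over several runs, so the scanner joins those runs before matching. The `EXAMPLE_APP`/`EXAMPLE_TOPIC` strings are constructed placeholders, not a real DDE link.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE = f"{{{W_NS}}}fldSimple"
FLD_CHAR = f"{{{W_NS}}}fldChar"
INSTR_TEXT = f"{{{W_NS}}}instrText"
ATTR_INSTR = f"{{{W_NS}}}instr"
ATTR_TYPE = f"{{{W_NS}}}fldCharType"

# Word reads the first token of a field instruction as the field type;
# DDE and DDEAUTO are the link types that make Word start another program.
DDE_RE = re.compile(r"^DDE(?:AUTO)?\b", re.IGNORECASE)


def _field_instructions(xml_bytes):
    """Yield each complete field instruction found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields carry the whole instruction in a single attribute.
    for fld in root.iter(FLD_SIMPLE):
        instr = fld.get(ATTR_INSTR)
        if instr:
            yield instr
    # Complex fields spread the instruction over instrText runs between a
    # fldChar "begin" and "separate"/"end"; join the runs so a split field is
    # still seen as one instruction (nested fields fold into the outer one).
    depth, collecting, parts = 0, True, []
    for el in root.iter():
        if el.tag == FLD_CHAR:
            kind = el.get(ATTR_TYPE)
            if kind == "begin":
                depth += 1
            elif kind == "separate" and depth == 1:
                collecting = False  # what follows is the cached result, not code
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    if parts:
                        yield "".join(parts)
                    parts, collecting = [], True
        elif el.tag == INSTR_TEXT and depth > 0 and collecting:
            parts.append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return normalised DDE/DDEAUTO instructions found anywhere in a .docx.

    Every XML part under word/ is scanned (headers, footers and footnotes can
    hold fields too), whitespace is collapsed, and only the field type is
    matched, so the instruction is reported without ever being evaluated.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in _field_instructions(zf.read(name)):
                    norm = " ".join(instr.split())
                    if DDE_RE.match(norm):
                        hits.append(norm)
            except ET.ParseError:
                continue  # malformed part: skip it rather than abort the scan
    return hits


def build_docx(body_xml):
    """Constructed fixture: a minimal .docx holding only word/document.xml."""
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples. EXAMPLE_APP / EXAMPLE_TOPIC are placeholders, not a
# real DDE link; the first sample spreads the instruction over two runs.
SPLIT_DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO "EXAMPLE_APP" "EXAMPLE_TOPIC"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Emailed Invoice</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
SIMPLE_DDE_BODY = '<w:p><w:fldSimple w:instr=" DDE &quot;EXAMPLE_APP&quot; &quot;EXAMPLE_TOPIC&quot; "/></w:p>'
BENIGN_BODY = (
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>23 October 2017</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    for label, body in (("split", SPLIT_DDE_BODY), ("simple", SIMPLE_DDE_BODY), ("benign", BENIGN_BODY)):
        print(label, find_dde_fields(build_docx(body)))
```

Run against a real mail attachment, `find_dde_fields(open(path, "rb").read())` returns an empty list for ordinary DATE or PAGE fields and the joined instruction for any DDE link, which is enough to quarantine the message at the gateway without opening the document in Word. The same check applies to the file after it has been extracted from the 7zip archive the campaign uses; the archive itself tells you nothing.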


The illustration above depicts – in the simplest form – how the attack unfolds, courtesy of Brad Duncan (on duty at ICS at the time of discovery).

The updated Locky ransomware has been circulating for two months, but no major attacks have so far been recorded.

Users should follow basic safety rules and avoid downloading email attachments they are not expecting.

Bitdefender security solutions protect against this new ransomware threat.
