Cisco Talos researcher Warren Mercer reports that the well-known ransomware Locky has gained a follower called Zepto. Attackers are actively promoting the new threat, and over the course of one week about 140,000 malicious spam messages were sent out.

The Locky ransomware was discovered in February 2016 and within a few weeks became the number one threat among file-encrypting malware. Although several months have passed since then, the first Locky copycat has only now appeared. However, the researcher notes that this does not make Zepto any less dangerous.

The new malicious campaign came to the experts' attention on 27 June 2016, when the attackers had managed to send only about 4,000 malicious emails. The campaign quickly gained momentum, and after four days the experts had observed 137,731 malicious emails.

The malware is distributed in .zip archives that contain malicious JavaScript. Detailed analysis identified 3,305 unique malware samples, each named according to the scheme "swift [XXX|XXXX].js". To send the spam, the attackers used a variety of bait messages and a range of sender profiles, including posing as company CEOs, sales staff and so on.

If the victim opens the attached archive, the JavaScript is executed. It uses wscript.exe to issue HTTP GET requests that send a number of commands to the command-and-control server. While some malware samples at this stage contact the same domain, others cycle through up to nine different ones. Zepto then begins encrypting the user's files, changing their extension to .zepto, which gave the malware its name.
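The delivery chain described above (a .js file inside a .zip attachment named "swift [XXX|XXXX].js", wscript.exe issuing HTTP GET requests, files renamed to .zepto) maps onto a few simple host-level detections. The following Python is an added example written for this page, not Talos code or a published rule; the telemetry events are constructed, and the character class used for the "X" positions in the attachment name is an assumption, since the report does not say whether they are digits or hex.

```python
import re

# Naming scheme reported by Talos: "swift [XXX|XXXX].js". Treating X as any
# word character is an assumption; tighten to [0-9a-f] if your samples allow.
ZEPTO_ATTACHMENT_RE = re.compile(r"^swift \w{3,4}\.js$", re.IGNORECASE)

# Constructed sample telemetry (not from the page): one host that walks the
# whole chain and one host with benign wscript.exe activity.
SAMPLE_EVENTS = [
    {"type": "attachment", "host": "ws01", "archive": "invoice.zip", "member": "swift 4a3f.js"},
    {"type": "attachment", "host": "ws02", "archive": "report.zip", "member": "report.docx"},
    {"type": "process", "host": "ws01", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\swift 4a3f.js"},
    {"type": "network", "host": "ws01", "image": "wscript.exe",
     "method": "GET", "url": "http://c2.example.invalid/cmd"},
    {"type": "file_rename", "host": "ws01", "old": "budget.xlsx", "new": "A1B2C3D4.zepto"},
    {"type": "process", "host": "ws02", "image": "wscript.exe", "cmdline": "wscript.exe logon.vbs"},
]


def classify(event):
    """Return the list of findings for a single event (empty when nothing matches)."""
    findings = []
    kind = event["type"]
    if kind == "attachment":
        # Stage 1: zip archive carrying a script named like the reported samples.
        if event["archive"].lower().endswith(".zip") and ZEPTO_ATTACHMENT_RE.match(event["member"]):
            findings.append("zip attachment contains script matching Zepto naming scheme")
    elif kind == "process":
        # Stage 2: Windows Script Host executing a .js file.
        if event["image"].lower() == "wscript.exe" and ".js" in event["cmdline"].lower():
            findings.append("wscript.exe launched a .js file")
    elif kind == "network":
        # Stage 3: the script host talking HTTP GET to a remote server.
        if event["image"].lower() == "wscript.exe" and event["method"].upper() == "GET":
            findings.append("wscript.exe issued an HTTP GET request")
    elif kind == "file_rename":
        # Stage 4: encrypted output gets the .zepto extension.
        if event["new"].lower().endswith(".zepto"):
            findings.append("file renamed to .zepto extension")
    return findings


def analyse(events):
    """Group findings by host so the chain can be seen end to end."""
    per_host = {}
    for ev in events:
        for finding in classify(ev):
            per_host.setdefault(ev["host"], []).append(finding)
    return per_host


def hosts_to_escalate(events, min_stages=2):
    """Hosts showing at least `min_stages` distinct stages of the chain."""
    return sorted(h for h, fs in analyse(events).items() if len(set(fs)) >= min_stages)


if __name__ == "__main__":
    for host, findings in analyse(SAMPLE_EVENTS).items():
        print(host, findings)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

Any single stage is noisy on its own (wscript.exe runs legitimate logon scripts, as the ws02 events show), so the escalation rule requires more than one stage on the same host; the attachment-name check is the only one specific to this campaign and is the part that would need updating if the naming scheme changes.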

Although in general this attack vector is not new, the experts write that it remains one of the most effective. Moreover, the parallels with Locky are obvious: both malware families are delivered by mail in the form of malicious JS files, both leave behind files of the same type, and even their ransom notes are very similar.
