Locky ransomware continues to bypass security

XORed JavaScript used to evade detection

Hackers looking to plant Locky ransomware on victim's systems are using XOR obfuscation and reversing the bytes on the payloads to evade detection by network security tools.

According to investigations by security firm Proofpoint, the use of malware loaders such as RockLoader paired with the usage of malicious Javascript files has allowed Locky to remain a top threat among email distributed ransomware.

Researchers at the firm recently observed a Locky distributor embarking on further efforts to make their ransomware more elusive and effective.

"These campaigns continue to demonstrate the trend of threat actors shifting delivery mechanisms and adding new layers of obfuscation and evasion to bypass security defences. In the example above, the initial payload was actually the RockLoader malware loader which then attempted to install Locky from a sophisticated command and control (C&C) architecture," researchers at Proofpoint said in a blog post.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

XOR obfuscation disguises the code of the malicious ransomware as something that makes looks like it was part of the original binary code.

"Last week, though, we observed one Locky actor (affiliate ID 1) begin using XOR obfuscation and reversing the bytes on the payloads to evade detection by network security tools," said the researchers.

This technique has been proven to be fast and effective, which has made it a popular choice among threat actors.

"While this type of obfuscation can be particularly effective against network security products that primarily scan executables entering the network, they can also be used for sandbox evasion," they said.

The researchers recommended that users have layered forms of security to counteract the techniques of Locky, especially since it is harder than ever to be detected.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/hardware/laptops/354533/dell-xps-13-new-9300-hands-on-review-chasing-perfection
Laptops

Dell XPS 13 (New 9300) hands-on review: Chasing perfection

14 Jan 2020