Trojan downloaders on the rise: don’t let Locky or TeslaCrypt ruin your day
| Field | Value |
|---|---|
| Botnet | Nemucod, TeslaCrypt, Locky |
| Malware | |
| Botnet/malware group | Cryptolocker |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | Nemucod |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2016-03-18 |
| Editor/Conference | ESET Welivesecurity |
| Link | http://www.welivesecurity.com/2016/03/18/trojan-downloaders-rise-dont-let-locky-teslacrypt-ruin-day/ |
| Author | Josep Albors |
| Type | Blogpost |
Abstract
“Win32/Filecoder.Locky.A is a ransomware variant that encrypts files with over 100 file types such as images, videos, databases, etc. on fixed, removable, and network drives. When executed, the ransomware copies itself into the following location: %temp%\svchost.exe and adds a registry entry in order to be executed on every system start.
The attack vector is a regular email message with an attachment (previous variants were using Word or Excel attachments containing malicious macros). This attachment comes with a Trojan Downloader, usually from the family detected by ESET as JS/TrojanDownloader.Nemucod, among other variants. Once opened, this attachment contains a JavaScript (.js) file, and when it is executed it downloads and executes the payload, Locky in this case.”
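The abstract describes two observables a defender can act on: a mail attachment that is (or wraps in a ZIP) a Windows script, and a Run-key entry pointing at an svchost.exe copied into %temp%. The following is an added example, not ESET's code and not from the original post. It triages a raw RFC 822 message for script attachments (directly attached or inside a ZIP) and checks a dictionary of Run-key values for an svchost.exe that does not live under System32. The sample mail and registry values are constructed inline; the extension list goes beyond the .js the post names and is an assumption, as is the file name invoice_0318.js.

```python
"""Triage for Nemucod-style JS downloader mail and Locky-style persistence.

Added example, not ESET's code.  Sample mail and registry values are
constructed inline; the extension list is an assumption for breadth.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script types Windows Script Host / mshta run from a double-click.
# The post names only .js; the others are assumed for coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def _script_ext(name):
    """Return the script extension if *name* ends in one, else None.

    endswith() also catches double extensions such as invoice.pdf.js.
    """
    lower = name.lower()
    for ext in SCRIPT_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def triage_attachments(raw_message):
    """Return (attachment name, finding) pairs for a raw RFC 822 message.

    Flags script attachments and scripts hidden inside ZIP archives, the
    chain the post describes: mail -> .zip -> .js -> download Locky.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _script_ext(name)
        if ext:
            findings.append((name, "script attachment (%s)" % ext))
            continue
        if data[:2] == b"PK":  # ZIP local-file-header magic
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        mext = _script_ext(member)
                        if mext:
                            findings.append(
                                (name, "archive contains %s: %s" % (mext, member)))
            except zipfile.BadZipFile:
                findings.append((name, "PK header but not a valid ZIP"))
    return findings


def _command_image(cmd):
    """Extract the executable path from a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(run_values):
    """Return Run-key value names whose image is an svchost.exe outside System32.

    *run_values* maps value name -> command string as read from
    HKCU or HKLM \\Software\\Microsoft\\Windows\\CurrentVersion\\Run.  The
    post says Locky copies itself to %temp%\\svchost.exe and adds such an
    entry; the genuine svchost.exe lives only under %SystemRoot%\\System32.
    """
    hits = []
    for name, cmd in run_values.items():
        image = _command_image(cmd).lower()
        if image.endswith("svchost.exe") and "\\system32\\" not in image:
            hits.append(name)
    return hits


def build_sample_message():
    """Constructed sample: a mail whose ZIP attachment wraps invoice_0318.js."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for a downloader script; it does nothing.
        zf.writestr("invoice_0318.js", "// placeholder downloader body\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, finding in triage_attachments(build_sample_message()):
        print(att, "->", finding)
    print(suspicious_run_entries({
        "svchost": r"%temp%\svchost.exe",
        "legit": r"C:\Windows\System32\svchost.exe -k netsvcs",
    }))
```

The mail check keys on the archive content rather than the outer file name, because the .zip wrapper is exactly what lets a .js past naive extension filters. The persistence check looks at the image path only, not the arguments, so the legitimate `svchost.exe -k netsvcs` entry is not flagged while a copy in %temp% is.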
Bibtex
@misc{2016BFR4881,
  editor = {ESET Welivesecurity},
  author = {Josep Albors},
  title = {Trojan downloaders on the rise: don’t let Locky or TeslaCrypt ruin your day},
  day = {18},
  month = Mar,
  year = {2016},
  howpublished = {\url{http://www.welivesecurity.com/2016/03/18/trojan-downloaders-rise-dont-let-locky-teslacrypt-ruin-day/}},
}