
Freeriders phishing on the Locky express

The sudden emergence of Locky was a media feast: It included a fast-adapting ransomware, solid encryption, big-name victims, and a bit of paranoia over whether current security software was actually able to stop this threat.

It was a bad situation. Even worse, think about this from the perspective of an ambitious cybercriminal flogging and distributing some other, less effective malware:

  1. You get jealous.
  2. You look around at other options.
  3. You rebrand your product so it includes those hot emotional triggers of FUD (Fear, Uncertainty, and Dread) along with a message from the Authorities that can calm a reader's emotional anxiety.

The result is a phishing message that purportedly comes from the Bundeskriminalamt – The German criminal investigation police. And while the letter says it is providing a Locky removal kit, it actually provides a downloader to a Trojan banker malware. “They are just trying to use the paranoia after Locky to infect users with another malware,” says Oscar Anduiza, malware analyst at Avira.

Is there no code of honor among these thieves?

While the packaging of this email is quite timely, the malware itself is not unique. You could even say it is “known malware in a new wrapper,” he points out. Regardless of its new phishing appearance, Avira has been detecting it from the very beginning. Here is the icon of the fake tool.

Unlike Locky, this will not encrypt your files. But it will try to do the following:

  • Steal stored website passwords from browsers: Internet Explorer, Google Chrome, Firefox or Opera.
  • Steal stored account information: Server names, port numbers, login information from FTP clients and cloud storage programs.
  • Send all of this information to a remote server.
  • Add multiple copies of itself to the computer:
    • c:\Users\%user%\AppData\Local\sysmon.exe (hidden file)
    • c:\Users\%user%\AppData\Roaming\sysmon.exe (hidden file)
    • c:\Users\%user%\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\WinUpdate.exe
  • Make a number of changes to the registry to remain running and conceal itself:
    • Registry value created to run when Windows is started: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run – "System Monitor"="C:\Users\%user%\AppData\Local\sysmon.exe"
    • Registry value changed to hide files: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced – "Hidden"="02"
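The file drops and registry changes listed above are exactly the artifacts a defender can check for. The following read-only triage script is an added example and not part of the original post or Avira's tooling; it assumes it is run in a user-level PowerShell session on the affected account, and that the Explorer "Hidden" value is stored as a DWORD (so the "02" noted above compares as the number 2). Note that the legitimate Sysinternals Sysmon lives under System32 as a service, so a sysmon.exe under AppData is the suspicious part.

```powershell
# Added example (not from the original post): read-only check for the
# persistence artifacts described above. Reports findings, changes nothing.

$findings = @()

# 1. Dropped copies: sysmon.exe in AppData\Local and AppData\Roaming (hidden),
#    plus WinUpdate.exe in the Start Menu Startup folder.
$local   = [Environment]::GetFolderPath('LocalApplicationData')
$roaming = [Environment]::GetFolderPath('ApplicationData')
$startup = [Environment]::GetFolderPath('Startup')
$dropPaths = @(
    (Join-Path $local   'sysmon.exe'),
    (Join-Path $roaming 'sysmon.exe'),
    (Join-Path $startup 'WinUpdate.exe')
)
foreach ($p in $dropPaths) {
    # -Force is needed so files carrying the Hidden attribute are returned
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($f) {
        $findings += "File present: $($f.FullName) (attributes: $($f.Attributes))"
    }
}

# 2. Run-key persistence: a "System Monitor" value, or any value pointing at
#    sysmon.exe under AppData\Local or AppData\Roaming.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($prop.Name -eq 'System Monitor' -or
            "$($prop.Value)" -match '\\AppData\\(Local|Roaming)\\sysmon\.exe') {
            $findings += "Run value: $($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Explorer "Hidden" tweak: 2 means "do not show hidden files and folders",
#    which keeps the dropped copies out of sight (assumed stored as a DWORD).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name Hidden -ErrorAction SilentlyContinue
if ($adv -and [int]$adv.Hidden -eq 2) {
    $findings += "Explorer\Advanced Hidden = $($adv.Hidden) (hidden files suppressed)"
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' } else { $findings }
```

A hit on any single item is worth a closer look, but the Run value pointing at sysmon.exe under AppData is the strongest indicator, since the other two can have benign explanations on their own.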

So what can we learn from this situation:

  1. Cybercriminals are more trend conscious than a fashion model – and they will have a knock-off version of a successful piece of malware on the market within days.
  2. Security really starts with you. Call it social engineering or common sense: When in doubt, don’t click.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.