DLL Files Now Used to Infect With Locky and Zepto Ransomware

The malware writers behind the Locky and Zepto ransomware projects have proved once again that they work constantly not only to infect more users and stay on top of the ransomware chart, but also to refine the infection procedure itself so that their attacks succeed more often. The latest change is the use of .DLL file injection.

The way these cyber-criminals improved their infection method was to focus on a very important "bottleneck": the types of files used to carry out the encryption and to drop the malicious encryption module and the other support modules of the ransomware.

Why The New Infection Method?

The hacking team behind Locky and Zepto, who remain unknown and wanted so far, have previously used different spreading methods: JavaScript (.JS) files, also referred to as "fileless" ransomware, as well as malicious executables and exploit kits delivered through e-mail attachments and malicious URLs. This resulted in a high infection rate, because those files were well obfuscated and spread massively.

Related Article: Locky, Dridex Botnet Has Also Delivered TeslaCrypt (more information about the Locky spam infections)

However, unlike the executables used previously, the hackers behind Locky ransomware have once again made a change, creating the possibility of running a .dll file via the rundll32.exe process. Since most antivirus products treat this process as legitimate and skip scanning it for malicious activity, they do not detect the suspicious behaviour, and the systems end up infected with either Zepto or Locky, which still encrypt the victims' files.

How Does A DLL Infection Work?

To understand how this infection process works, we need to dissect exactly what the rundll32.exe process does.

Originally, rundll32.exe is a Windows application used to run the so-called Dynamic Link Library (DLL) files, because they have no way of being executed directly. This is one way, and most likely the technique, that Locky or Zepto may use to successfully infect the victim's computer. However, anti-malware programs sometimes catch suspicious activity, which is why the virus uses so-called process obfuscation, allowing the DLL file to slip past the latest antivirus definitions. Such obfuscators, also known as file cryptors, are very expensive, and their ability to remain unnoticed vanishes extremely fast, because most antivirus programs are updated very often.
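Because rundll32.exe itself is a signed Windows binary, the defender's signal is not the process but what it is asked to load and who launched it. The triage below is an added example, not code from the article or from SensorsTechForum: it walks constructed Sysmon-style process-creation events (the field names Image, ParentImage and CommandLine are an assumption about the log format) and flags rundll32 launches whose DLL argument sits in a user-writable directory or whose parent is a script host or Office application, the two traits a mail-delivered DLL dropper is most likely to show.

```python
import re

# Constructed sample events (not real telemetry); field names assume a
# Sysmon-style export with Image, ParentImage and CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.dll,qwerty"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": r"rundll32.exe %TEMP%\update.dll,#1"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Locations an unprivileged user (or a downloader script) can write to.
USER_WRITABLE = re.compile(
    r"(\\Users\\|\\AppData\\|\\Temp\\|%TEMP%|%APPDATA%|\\ProgramData\\|\\Downloads\\)", re.I)
# Parents that rarely have a legitimate reason to launch rundll32.
SCRIPT_OR_OFFICE_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe",
                            "powershell.exe", "winword.exe", "excel.exe", "outlook.exe")


def dll_argument(cmdline):
    """Return the DLL path handed to rundll32 (quoted or bare), or '' if absent."""
    m = re.match(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s*(.*)$', cmdline, re.I)
    if not m:
        return ""
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return re.split(r"[,\s]", rest, 1)[0]


def triage(events):
    """Return (dll_path, reasons) for each rundll32 launch that looks like a loader abuse."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\rundll32.exe"):
            continue
        reasons = []
        dll = dll_argument(ev["CommandLine"])
        if USER_WRITABLE.search(dll):
            reasons.append("dll in user-writable path")
        parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
        if parent in SCRIPT_OR_OFFICE_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append((dll, reasons))
    return findings
```

On the sample set the Control Panel launch from explorer.exe is left alone while both droppers are reported with two reasons each; in production the same rule should also be fed the DLL's export name, since entry points like "qwerty" have no counterpart in signed system libraries.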

Locky and Zepto Continue Their Campaigns Even More Vigorously

Locky and Zepto ransomware are among the biggest names in the ransomware world. The way those viruses are used suggests that the team behind them has spent a lot of time keeping them alive and has a lot of experience in this field as well. One indicator of this is that the viruses are still infecting users, whereas most ransomware viruses end their lifecycle after a brief period of time. The ever-changing infection methods (JavaScript, malicious executables, remote brute-forcing) suggest that Locky and Zepto are here to stay and will keep making money at the expense of users.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
