
DLL Files Now Used to Infect With Locky and Zepto Ransomware

The malware writers behind the Locky and Zepto ransomware projects have proved once again that they are working constantly not only to infect more and more users and stay at the top of the ransomware chart, but also to refine the infection procedure itself to make their attacks even more successful, this time by using .DLL file injection.

The cyber-criminals improved their infection method by focusing on an important “bottleneck”: the types of files used to drop the malicious encryption module and the ransomware's other support modules and to carry out the encryption.

Why The New Infection Method?

The hacking team behind Locky and Zepto, who remain unknown and wanted so far, have previously used different spreading methods, such as JavaScript (.JS) files (also known as “fileless” ransomware), as well as malicious executables and exploit kits delivered directly via e-mail attachments and malicious URLs. This resulted in a high infection success rate because those files were well obfuscated and spread massively.

Related Article: Locky, Dridex Botnet Has Also Delivered TeslaCrypt (more information about the Locky spam infections)

However, unlike the previously used executables, the hackers behind Locky ransomware have once again made a change, creating the possibility to run a .dll file via the rundll32.exe process. Since most antivirus products treat this process as legitimate and skip scanning it for malicious activity, they do not detect anything suspicious, and the systems become infected with either Zepto or Locky, which still encrypt the victims' files.

How Does A DLL Infection Work?

To understand how this infection process works, we need to dissect what exactly the rundll32.exe process does.

rundll32.exe is a Windows application used to run so-called Dynamic Link Library (DLL) files, because they cannot be executed directly on their own. This is one way, and most likely the technique, that Locky or Zepto may use to successfully infect the victim's computer. However, anti-malware programs sometimes catch the suspicious activity, and this is why the virus uses so-called process obfuscation to make the DLL file evade the latest antivirus definitions. Such obfuscators, also known as file cryptors, are very expensive, and their ability to remain unnoticed vanishes extremely fast, because most antivirus programs are updated very often.
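As an added, defender-side example that is not part of the original article, the following Python flags process-creation records in which rundll32.exe loads a DLL in the way described above (a DLL sitting in a user-writable folder, launched from a mail client or script host). The record layout and the sample events are constructed for illustration and only loosely resemble Sysmon Event ID 1 fields.

```python
"""Flag suspicious rundll32.exe launches in process-creation records."""
import re
from dataclasses import dataclass

# Folders where a DLL delivered by e-mail or a script dropper would typically land.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Legitimate usage is "rundll32.exe <dll>,<ExportName> [arguments]".
RUNDLL_CMD = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?\s*(?:,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)
# Parents consistent with the delivery path described in the article (assumed list).
DELIVERY_PARENTS = {"outlook.exe", "wscript.exe", "cscript.exe", "winword.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the started process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def classify_rundll32(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like DLL-based payload execution."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "rundll32.exe":
        return []
    m = RUNDLL_CMD.search(ev.command_line)
    if not m:
        return ["rundll32 with no DLL argument"]
    reasons = []
    if USER_WRITABLE.search(m.group("dll")):
        reasons.append(f"DLL loaded from user-writable path: {m.group('dll')}")
    if ev.parent_image.lower().rsplit("\\", 1)[-1] in DELIVERY_PARENTS:
        reasons.append(f"spawned by {ev.parent_image}")
    return reasons


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged command line to the reasons it was flagged."""
    return {ev.command_line: r for ev in events if (r := classify_rundll32(ev))}


# Constructed sample events: one benign control-panel launch, one matching the pattern.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\a1b2.dll",qwerty',
              r"C:\Windows\System32\wscript.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the second event, with both the path and the parent as reasons.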

Locky and Zepto Continue Their Campaigns Even More Vigorously

Locky and Zepto ransomware are among the biggest names in the ransomware world. The way those viruses are used suggests that the team behind them has spent a lot of time keeping them alive and has a lot of experience in this field as well. One indicator of this is that the viruses are still infecting users, whereas most ransomware viruses end their lifecycle after a brief period. The ever-changing infection methods (JavaScript, malicious executables, remote brute-forcing) suggest that Locky and Zepto are here to stay and will keep making money at the expense of users.

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, and helping victims with the latest malware infections, plus testing and reviewing software and the newest tech developments. Having graduated in Marketing as well, Ventsislav also has a passion for learning about new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecurity industry and is a strong believer in the education of every user towards online safety and security.
