Locky ransomware is back once again, this time being spread by a new exploit kit, based on the previously known Sundown. The new exploit kit is dubbed Bizarro Sundown and was first noticed on October 5 and then again on October 19, as reported by researchers at TrendMicro.
Apparently, the highest number of users infected by this campaign is currently found in Taiwan and Korea. The exploit kit is a lot like its predecessor but with some improvements, such as added anti-analysis features. In addition, the attack observed on October 19 altered its URL format to imitate legitimate web advertisements. Researchers say that both versions were used in the ShadowGate/WordsJS campaign.
More about the ShadowGate campaign
First identified in 2015, the ShadowGate campaign targeted locally installed Revive and OpenX open-source advertising servers. Once compromised, the servers act as gateways to the exploit kit for malware distribution. While the campaign was reportedly shut down in September this year, TrendMicro found that it is still alive and well, using 181 compromised sites to deliver ransomware.
TrendMicro observed ShadowGate in September deploying the Neutrino exploit kit to drop a variant of Locky (the .zepto extension). On October 5, the campaign switched to Bizarro Sundown. Two weeks later, on October 19, a modified version of Bizarro Sundown was detected.
A look into the latest attacks dropping Locky ransomware
One particularly interesting aspect of these attacks is that the number of infected machines drops to zero on weekends.
Researchers observed the ShadowGate campaign “closing their redirections and removing the malicious redirection script from the compromised server during weekends and resuming their malicious activities on workdays.”
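The workday-only pattern described above is something a defender can look for in their own proxy or web-server logs. The script below is an added illustration, not code from the original article or from TrendMicro: it buckets observed redirects per referring host by day of week and flags hosts whose redirects appear only on workdays across several weeks. The log format, host names, timestamps and the two-week threshold are all constructed assumptions for the example.

```python
"""Weekday/weekend activity profile for redirect hits in constructed proxy logs.

Added illustration (not from the original article or TrendMicro): the text
notes that ShadowGate pulled its malicious redirect on weekends and resumed on
workdays. This script buckets observed redirects per referring host by day of
week so that a host whose redirects appear only on workdays, across several
weeks, stands out for review. Log format, host names and timestamps below are
all constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <referrer host> <http status>".
# Hosts, times and statuses are made up for the example.
SAMPLE_LOG = """\
2016-10-03T09:12:44 ads.example-news.test 302
2016-10-04T10:01:03 ads.example-news.test 302
2016-10-06T15:40:12 ads.example-news.test 302
2016-10-10T08:55:30 ads.example-news.test 302
2016-10-12T11:20:09 ads.example-news.test 302
2016-10-08T13:02:11 cdn.example-shop.test 302
2016-10-09T17:45:50 cdn.example-shop.test 302
2016-10-11T09:00:00 cdn.example-shop.test 302
2016-10-15T20:10:31 cdn.example-shop.test 302
"""

SATURDAY, SUNDAY = 5, 6  # datetime.weekday(): Monday=0 .. Sunday=6


def parse_line(line):
    """Return (timestamp, host) for one log line, or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1]


def weekday_profile(log_text):
    """Return (host -> {weekday: count}, host -> set of ISO week numbers seen)."""
    counts = defaultdict(lambda: defaultdict(int))
    weeks = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, host = parsed
        counts[host][ts.weekday()] += 1
        weeks[host].add(ts.isocalendar()[1])
    return counts, weeks


def workday_only_hosts(log_text, min_weeks=2):
    """Hosts with redirects on workdays only, observed across >= min_weeks ISO weeks.

    The week threshold keeps a single busy weekday from triggering the flag.
    """
    counts, weeks = weekday_profile(log_text)
    flagged = []
    for host, per_day in counts.items():
        weekend_hits = per_day.get(SATURDAY, 0) + per_day.get(SUNDAY, 0)
        if weekend_hits == 0 and len(weeks[host]) >= min_weeks:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in workday_only_hosts(SAMPLE_LOG):
        print("workday-only redirect source:", host)
```

A flagged host is a review lead, not a verdict: plenty of legitimate business traffic also stops on weekends, so the result should be read alongside what the referring page actually serves.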
Victims of the campaigns are users in Taiwan and South Korea but also in Germany, Italy, and China.
What vulnerabilities are leveraged in the attacks?
The vulnerabilities exploited in the observed attacks are CVE-2016-0189, CVE-2015-5119, and CVE-2016-4117:
The first version of Bizarro Sundown targeted a memory corruption vulnerability in Internet Explorer (CVE-2016-0189, fixed in May 2016) and two security flaws in Flash: a use-after-free vulnerability (CVE-2015-5119) and an out-of-bounds read bug (CVE-2016-4117). The first of these was fixed more than a year ago (July 2015), and the second was patched earlier this year (May 2016).
Bizarro Sundown’s second version only used the two Flash exploits.
To avoid malware infections, make sure that your system is protected at all times!