Locky JS and URL Revealer

From various reports, it appears that the malicious JavaScript files sent via email that pull Locky down are back.

Let's see what these scripts look like:

At the bottom of the script is this statement, which reverses the long string defined above it, joins the characters back into a script, and then evaluates the result:

eval(aBN3DmdER7P.split('').reverse().join(''));

Since we're dealing with JScript running under Windows Script Host, we can simply replace the eval with WScript.Echo and capture the decoded result instead of executing it (run it with cscript.exe so the output goes to the console rather than a message box, and still do it in a VM in case the replacement misses an eval):

WScript.Echo(aBN3DmdER7P.split('').reverse().join(''));

Now we get this:

This script employs a lot of nonsense functions that just return exactly what is passed to them, in an attempt to make it harder to figure out what's going on.

After I beautify the script and scan through everything, I come across the main function that downloads a file from the Internet. It's using the familiar AJAX method, an XMLHTTP request made through an ActiveX object.

I echo out the URL array to see where the requests are going. There are three URLs it attempts to connect to; if any one of the sites is up, Locky gets downloaded and executed.

This round of scripts is similar to the ones that were sent before the Locky gang took a break. If you've been tracking their scripts, you know they make a lot of changes to bypass filters, but they are essentially all AJAX downloaders.

Instead of trying to keep up with their constant script variations, I thought, why not use a web proxy? You just run the script in a VM and catch the URLs being called. There are Fiddler, Paros, Burp, etc. that I could use, but I thought I would try to make something more lightweight and portable.

URL Revealer

Here's my take on a web proxy. This program captures the requests these scripts make and drops them, so the malware is never downloaded from the Internet. This way you can see the URLs and take the necessary action quickly, without having to deobfuscate the script.

When you run URL Revealer (in a VM!), it will automatically set up a proxy server on port 8080 and write the captured URLs to a text file on the desktop. You should open up your browser and test it to make sure it's working properly before executing the script you want to analyze. You should set your VM's network adapter to "host-only" while doing this to be safe.

Here's what it looks like when you run four recent Locky scripts plus two from the past two weeks:

I killed the wscript process in between runs; otherwise the script would just keep going. URL Revealer ignores repeated hits to the same URL as long as each one is exactly the same as the one before it.

When you are done, press Enter to quit so that URL Revealer can disable the proxy server. If you forget, just run URL Revealer again and hit Enter a couple of times until it quits.

If you run the program from an elevated command line, you can change the proxy port as well as the capture filename.

Over the past several months, I've seen four methods used by various scripts to download malware from the Internet: AJAX, WinHTTP, bitsadmin, and PowerShell. URL Revealer should detect and block the requests for all of these methods. If you encounter a new method, please let me know.

Posted on: 06/22/2016