Shulou(Shulou.com)06/02 Report--

This article will explain in detail what is the use of PyLocky for you. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

There is no doubt that blackmail software still plays a very important role in the current field of cyber threats. In fact, the activity of ransomware increased in the first half of 2018, and the ransomware tried to avoid existing security solutions through various upgrades, such as PyLocky (trend Technology marked it as RANSOM_PYLOCKY.A) is a good example.

In late July and throughout August, researchers found an attack to spread PyLocky ransomware through spam. Although PyLocky's extortion message style is very similar to that of Locky, PyLocky has nothing to do with Locky. PyLocky is written in Python and encapsulated in PyInstaller. In fact, ransomware developed with Python is nothing new, such as CryPy (RANSOM_CRYPY.A) in 2016 and Pyl33t (RANSOM_CRYPPYT.A) in 2017, but PyLocky has the ability to resist machine learning, which is one of its "bright spots". It uses both Inno Setup Installer (an open source script-based installer) and PyInstaller, which makes it more difficult to detect static analysis methods, including machine learning-based solutions.

It should be noted that the distribution of PyLocky is also relatively concentrated, and we find that this activity is mainly aimed at users in Europe, especially in France.

Infection chain

On Aug. 2, we detected a wave of PyLocky attacks against French companies, in which attackers used invoice-themed spam to lure target users into blackmail. In emails, attackers use social engineering techniques to induce users to click on malicious links, which redirect users to malicious URL that contains PyLocky ransomware.

A malicious URL points to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable file (Facture_23100.31.07.2018.exe). Upon successful operation, Facture_23100.31.07.2018.exe infects the target host with malicious components (some C++ files, Python libraries, and Python 2.7 core dynamic link library DLL), as well as the main blackmail programs (lockyfud.exe, created through PyInstaller and stored in C:\ Users\ {user}\ AppData\ Local\ Temp\ is- {random} .tmp).

PyLocky can encrypt pictures, videos, documents, audio, programs, games, database files, compressed documents, and so on. Here are the file types that can be encrypted by PyLocky:

.dat, .keychain, .sdf, .vcf, .jpg, .png, .tiff, .gif, .jpeg, .jif, .jp2, .jpx, .j2k, .j2c, .fpx, .pcd, .bmp, .svg, .3 dm, .3ds, .max, .obj, .dds, .psd, .tga, .thm, .tif, .yuv, .ai, .eps, .ps, .svg, .indd, .pct .mp4, .avi, .mkv, .3g2, .3gp, .asf, .flv, .m4v, .mov, .mpg, .rm, .srt, .swf, .vob, .wmv, .doc, .docx, .txt, .pdf, .log, .msg, .odt, .pages., .rtf, .tex, .wpd, .wps, .csv, .ged, .key, .pps, .ppt., .pptx .xml, .json, .xlsx, .xlsm, .xlsb, .xls, .mht, .mhtml, .htm, .html, .xltx, .prn, .dif, .slk, .xlam, .xla, .ods, .docm, .dotx, .dotm, .xps, .ics, .mp3., .aif, .iff, .m3u, .m4a, .mid,. Mpa, .wav, .wma, .msi, .php .apk, .app, .bat, .cgi, .com, .asp, .aspx, .cer, .cfm, .css, .js, .jsp, .rss, .xhtml, .c, .class, .cpp, .cs, .h, .java, .lua, .pl, .py, .sh, .sln, .swift, .vb, .vcxproj, .dem, .gam, .nes, .rom, .sav .tgz, .zip, .rar, .tar, .7z, .cbr, .deb, .gz, .pkg, .rpm, .zipx, .iso, .ged, .accdb, .db, .dbf, .mdb, .sql, .fnt, .fon, .otf, .ttf, .cfg, .ini, .prf, .bak, .old, .tmp, .torrent

Encryption program

The file types that PyLocky supports encryption are hard-coded in the configuration file, and the Windows Management Specification (WMI) is used to collect system information for infected devices. If the amount of visible memory of the infected system is less than 4GB, PyLocky can also avoid the sandboxie environment by dormant for 999999 seconds. If the memory size is greater than or equal to 4GB, PyLocky will directly execute the file encryption program.

After the encryption is complete, PyLocky will establish a communication connection with the remote command control server. PyLocky uses the PyCrypto library for encryption, which uses the 3DES encryption algorithm. PyLocky first enumerates the logical drives and generates a list of files before calling the 'efile' method, which overwrites the original file contents with the encrypted file contents and then sends a blackmail message.

PyLocky's extortion information is written in English, French, Korean and Italian, suggesting that users in South Korea and Italy may also be affected.

Intrusion threat indicator IoC

RANSOM_PYLOCKY.A (SHA-256):

C9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa1569f6fd28c666241902a19b205ee8223d47cccdd08c92fc35e867c487ebc999

Related hash (SHA-256):

E172e4fa621845080893d72ecd0735f9a425a0c7775c7bc95c094ddf73d1f844 (Facture_23100.31.07.2018.zip) 2a244721ff221172edb788715d11008f0ab50ad946592f355ba16ce97a23e055 (Facture_23100.31.07.2018.exe) 87aadc95a8c9740f14b401bd6d7cc5ce2e2b9beec750f32d1d9c858bc101dffa (facture_31254872_18.08.23_ {numbers} .exe)

Related malicious URL:

Hxxps://centredentairenantes [.] fr (ClearC server) hxxps://panicpc [.] fr/client [.] php?fac=676171&u=0000EFC90103hxxps://savigneuxcom [.] securesitefr [.] com/client.php?fac=001838274191030 on "what's the use of PyLocky?" this article ends here. I hope the above content can be of some help to you, so that you can learn more knowledge. If you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.