Last week I was browsing Twitter when I found a tweet from Jaromir Horejsi about a spam mail with a Locky downloader that was personalized with his surname. It was the same day that I received a spam too, also with my surname in it. I’m always happy when this happens as it gives me an opportunity to go down the rabbit hole and check what’s hidden in there.
Tag: malware
Inside Locky’s downloader
After my last post I saw a lot of Locky related SPAM, so I decided to take a look at the downloader script that I skipped before. Almost all Locky downloader scripts that I have seen before arrived at the endpoint through a SPAM mail that usually contains a ZIP or RAR archive with a single JavaScript file that has a phishing name like swift_xxx.js or addition_xxx.js. I still find puzzling why people keep clicking on these files but it seems to be a very effective way of spreading this (and not only this) ransomware.
Locky is back
I received a nice spam mail today. Normally the anti-spam plugin on the mail server does a really nice job to filter these out but this one got through. As I had some spare time, I decided to check what’s going on. First look at the mail revealed that it is a malicious downloader. Naturally, I was curious about the payload, so I decided to investigate further.