Ransomware attack groups among the most frequent users of new tactic.
Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.
WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.
Millions of spam emails spreading Locky
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary.” The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.
Figure 1. Example of recent Locky campaign using malicious WSF files within .zip attachments
Shortly afterwards, on October 5, the same attack group launched another massive malicious spam campaign with the subject line “complaint letter.” Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.