Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.
WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.
Millions of spam emails spreading Locky
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary.” The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.
Figure 1. Example of recent Locky campaign using malicious WSF files within .zip attachments
Shortly afterwards, on October 5, the same attack group launched another massive malicious spam campaign with the subject line “complaint letter.” Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.
Widescale shift towards malicious WSF attachments
These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.
Figure 2. Number of blocked emails containing malicious WSF attachments by month
Change of tactics
Groups who spread malware through spam campaigns frequently change the format of the malicious attachments used. As security vendors improve their defenses against certain malicious file types, attack groups will switch to alternatives in the hope that more emails will slip through defenses.
For example, Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader). Earlier this year, it moved to using malicious JavaScript attachments (JS.Downloader). It now appears to have shifted to using WSF files instead of pure JavaScript (also detected as JS.Downloader).
In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources.
Protection
A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud which can block email-borne threats and Symantec Endpoint Security which can block malware on the endpoint.
Source:https://www.symantec.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.
