Surge of email attacks using malicious WSF attachments


Ransomware attack groups among the most frequent users of new tactic.

Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.

WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.

Millions of spam emails spreading Locky

Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary.” The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.

Figure 1. Example of recent Locky campaign using malicious WSF files within .zip attachments

Shortly afterwards, on October 5, the same attack group launched another massive malicious spam campaign with the subject line “complaint letter.” Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.
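Both campaigns relied on the same delivery pattern, a WSF file inside a .zip attachment, which a mail filter or triage script can catch by listing archive contents. The following Python is an added example, not Symantec's detection logic; the function names, the script extensions beyond .wsf and .js, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .wsf and .js are the attachment types the article names; the other
# Windows Script Host extensions are an assumption added for this example.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh")


def is_script(name):
    # Trailing dots/spaces are stripped because Windows ignores them on open.
    return name.lower().rstrip(". ").endswith(SCRIPT_EXTS)


def script_members(zip_bytes):
    """Return names of archive members that have a script extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if is_script(n)]
    except zipfile.BadZipFile:
        return []  # not a readable zip archive


def scan_message(raw):
    """Map each attachment filename to the script files found in (or as) it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hits = script_members(data) or ([name] if is_script(name) else [])
        if hits:
            findings[name] = hits
    return findings


def build_sample():
    """Constructed message: a .zip holding an empty, harmless .wsf file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.wsf", "<job><script language='JScript'/></job>")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["Subject"], msg["From"] = "Travel Itinerary", "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

`scan_message(build_sample())` reports the archive name together with the script file inside it, which is the information a quarantine rule needs.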

Widescale shift towards malicious WSF attachments

These recent Locky campaigns are part of a broader trend. Over the past few months, Symantec has seen a significant increase in the overall number of blocked emails containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.

Figure 2. Number of blocked emails containing malicious WSF attachments by month

Change of tactics

Groups who spread malware through spam campaigns frequently change the format of the malicious attachments used. As security vendors improve their defenses against certain malicious file types, attack groups will switch to alternatives in the hope that more emails will slip through defenses.

For example, Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader). Earlier this year, it moved to using malicious JavaScript attachments (JS.Downloader). It now appears to have shifted to using WSF files instead of pure JavaScript (also detected as JS.Downloader).

In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources.


A full protection stack helps to defend against these attacks, including Symantec Email which can block email-borne threats and Symantec Endpoint Security which can block malware on the endpoint.