Locky Actors Shift to .wsf Attachments

The criminals behind the notorious Locky malware spam campaigns have once again shifted tactics in an effort to circumvent anti-spam and anti-virus detection.

Locky malware campaigns are typically characterized by a zipped .js file attached to a spam email. Cloudmark has documented Locky and their distribution tactics previously on our blog and in detail in our most recent threat report.

In this recent development, the actors have switched to using obfuscated Windows Script Files (.wsf) inside a zip archive. The .wsf vector was discussed in the previous Cloudmark Quarterly Threat Report. Windows Script Files (.wsf) allow mixing of Jscript, VBScript, and other scripting languages within a single XML formatted file. By using this file format, the criminals are essentially able to repackage their existing JScript code into a .wsf container.

virulent_traffic_160715

Starting on July 13th the week’s Locky campaigns contained a zip file attachment with a name similar to the following:

fax_scan_doc_607810.zip
pdf_letter-uBM_196204.zip
sales_scan_letter_709050.zip

Here is a screenshot of one particular malicious email:

email2

The zip file contained a .wsf script file named similar to:

spreadsheet_ed9b..wsf
profile-f98c..wsf

See below for a screenshot of the contents of one particular zip file:

zip_contents

Note that in the above attack the zip file name contains part of the victim’s email address. This is a social engineering tactic used in an attempt to add legitimacy to the email.

The Windows Script File is a downloader which attempts to download and execute the second stage payload from one of several locations. The second stage of the attack is the Locky payload. The following Indicators of Compromise (IOCs) were extracted from one sample:

.wsf file:

md5: 6c74b21561632a82f6c5f5b3727902d8

Payload URIs:

hxxp://hiramteran.com/9av7cb
hxxp://theblackrock.net/e86ry
hxxp://237travellin.com/telo70


Leave a Reply

Your email address will not be published. Required fields are marked

Learn More About Cloudmark
Our Products
News and Events
Site Map  •  Privacy Policy  •  ©2002–2017 Cloudmark, Inc.