Symantec observed a surge of spam emails using malicious WSF files

Pierluigi Paganini October 16, 2016

Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments.

Experts from Symantec are observing a significant increase in the number of email-based attacks leveraging malicious Windows Script File (WSF) attachments.  Over the past three months, threat actors have adopted the tactic in the wild, mostly criminal organizations behind ransomware campaign.

“In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.” reads a blog post from Symantec.

A Windows Script File (WSF) is a file type that allows mixing the scripting languages, such as Pyton, JScript and VBScript within a single file.

WSF files are opened and executed by the Windows Script Host (WSH), they can be launched like a common executable file.

Symantec highlighted that .wsf files are not automatically blocked by some email clients. Threat actors used malicious Windows Script File files in a number of recent major spam campaigns spreading ransomware link Locky.

Symantec blocked more than 1.3 million emails bearing the subject line “Travel Itinerary” between October 3 and 4. In this campaign, hackers leveraged on malicious emails purported to come from a major airline that came with Windows Script File file within a .zip archive.

Symantec added that on October 5, the same threat actor launched a new massive spam campaign with the subject line “complaint letter.”

“Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.” added Symantec.

Experts from Symantec believe that the used of .WSF file is a broader trend, the number of emails being blocked containing this kind of malicious attachments is increased in the last months as reported in the following graph.

“From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.” reads the post from Symantec.

wsf-files-malware-spama Threat actors in the wild often adopt new tactics frequently changing the format of the malicious attachments for their campaigns to avoid detection.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – cybercrime, spam)



you might also like

leave a comment