Locky Actors Shift to .wsf Attachments

The criminals behind the notorious Locky malware spam campaigns have once again shifted tactics in an effort to circumvent anti-spam and anti-virus detection. Locky malware campaigns are typically characterized by a zipped .js file attached to a spam email. Cloudmark has documented Locky and its distribution tactics previously on our blog and in detail in our most recent threat report. In this recent development, the actors have switched to using obfuscated Windows Script Files (.wsf) inside a zip archive. The .wsf vector was discussed in the previous Cloudmark Quarterly Threat Report. Windows Script Files (.wsf) allow JScript, VBScript, and other scripting languages to be mixed within a single XML-formatted file. By using this file format, the criminals are essentially able to repackage their existing JScript code into a .wsf container.
Starting on July 13th, that week's Locky campaigns contained a zip file attachment with a name similar to the following:

fax_scan_doc_607810.zip
pdf_letter-uBM_196204.zip
sales_scan_letter_709050.zip

Here is a screenshot of one particular malicious email:
[Screenshot: one of the malicious emails]
The zip file contained a .wsf script file with a name similar to:

spreadsheet_ed9b..wsf
profile-f98c..wsf

See below for a screenshot of the contents of one particular zip file:
[Screenshot: contents of one of the zip attachments]
Note that in the above attack the zip file name contains part of the victim's email address. This is a social engineering tactic used in an attempt to add legitimacy to the email.

The Windows Script File is a downloader which attempts to download and execute the second-stage payload from one of several locations. The second stage of the attack is the Locky payload.

The following Indicators of Compromise (IOCs) were extracted from one sample:

.wsf file:
md5: 6c74b21561632a82f6c5f5b3727902d8

Payload URIs:
hxxp://hiramteran.com/9av7cb
hxxp://theblackrock.net/e86ry
hxxp://237travellin.com/telo70
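As an added example (not Cloudmark's own tooling), the following Python snippet shows how a mail gateway or triage script can flag zip attachments that carry script files of the kind described above, and, for .wsf members, enumerate the script languages declared in the XML container. The sample zip, the member names and the benign .wsf body are constructed for the demonstration.

```python
from __future__ import annotations
import io
import zipfile
import xml.etree.ElementTree as ET

# Script-capable extensions that have no business arriving zipped in mail.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def wsf_script_languages(data: bytes) -> list[str]:
    """Return the language attribute of every <script> element in a .wsf body.

    A .wsf is an XML document (<job>/<package>) whose <script> children may
    each use a different engine, e.g. JScript next to VBScript.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # malformed XML: still flagged by extension, just no detail
    return [el.get("language", "") for el in root.iter("script")]


def inspect_attachment_zip(zip_bytes: bytes) -> list[dict]:
    """List zip members with script extensions; expand .wsf members' languages."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            finding = {"member": info.filename, "extension": ext, "languages": []}
            if ext == ".wsf":
                finding["languages"] = wsf_script_languages(zf.read(info))
            findings.append(finding)
    return findings


# Constructed, benign .wsf mixing JScript and VBScript in one container.
SAMPLE_WSF = b"""<job id="demo">
<script language="JScript">WScript.Echo("hello from JScript");</script>
<script language="VBScript">WScript.Echo "hello from VBScript"</script>
</job>"""


def build_sample_zip() -> bytes:
    """Build a constructed attachment: one .wsf beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("spreadsheet_demo.wsf", SAMPLE_WSF)
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment_zip(build_sample_zip()):
        print(finding)
```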