SYMANTEC Corp. said it has seen a major increase in the number of e-mail-based attacks using malicious Windows Script File (WSF) attachments over the past three months.
“Ransomware groups, in particular, have been employing this new tactic,” Symantec said in a statement. The company said it has, in the past two weeks, blocked a number of major campaigns distributing Locky (Ransom.Locky), which involved malicious WSF files.
WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the “.wsf” extension are not automatically blocked by some email clients and can be launched like an executable file.
According to Symantec, malicious WSF files have been used in a number of recent major spam campaigns spreading Locky.
Symantec said that between October 3 and 4, it blocked more than 1.3 million e-mails bearing the subject line “Travel Itinerary.” The e-mails purported to come from a major airline and came with an attachment that consisted of a WSF file within a “.zip” archive. If the WSF file was allowed to run, Locky was installed on the victim’s computer.
Shortly afterward, on October 5, the same attack group launched another massive malicious spam campaign with the subject line “complaint letter.” Symantec blocked more than 918,000 of these e-mails. The e-mails purported to come from someone representing a client who was making a complaint “regarding the data file you provided.” Once again, the e-mails came with an attachment that consisted of a WSF file within a “.zip” archive.
If the WSF file was allowed to run, Locky was installed on the victim’s computer.
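The delivery pattern described above (a WSF file inside a “.zip” attachment) can be checked for at a mail gateway. The following Python sketch is an added example, not code from Symantec or the original article: it opens zip attachments in memory, flags “.wsf” members and lists the scripting languages each one declares. The function names, file names and sample message are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches the language attribute of <script> elements inside a WSF job.
SCRIPT_LANG = re.compile(rb'<script[^>]*\blanguage\s*=\s*["\']?([\w.]+)', re.I)

def wsf_members(zip_bytes):
    """Return [(member_name, [script languages])] for .wsf entries in a zip."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                # Windows ignores trailing dots and spaces in file names.
                if info.filename.lower().rstrip(". ").endswith(".wsf"):
                    try:
                        with zf.open(info) as fh:
                            body = fh.read(65536)  # bounded read
                    except (RuntimeError, NotImplementedError):
                        body = b""  # encrypted or unsupported: still flag the name
                    langs = sorted({m.decode().lower() for m in SCRIPT_LANG.findall(body)})
                    hits.append((info.filename, langs))
    except zipfile.BadZipFile:
        pass  # not a readable zip; leave it to other filters
    return hits

def scan_message(raw):
    """Return (attachment, member, languages) for each .wsf found in zip attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
            findings += [(name, m, langs) for m, langs in wsf_members(data)]
    return findings

def build_sample():
    """Constructed test message: a benign .wsf inside a .zip attachment."""
    wsf = (b'<job><script language="JScript">// placeholder</script>'
           b'<script language="VBScript">\' placeholder</script></job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.wsf", wsf)
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Calling scan_message(build_sample()) returns one finding naming the archive, the “.wsf” member and both declared languages; a gateway would quarantine or strip on any non-empty result.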
Widescale shift toward malicious WSF attachments
These recent Locky campaigns are part of a broader trend. Over the past few months, Symantec has seen a significant increase in the overall number of blocked e-mails containing malicious WSF attachments.
From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million e-mails blocked.