Surge of email attacks using malicious WSF attachments

Surge of email attacks using malicious WSF attachments

Over the past three months, Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments. Ransomware attack groups in particular have been employing this new tactic.

WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.

Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer.

Figure 1. Example of recent Locky campaign using malicious WSF files within .zip attachments

These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.

Groups who spread malware through spam campaigns frequently change the format of the malicious attachments used. As security vendors improve their defenses against certain malicious file types, attack groups will switch to alternatives in the hope that more emails will slip through defenses.

In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources.

Tips on protecting yourself from 
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been 
  • Always keep your security software up to date to protect yourself against any new variants of 
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by 
  • Delete any suspicious-looking emails you receive, especially if they contain links or 
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

For the LATEST tech updates,
FOLLOW us on our Twitter
LIKE us on our FaceBook
SUBSCRIBE to us on our YouTube Channel!
    Blogger Comment
    Facebook Comment