Spam campaigns distributing the Jaff ransomware have evolved and are using multiple decoy files hidden inside malicious PDF attachments, Trustwave security researchers say.
Jaff is a new ransomware family that emerged in early May, and has been distributed through the infamous Necurs spam botnet. After fueling a surge in malicious spam last year, Necurs went dark in December 2016, only to return in April 2017.
The Locky ransomware, historically associated with spam emails distributed by the Necurs botnet, went silent in December as well, and made only a brief return in April. As of early May, Necurs switched to distributing the Jaff ransomware and continues to do so.
The reason for this appears to be simple: Jaff was supposedly developed by the same group behind Locky and Dridex, considering the use of resources previously associated with these threats. The first Jaff variant even used a ransom note similar to Locky’s, but the second variant adopted a redesigned one, along with few other changes.
The distribution campaign uses PDF files attached to the spam emails, but with Word documents hidden inside. The email subject ranges from fake invoice notifications to fake payment receipts, and from alleged image scans to random file copies.
The ultimate goal remains the same: the Word document inside the PDF file is meant to download and drop a malware executable. According to Trustwave, however, the PDF campaigns have been evolving almost daily, with a larger number of embedded files discovered inside recent attachments and with additional layers of obfuscation.
“These additional files do nothing, and are probably just decoys. But the main .docm file, with its malicious macro, still acts as the malware downloader,” Trustwave’s Homer Pacag explains.
The PDF file contains an exportDataObject Launch instruction to drop and launch the embedded .docm file. When enabled, the Word document’s vbaProject macro component starts downloading the Jaff ransomware from a specific URL.
Over the past week or so, the Jaff variant being delivered via Necurs appends the .wlu extension to the encrypted files (the initial variant was using the .jaff extension). However, it continues to use the same URL to guide victims to where they can recover their encrypted files.
Related: New Jaff Ransomware Variant Emerges
