Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Script Files Used to Deliver Locky Ransomware

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

Security firm Forcepoint reported in May that cybercriminals had started using WSF files to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, cybercriminals have also started using it to spread Locky.

WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language.

Researchers believe that the use of WSF files makes it more difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions. WSF files can increase the chances of bypassing sandboxes and blacklisting technologies.

“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers explained.

“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.

In the attacks observed by Trend Micro last month, cybercriminals appeared to be focusing on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”

Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday. The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.

Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language. This method has also been used by various other ransomware families, including Jigsaw, Cryptlock and Reveton.

The new Locky variant was spotted by researchers on an underground Brazilian cybercrime website, but it has also been openly advertised on Facebook.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.