Email-based attacks using malicious Windows Script File (WSF) attachments have surged in the past three months, according to security firm Symantec.
WSF files are designed to allow a mix of scripting languages in a single file, and are opened and run by the Windows Script Host (WSH). Files with the WSF extension are not automatically blocked by some email clients and can be launched like an executable file, hence their popularity with the propagators of malware.
Malicious WSF files have been used in a number of major spam campaigns recently to spread the Locky ransomware. Symantec said that it blocked more than 1.3 million emails with malicious WSF files bearing the subject line 'Travel Itinerary' on 3 and 4 October alone.
The emails purported to come from a major airline, but had an attachment that consisted of a WSF file in a zipped archive. Locky was installed on the victim's computer if the WSF file was allowed to run.
The campaign was followed by another spam run, but with emails bearing the subject line 'Complaint letter'. Symantec claimed to have blocked more than 918,000 of these malware-bearing spam emails.
"These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments," said Symantec in a blog post.
"From just over 22,000 in June, the figure shot up to more than two million in July. September was a record month, with more than 2.2 million emails blocked."
The firm added that groups that spread malware via spam campaigns, as opposed to using more sophisticated methods of propagating malware such as compromised advertising networks, frequently change the format of the malicious attachments in a bid to evade antivirus and anti-malware blocks.
"Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader)," Symantec said.
"In a constantly shifting threat landscape, organisations need to remain vigilant and aware that threats can come from new and unanticipated sources."
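A mail-gateway check for the delivery method described above, a WSF file inside a zipped attachment, written as an added example (not Symantec's code or part of the original article). The extension list, size limit, function names and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; .wsf is the type the article describes.
SCRIPT_EXTS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")
MAX_NESTED = 10 * 1024 * 1024  # skip nested archives declaring more than 10 MiB

def _is_script(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.rstrip(". ").lower().endswith(SCRIPT_EXTS)

def _scan(name, data, depth, hits):
    if _is_script(name):
        hits.append(name)
    # Identify archives by content, not by the attachment's file name.
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}!{info.filename}"
            nested = info.filename.lower().endswith(".zip") and not info.flag_bits & 0x1
            if nested and info.file_size <= MAX_NESTED:  # unencrypted, bounded size
                _scan(path, zf.read(info), depth - 1, hits)
            elif _is_script(info.filename):
                hits.append(path)

def script_attachments(raw_message, max_depth=2):
    """Return paths of script files attached directly or inside zip archives."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        _scan(part.get_filename() or "(unnamed)", data, max_depth, hits)
    return hits

def build_sample(member="itinerary.wsf"):
    """Constructed test message: a zip attachment holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<job></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Member names are read from the zip's central directory, so a script file is still reported when the archive is password-protected; only the contents of encrypted nested archives are left unexamined.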