Email-based attacks using malicious Windows Script File (WSF) attachments have surged in the past three months, according to security firm Symantec.
WSF files are designed to allow a mix of scripting languages in a single file, and are opened and run by the Windows Script Host (WSH). Files with the WSF extension are not automatically blocked by some email clients and can be launched like an executable file, hence their popularity with the propagators of malware.
Malicious WSF files have been used in a number of major spam campaigns recently to spread the Locky ransomware. Symantec said that it blocked more than 1.3 million emails with malicious WSF files bearing the subject line 'Travel Itinerary' on 3 and 4 October alone.
The emails purported to come from a major airline, but had an attachment that consisted of a WSF file in a zipped archive. Locky was installed on the victim's computer if the WSF file was allowed to run.
The campaign was followed by another spam run, but with emails bearing the subject line 'Complaint letter'. Symantec claimed to have blocked more than 918,000 of these malware-bearing spam emails.
"These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments," said Symantec in a blog post.
"From just over 22,000 in June, the figure shot up to more than two million in July. September was a record month, with more than 2.2 million emails blocked."
The firm added that groups that spread malware via spam campaigns, as opposed to using more sophisticated methods of propagating malware such as compromised advertising networks, frequently change the format of the malicious attachments in a bid to evade antivirus and anti-malware blocks.
"Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader)," Symantec said.
"In a constantly shifting threat landscape, organisations need to remain vigilant and aware that threats can come from new and unanticipated sources."
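A mail-gateway check for the delivery method described above (a WSF file inside a zipped attachment), as an added example that is not from Symantec or the original article. The extension list beyond `.wsf`, the nesting and size limits, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .wsf is the article's case; the other WSH script types are an added assumption.
WSH_EXTENSIONS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")

def _is_script(name):
    # Windows drops trailing dots and spaces, so "a.wsf." still opens as a.wsf.
    return name.lower().rstrip(". ").endswith(WSH_EXTENSIONS)

def script_members(zip_bytes, depth=0, max_depth=2):
    """Names of WSH script files inside a zip, following nested zips."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            for info in archive.infolist():
                nested = info.filename.lower().endswith(".zip")
                if _is_script(info.filename):
                    hits.append(info.filename)
                elif nested and depth < max_depth and info.file_size < 10_000_000:
                    hits += script_members(archive.read(info), depth + 1, max_depth)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # corrupt or password-protected: keep whatever names were seen
    return hits

def scan_message(raw_bytes):
    """(attachment name, offending file) pairs for one raw email message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _is_script(filename):
            findings.append((filename, filename))
        elif payload.startswith(b"PK\x03\x04"):  # zip magic, whatever the extension
            findings += [(filename, m) for m in script_members(payload)]
    return findings

def build_sample(member_name):
    """Constructed sample: one zip attachment holding an inert placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, "<job><!-- inert placeholder --></job>")
    msg = EmailMessage()
    msg.set_content("Travel itinerary attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample("itinerary.wsf"))` returns the attachment and the script name inside it; a gateway would quarantine any message with a non-empty result.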