Email-based attacks using malicious Windows Script File (WSF) attachments have surged in the past three months, according to security firm Symantec.
WSF files are designed to allow a mix of scripting languages in a single file, and are opened and run by the Windows Script Host (WSH). Files with the WSF extension are not automatically blocked by some email clients and can be launched like an executable file, hence their popularity with the propagators of malware.
Malicious WSF files have been used in a number of major spam campaigns recently to spread the Locky ransomware. Symantec said that it blocked more than 1.3 million emails with malicious WSF files bearing the subject line 'Travel Itinerary' on 3 and 4 October alone.
The emails purported to come from a major airline, but had an attachment that consisted of a WSF file in a zipped archive. Locky was installed on the victim's computer if the WSF file was allowed to run.
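As an added illustration (not code from Symantec or the original article), the Python sketch below shows how a mail filter could flag the delivery method described above: a script file runnable by Windows Script Host, either attached directly or hidden inside a zip attachment. The extension list beyond `.wsf`, the size and depth limits, and the sample message are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .wsf is the type this article covers; the other WSH extensions are an added assumption.
WSH_EXTENSIONS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")
MAX_DEPTH, MAX_NESTED = 2, 16 * 1024 * 1024  # nesting levels, bytes per nested zip

def is_script(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return name.lower().rstrip(". ").endswith(WSH_EXTENSIONS)

def script_members(zip_bytes, depth=0):
    """List script-host files inside a zip, descending into nested zips."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            for info in archive.infolist():
                if is_script(info.filename):
                    hits.append(info.filename)
                elif depth < MAX_DEPTH and info.filename.lower().endswith(".zip"):
                    if info.file_size <= MAX_NESTED:  # skip oversized members
                        hits += script_members(archive.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # not a zip, or an encrypted member we cannot open
    return hits

def scan_message(raw_bytes):
    """Return {attachment name: [script files]} for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        hits = [name] if is_script(name) else script_members(data)
        if hits:
            findings[name] = hits
    return findings

def build_sample():
    """Constructed test message: a zip attachment holding an inert .wsf file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("itinerary.wsf", "<job><script language='JScript'></script></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns the zip attachment's name mapped to the `.wsf` file found inside it; a message with no script-host files yields an empty dictionary.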
The campaign was followed by another spam run, but with emails bearing the subject line 'Complaint letter'. Symantec claimed to have blocked more than 918,000 of these malware-bearing spam emails.
"These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments," said Symantec in a blog post.
"From just over 22,000 in June, the figure shot up to more than two million in July. September was a record month, with more than 2.2 million emails blocked."
The firm added that groups that spread malware via spam campaigns, as opposed to using more sophisticated methods of propagating malware such as compromised advertising networks, frequently change the format of the malicious attachments in a bid to evade antivirus and anti-malware blocks.
"Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader)," Symantec said.
"In a constantly shifting threat landscape, organisations need to remain vigilant and aware that threats can come from new and unanticipated sources."