Email-based attacks using malicious Windows Script File (WSF) attachments have surged in the past three months, according to security firm Symantec.
WSF files are designed to allow a mix of scripting languages in a single file, and are opened and run by the Windows Script Host (WSH). Files with the WSF extension are not automatically blocked by some email clients and can be launched like an executable file, hence their popularity with the propagators of malware.
Malicious WSF files have been used in a number of major spam campaigns recently to spread the Locky ransomware. Symantec said that it blocked more than 1.3 million emails with malicious WSF files bearing the subject line 'Travel Itinerary' on 3 and 4 October alone.
The emails purported to come from a major airline, but had an attachment that consisted of a WSF file in a zipped archive. Locky was installed on the victim's computer if the WSF file was allowed to run.
The campaign was followed by another spam run, but with emails bearing the subject line 'Complaint letter'. Symantec claimed to have blocked more than 918,000 of these malware-bearing spam emails.
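As an added defender-side example (not code from the article or from Symantec), here is a Python check that a mail gateway could apply to the zipped attachments described above: it flags archive members carrying Windows Script Host extensions, looking inside nested zips and ignoring case. The sample archive, its file names and the WSH extension list beyond .wsf are constructed assumptions for the demonstration.

```python
import io
import zipfile
from typing import List

# File types the Windows Script Host will run. .wsf is the format in the
# article; the others are its sibling script types (assumption for the demo).
WSH_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh")


def script_host_members(archive_bytes: bytes, max_depth: int = 2) -> List[str]:
    """Return paths of WSH-runnable members found in a zip attachment.

    Nested zips are inspected recursively up to max_depth, and matching is
    case-insensitive so 'Itinerary.WSF' is caught as well as 'itinerary.wsf'.
    A nested member that is not a valid zip is skipped rather than raising.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(WSH_EXTENSIONS):
                findings.append(name)
            elif lower.endswith(".zip") and max_depth > 0:
                try:
                    inner = script_host_members(zf.read(info), max_depth - 1)
                except zipfile.BadZipFile:
                    continue
                findings.extend(f"{name}/{member}" for member in inner)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample mimicking the lure layout: a harmless PDF plus a
    second zip that hides a .wsf file one level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Itinerary.WSF", "<job></job>")  # placeholder, not a real script
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("ticket.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(script_host_members(build_sample_attachment()))  # ['docs.zip/Itinerary.WSF']
```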
"These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments," said Symantec in a blog post.
"From just over 22,000 in June, the figure shot up to more than two million in July. September was a record month, with more than 2.2 million emails blocked."
The firm added that groups that spread malware via spam campaigns, as opposed to more sophisticated propagation methods such as compromised advertising networks, frequently change the format of the malicious attachments in a bid to evade antivirus and anti-malware blocks.
"Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader)," Symantec said.
"In a constantly shifting threat landscape, organisations need to remain vigilant and aware that threats can come from new and unanticipated sources."