14 DAY TRIAL // Multiple security firms are reporting on a gigantic wave of spam email that delivers malicious JavaScript file attachments, laced with downloaders for the Locky ransomware.
Until now, two different companies have reported on this event, ESET and Proofpoint, with the latter even going as far as to call it one of the biggest spam floods in recent years.
The particularity of this campaign resides in the fact that all the malicious emails distribute a ZIP archive that, when downloaded and unzipped, presents the user with a JavaScript file instead of an EXE. Because of this novel approach, most users double-click the file, and the malicious JavaScript code is executed automatically via the Windows Script Host (WSH) service.
This code generally downloads and then launches malware into execution. For this particular campaign, the criminals' favorite payload is the Locky ransomware. This ransomware variant appeared at the start of the year and has known ties to the Dridex botnet.
In previous spam distribution campaigns, JS-based malicious email attachments also delivered banking trojans and ransomware variants like TeslaCrypt and CryptoWall.
Spam wave hits Europe the hardest
For this most recent campaign, Proofpoint says it saw an uptick of email spam originating from Indian and Vietnamese IPs. ESET explains the wave was aimed at European countries, but crooks didn't deliver Locky directly but used the JS/Danger.ScriptAttachment malware dropper as a second intermediary.
Proofpoint also made a discovery yesterday, revealing Locky started using a weak encryption algorithm (XOR) to mask the malicious JavaScript code, in order to prevent easy detection by AV engines.
On the other hand, the Comodo Threat Research Labs (CTRL) also detected a Locky surge that used the disguise of Amazon shipping notices to spread the ransomware, but in this case, the crooks used Office documents with malicious macros, and not JavaScript.
