Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Locky Distributors Switch to Word Macro and then WSF Files

Locky ransomware continues to be distributed in large numbers; however, the email attachments have been changed, probably because of increased blocking of the JavaScript files that had been favored until now.

The Locky attack begins with an email attachment that downloads the actual Locky ransomware. Last week, the Downloader component was switched to Word documents with embedded macros (.docm extension).

Embedded Macro

This week, for the first time, Locky downloaders are using the WSF file format. A Windows Script File (WSF) allows mixing the scripting languages JScript and VBScript within a single file. We speculate that .wsf files are currently not blocked by default in most email security systems and this has motivated the switch. The attachment still arrives zipped, and in this example is supposedly a “reference letter”:

Reference Letter

The randomly named .wsf file is somewhat larger than the equivalent JavaScript files previously used.

WSF File

A cursory analysis shows that the .wsf file is simply a JavaScript file with <job> </job> wrapped around it.

<job><script language="JScript">… …</script></job>

The docm and wsf variants are all detected and blocked by CYREN.
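As an added example (not code from the original post or from Cyren), the check below mirrors the kind of attachment blocking the post describes: it opens a zipped attachment, flags the downloader file types named here (.js, .docm, .wsf), and for a .wsf file reports which scripting languages the <job> element wraps, since WSF allows JScript and VBScript to be mixed. The zip, its member names and the script bodies are constructed for this example.

```python
"""Gateway-style check for zipped script attachments (constructed example)."""
import io
import os
import re
import zipfile

# Attachment types the post identifies as Locky downloader carriers.
BLOCKED_EXTENSIONS = {".js", ".docm", ".wsf"}

# WSH is lenient about the XML, so a regex is more robust than an XML parser
# for pulling the language attribute out of each <script> tag.
SCRIPT_TAG = re.compile(rb'<script\b[^>]*\blanguage\s*=\s*["\']?([A-Za-z]+)', re.I)


def wsf_script_languages(data: bytes) -> list:
    """Return the scripting language of every <script> block in a WSF file (lowercased)."""
    return [m.group(1).decode("ascii").lower() for m in SCRIPT_TAG.finditer(data)]


def scan_zip_attachment(blob: bytes) -> list:
    """Inspect each member of a zipped attachment; return (member name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename.lower())[1]
            if ext not in BLOCKED_EXTENSIONS:
                continue
            reason = f"blocked script attachment type {ext}"
            if ext == ".wsf":
                langs = wsf_script_languages(zf.read(info))
                reason += f" (script languages: {', '.join(langs) or 'none found'})"
            findings.append((info.filename, reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample zip: a harmless WSF with the <job>/<script> structure from the post."""
    wsf = (b'<job>\n'
           b'<script language="JScript">WScript.Echo("constructed sample");</script>\n'
           b'<script language="VBScript">WScript.Echo "constructed sample"</script>\n'
           b'</job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reference_letter_8231.wsf", wsf)  # constructed name
        zf.writestr("readme.txt", b"plain text member, not flagged")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_attachment()):
        print(f"{name}: {reason}")
```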
