Endpoint Protection

 View Only

Surge of email attacks using malicious WSF attachments 

Oct 12, 2016 09:05 PM

Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.

WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.

Millions of spam emails spreading Locky

Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer.

Figure 1. Example of recent Locky campaign using malicious WSF files within .zip attachments

Shortly afterwards, on October 5, the same attack group launched another massive malicious spam campaign with the subject line "complaint letter." Symantec blocked more than 918,000 of these emails. The email purported to come from someone representing a client who was making a complaint "regarding the data file you provided." Once again, the emails came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer.

Widescale shift towards malicious WSF attachments

These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than 2 million in July. September was a record month, with more than 2.2 million emails blocked.

Figure 2. Number of blocked emails containing malicious WSF attachments by month

Change of tactics

Groups who spread malware through spam campaigns frequently change the format of the malicious attachments used. As security vendors improve their defenses against certain malicious file types, attack groups will switch to alternatives in the hope that more emails will slip through defenses.

For example, Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader). Earlier this year, it moved to using malicious JavaScript attachments (JS.Downloader). It now appears to have shifted to using WSF files instead of pure JavaScript (also detected as JS.Downloader).

In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources.


A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud which can block email-borne threats and Symantec Endpoint Security which can block malware on the endpoint.

Symantec and Norton products protect against malicious WSF files with the following detections:


Intrusion prevention system:

Tips on protecting yourself from ransomware

  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.


0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.