Ransomware Alert: Zepto (Locky) Voice Message ZIP Attachment
We're blocking a huge "Zepto" (Locky variant) ransomware campaign with a ZIP file attached that claims to be a voice message. Do NOT download or open the attachment. It's a WSF (Windows Script File) that downloads and executes a DLL file, which infects your computer with the Zepto Locky ransomware variant.
What the Dangerous Email Looks Like
Today's campaign has minimal text, which offers fewer opportunities for the spammer to mess up, adding to its apparent legitimacy and increasing the chance people will click the attachment. Here's a redacted sample:
Subject: Voice Message from Outside Caller (3m 14s)
Voice Message Arrived on Friday, Aug 26 @ 8:33 AM
Name: Outside Caller
Number: Unavailable
Duration: 3m 14s
_________________
XXXXXXX.COM SV9100 InMail
Email Template Hints
To help you block it and likely variations, we've highlighted some patterns that hint at the template used to create it. The duration of the "voice message" in the subject and body is the same, but changes from one email to the next.
Subject
Voice Message from Outside Caller (Xm XXs)
Message Body
The last line of the message body includes the recipient's domain before the text "SV9100 InMail".
Voice Message Arrived on <weekday>, MMM DD @ hh:mm AM
Name: Outside Caller
Number: Unavailable
Duration: Xm XXs
_________________
<recipient domain> SV9100 InMail
Attachment
The attached (.zip) file is named with the pattern:
"Outside Caller mm-dd-yyyy <hex characters>.zip"
The zip file contains a Windows Script File (.wsf, carrying JavaScript/JScript code) named with the pattern:
"<mm-dd-yyyy random letters/numbers>.wsf"
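The template hints above can be turned directly into a mail-filter check. The following is an added example, not code from the original alert: it encodes the subject, body, footer and attachment-name patterns as regular expressions, checks that the footer domain matches the recipient's domain and that the duration in the subject matches the Duration line, and counts how many independent indicators line up. The sample message and the benign message are constructed for the example; the assumption that the random part of the .wsf name may or may not be separated from the date by a space is an assumption, as is the threshold of four indicators.

```python
import re
from typing import Dict, List

# Patterns derived from the template hints in the alert. Durations are "Xm XXs".
DURATION = r"\d+m \d{2}s"
SUBJECT_RE = re.compile(rf"^Voice Message from Outside Caller \(({DURATION})\)$")
# "Voice Message Arrived on <weekday>, MMM DD @ hh:mm AM" (AM/PM both accepted here)
ARRIVED_RE = re.compile(
    r"^Voice Message Arrived on [A-Z][a-z]+day, [A-Z][a-z]{2} \d{1,2} @ \d{1,2}:\d{2} [AP]M$"
)
DURATION_LINE_RE = re.compile(rf"^Duration: ({DURATION})$")
# "<recipient domain> SV9100 InMail" -- the domain is captured for comparison.
FOOTER_RE = re.compile(r"^([A-Za-z0-9.-]+) SV9100 InMail$")
# "Outside Caller mm-dd-yyyy <hex characters>.zip"
ZIP_NAME_RE = re.compile(r"^Outside Caller \d{2}-\d{2}-\d{4} [0-9A-Fa-f]+\.zip$", re.IGNORECASE)
# "<mm-dd-yyyy random letters/numbers>.wsf"; the optional space is an assumption.
WSF_NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{4} ?[A-Za-z0-9]+\.wsf$", re.IGNORECASE)


def match_indicators(msg: Dict) -> List[str]:
    """Return the names of the template indicators present in a parsed message.

    msg is a plain dict with keys: recipient, subject, body, attachments (file
    names), zip_contents (file names inside the archive, if already listed).
    """
    hits: List[str] = []
    subj = SUBJECT_RE.match(msg.get("subject", ""))
    if subj:
        hits.append("subject")

    lines = [ln.strip() for ln in msg.get("body", "").splitlines() if ln.strip()]
    if lines and ARRIVED_RE.match(lines[0]):
        hits.append("arrived_line")
    if "Name: Outside Caller" in lines and "Number: Unavailable" in lines:
        hits.append("caller_lines")

    body_duration = None
    for ln in lines:
        m = DURATION_LINE_RE.match(ln)
        if m:
            body_duration = m.group(1)
            break
    if body_duration:
        hits.append("duration_line")
        # The alert notes the subject and body durations agree within one email.
        if subj and subj.group(1) == body_duration:
            hits.append("duration_matches_subject")

    # The last body line carries the recipient's own domain before "SV9100 InMail".
    footer = FOOTER_RE.match(lines[-1]) if lines else None
    recipient_domain = msg.get("recipient", "").rpartition("@")[2]
    if footer and recipient_domain and footer.group(1).lower() == recipient_domain.lower():
        hits.append("footer_recipient_domain")

    if any(ZIP_NAME_RE.match(name) for name in msg.get("attachments", [])):
        hits.append("zip_attachment_name")
    if any(WSF_NAME_RE.match(name) for name in msg.get("zip_contents", [])):
        hits.append("wsf_inside_zip")
    return hits


def is_campaign_match(msg: Dict, threshold: int = 4) -> bool:
    """Treat the message as this campaign when enough indicators line up (threshold is an assumption)."""
    return len(match_indicators(msg)) >= threshold


# Constructed sample message in the shape of the redacted sample (not a real capture).
SAMPLE_EMAIL = {
    "recipient": "alice@example.com",
    "subject": "Voice Message from Outside Caller (3m 14s)",
    "body": (
        "Voice Message Arrived on Friday, Aug 26 @ 8:33 AM\n"
        "Name: Outside Caller\n"
        "Number: Unavailable\n"
        "Duration: 3m 14s\n"
        "_________________\n"
        "EXAMPLE.COM SV9100 InMail\n"
    ),
    "attachments": ["Outside Caller 08-26-2016 1a2b3c4d.zip"],
    "zip_contents": ["08-26-2016 k9x2mq7p.wsf"],
}

# Constructed benign message for comparison.
BENIGN_EMAIL = {
    "recipient": "alice@example.com",
    "subject": "Lunch tomorrow?",
    "body": "See you at noon.\n",
    "attachments": [],
    "zip_contents": [],
}

if __name__ == "__main__":
    print(match_indicators(SAMPLE_EMAIL), is_campaign_match(SAMPLE_EMAIL))
    print(match_indicators(BENIGN_EMAIL), is_campaign_match(BENIGN_EMAIL))
```

Scoring on several independent indicators rather than on the subject alone keeps the rule useful when the spammer changes one field, and the footer-domain check is the hardest one for a bulk template to get wrong by accident.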
How the Malware Infects Your System
The .wsf file downloads an encrypted DLL from compromised websites, decrypts it, and runs it using the built-in Windows program rundll32.exe, specifically calling the exported function named "qwerty".
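On the endpoint, that execution step leaves a distinctive process-creation event: rundll32.exe launched with a DLL path and the export name "qwerty", and (because .wsf files run under Windows Script Host) a parent process of wscript.exe or cscript.exe. The following added example, not code from the original alert, runs that check over constructed Sysmon-style process events. The event field names, the DLL paths and the user-writable-directory list are assumptions made for the example.

```python
import re
from typing import Dict, List

# High-confidence indicator from the alert: a rundll32 call whose entry point is "qwerty".
# rundll32 accepts any file extension, so the regex does not insist on ".dll".
QWERTY_EXPORT_RE = re.compile(r'["\']?\s*,\s*qwerty\b', re.IGNORECASE)
# Behavioural indicator that survives a renamed export: the DLL lives somewhere a
# script could write it. Directory list is an assumption for this example.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> List[str]:
    """Return the reasons a process-creation event looks like this infection chain."""
    reasons: List[str] = []
    if basename(event["image"]) != "rundll32.exe":
        return reasons
    if QWERTY_EXPORT_RE.search(event["command_line"]):
        reasons.append("rundll32 entry point 'qwerty'")
    if basename(event["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("rundll32 spawned by Windows Script Host")
    if USER_WRITABLE_RE.search(event["command_line"]):
        reasons.append("module loaded from user-writable path")
    return reasons


def detect(events: List[Dict]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that triggers at least one indicator."""
    flagged: Dict[int, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 4102, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.dll,qwerty"},
    {"pid": 4103, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\zz.dll",qwerty'},
    {"pid": 4104, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation"},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The export name is the easiest thing for the operator to change between waves, so treat the "qwerty" match as a confirmation of this specific campaign and the script-host parent plus user-writable path as the durable pair to alert on; event 4104 shows that the parent-process indicator alone fires on a plausibly legitimate logon script, which is why the reasons are reported separately rather than collapsed into one verdict.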
Traditional Antispam / AntiVirus Can't Protect You
Traditional AV scanners were doing a little better with this one today than earlier in the week, but they still were not providing zero-hour protection. By around noon Eastern US time, VirusTotal was reporting that
[Figures: VirusTotal WSF file detection results; VirusTotal DLL file detection results]