Ransomware Alert: Zepto (Locky) Voice Message ZIP Attachment

We're blocking a huge "Zepto" (Locky variant) ransomware campaign with a ZIP file attached that claims to be a voice message. Do NOT download or open the attachment. It's a WSF (Windows Script File) that downloads and executes a DLL file, which infects your computer with the Zepto Locky ransomware variant.

What the Dangerous Email Looks Like

Today's campaign has minimal text, which offers fewer opportunities for the spammer to mess up, adding to its apparent legitimacy and increasing the chance people will click the attachment. Here's a redacted sample:

Subject: Voice Message from Outside Caller (3m 14s)

Voice Message Arrived on Friday, Aug 26 @ 8:33 AM
Name: Outside Caller
Number: Unavailable
Duration: 3m 14s
_________________
XXXXXXX.COM SV9100 InMail

Email Template Hints

To help you block it and likely variations, we've highlighted some patterns that hint at the template used to create it. The duration of the "voice message" in the subject and body is the same, but changes from one email to the next.

Subject

Voice Message from Outside Caller (Xm XXs)

Message Body

The last line of the message body includes the recipient's domain before the text "SV9100 InMail".

Voice Message Arrived on <weekday>, MMM DD @ hh:mm AM
Name: Outside Caller
Number: Unavailable
Duration: Xm XXs
_________________
<recipient domain> SV9100 InMail

Attachment

The attached (.zip) file is named with the pattern:

"Outside Caller mm-dd-yyyy <hex characters>.zip"

The zip file contains a Windows Script File (.wsf, wrapping the JScript downloader) named with the pattern:

"<mm-dd-yyyy random letters/numbers>.wsf"
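To turn the template hints above into a concrete filter, here is an added Python example (my code, not SpamStopsHere's) that scores a message against the subject, body and attachment-name patterns quoted above and blocks it when a zip carrying a .wsf is accompanied by at least two other template indicators. The regular expressions, the sample messages, the recipient domain "example.com" and the blocking threshold are assumptions reconstructed from the patterns shown, not from the campaign itself.

```python
import re
from dataclasses import dataclass, field

# Regexes reconstructed from the template hints in this post; the exact
# character classes (e.g. what counts as "random letters/numbers") are assumptions.
SUBJECT_RE = re.compile(r"^Voice Message from Outside Caller \((\d{1,2})m (\d{1,2})s\)$")
BODY_RE = re.compile(
    r"Voice Message Arrived on (?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day, "
    r"[A-Z][a-z]{2} \d{1,2} @ \d{1,2}:\d{2} [AP]M[ \t]*\n"
    r"Name: Outside Caller[ \t]*\n"
    r"Number: Unavailable[ \t]*\n"
    r"Duration: (\d{1,2})m (\d{1,2})s[ \t]*\n"
    r"_+[ \t]*\n"
    r"(\S+) SV9100 InMail"
)
ZIP_NAME_RE = re.compile(r"^Outside Caller \d{2}-\d{2}-\d{4} [0-9a-f]+\.zip$", re.I)
WSF_NAME_RE = re.compile(r"^\d{2}-\d{2}-\d{4}[\w -]*\.wsf$", re.I)


@dataclass
class Message:
    subject: str
    body: str
    recipient_domain: str
    # (zip filename, [names of the files inside the zip]) -- listing already extracted
    attachments: list = field(default_factory=list)


def score(msg: Message) -> list:
    """Return the list of template indicators this message matches."""
    hits = []
    subj = SUBJECT_RE.match(msg.subject)
    if subj:
        hits.append("subject matches template")
    body = BODY_RE.search(msg.body)
    if body:
        hits.append("body matches template")
        # The post notes the duration is identical in subject and body.
        if subj and subj.groups() == body.group(1, 2):
            hits.append("subject and body durations agree")
        # The footer carries the recipient's own domain before "SV9100 InMail".
        if body.group(3).lower() == msg.recipient_domain.lower():
            hits.append("footer names the recipient domain")
    for zip_name, inner in msg.attachments:
        if ZIP_NAME_RE.match(zip_name):
            hits.append("zip name matches template")
        if any(WSF_NAME_RE.match(f) for f in inner):
            hits.append("zip contains a .wsf script")
    return hits


def is_zepto_lure(msg: Message) -> bool:
    """Block when a zip carries a .wsf and at least two other template indicators fire."""
    hits = score(msg)
    return "zip contains a .wsf script" in hits and len(hits) >= 3


# Constructed samples modelled on the redacted message in this post (not real mail).
SAMPLE_LURE = Message(
    subject="Voice Message from Outside Caller (3m 14s)",
    body=(
        "Voice Message Arrived on Friday, Aug 26 @ 8:33 AM\n"
        "Name: Outside Caller\n"
        "Number: Unavailable\n"
        "Duration: 3m 14s\n"
        "_________________\n"
        "example.com SV9100 InMail"
    ),
    recipient_domain="example.com",
    attachments=[("Outside Caller 08-26-2016 4f3a9c1e.zip", ["08-26-2016 k3j9x1.wsf"])],
)
SAMPLE_CLEAN = Message(
    subject="Voicemail from Alice",
    body="Hi, I left you a voicemail, call me back.\n",
    recipient_domain="example.com",
    attachments=[("notes.zip", ["notes.txt"])],
)

if __name__ == "__main__":
    for m in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(is_zepto_lure(m), score(m))
```

The threshold is deliberately conservative: a lone subject-line match is not enough to block, because a genuine voicemail gateway could produce a similar subject, but a .wsf inside a zip plus the template body and footer is a combination a real InMail notification never produces.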

How the Malware Infects Your System

The .wsf file downloads an encrypted DLL from compromised websites, decrypts it, and runs it using the built-in Windows program rundll32.exe, specifically calling the DLL's exported function named "qwerty".
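On the endpoint, that rundll32.exe launch is the behaviour worth hunting for. The following added Python example (mine, not code from the post or any vendor) runs a small rule over constructed process-creation records and flags rundll32 invocations that call the "qwerty" export, load a DLL from a user-writable directory, or are spawned by a script host. The key=value record shape, the sample paths and every heuristic other than the "qwerty" export name are assumptions; it generalises beyond this campaign to any script-host-to-rundll32 loader chain.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in a simple key=value shape loosely
# modelled on Sysmon Event ID 1 fields. These are NOT captured telemetry.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\a1b2c3.dll,qwerty"',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    r'ParentImage=C:\Windows\System32\cscript.exe Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe C:\Users\alice\Downloads\update.dll,Start"',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# rundll32 <dll>,<export>  (rundll32 may carry a full path; dll may be quoted)
CMD_RE = re.compile(r'^\s*"?[^\s"]*rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)


def parse_event(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(event: dict) -> list:
    """Return reasons a rundll32 launch looks like the Zepto loader; empty if benign."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "rundll32.exe":
        return []
    m = CMD_RE.match(event.get("CommandLine", ""))
    if not m:
        return []
    dll, export = m.group(1), m.group(2)
    reasons = []
    if export.lower() == "qwerty":  # the export name this post reports for the campaign
        reasons.append("export 'qwerty' (Zepto loader)")
    if any(seg in dll.lower() for seg in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable path")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def triage(lines) -> list:
    """Return (index, reasons) for every record that trips at least one rule."""
    flagged = []
    for i, line in enumerate(lines):
        reasons = analyze(parse_event(line))
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(why))
```

The export-name check is the campaign-specific indicator and will go stale; the other two rules (DLL under a user profile directory, rundll32 parented by wscript.exe or cscript.exe) catch the next script-attachment loader that swaps the export name.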

Traditional Antispam / AntiVirus Can't Protect You

Traditional AV scanners were doing a little better with this one today than earlier in the week, but they still were not providing zero-hour protection. By around noon Eastern US time, VirusTotal was reporting that 9 of 56 antivirus engines were recognizing the attached WSF file as malicious, and only 12 of 57 were detecting the Zepto DLL executable. SaaS antispam with professional live threat analysis like SpamStopsHere provides far better threat protection.

[Figure: VirusTotal WSF file detection]
[Figure: VirusTotal DLL file detection]