Ransomware Alert: Zepto (Locky) Voice Message ZIP Attachment

What the Dangerous Email Looks Like

Today's campaign has minimal text, which offers fewer opportunities for the spammer to mess up, adding to its apparent legitimacy and increasing the chance people will click the attachment. Here's a redacted sample:

Email Template Hints

To help you block it and likely variations, we've highlighted some patterns that hint at the template used to create it. The duration of the "voice message" in the subject and body is the same, but changes from one email to the next.

Subject

Message Body

The last line of the message body includes the recipient's domain before the text "SV9100 InMail".

Attachment

The attached (.zip) file is named with the pattern:

"Outside Caller mm-dd-yyyy <hex characters>.zip"

The zip file contains a javascript file named with the pattern:

"<mm-dd-yyyy random letters/numbers>.wsf"

How the Malware Infects Your System

The .wsf file downloads an encrypted DLL from compromised websites, decrypts it, and runs it using the built-in Windows program rundll32.exe, specifically calling the function named "qwerty":

Traditional Antispam / AntiVirus Can't Protect You

Traditional AV scanners were doing a little better with this one today than earlier in the week, but they still were not providing zero-hour protection. By around noon Eastern US time, VirusTotal was reporting that 9 out of 56 antivirus engines were recognizing the attached WSF file as malicious, and only 12/57 were detecting the Zepto DLL executable. SaaS antispam with professional live threat analysis like SpamStopsHere provides far better threat protection.

VirusTotal WSF File Detection VirusTotal DLL File Detection