"Statement" Email Attachment Installs Zepto Ransomware

We're blocking a ransomware email campaign that claims to be a "financial statement" in an attached zip file. Do NOT click on or open the attachment. It's a JS (JavaScript) file that downloads and executes a DLL that infects your system with Zepto, a Locky ransomware variant.

What the Dangerous Email Looks Like

Today's campaign looks pretty spammy compared to some others we've seen recently. Here's a partially redacted sample:

Subject: Statement

Hi,
The monthly financial statement is attached within the email. Please review it before processing.
King regards,
xxxxx xxxxx

(Topic-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)

The text itself has some pretty clear indicators of spam that should set off alarms. For example, the subject line is very short, there is no recipient name (not even a generic "Dear Customer"), nothing describes what's in the "financial statement" or what it's for, and there's a big typo ("King regards").

Email Template Hints

To help you block it and likely variations, we've highlighted some patterns that hint at the template used to create it.

Message Body

Hi,
The monthly financial statement is attached within the email. Please review it before processing.
King regards,
<first/last name>

(Topic-ID: <56 hexadecimal characters>)

Attachment

The attached (.zip) file is named with the pattern:

"<10-12 hexadecimal characters>.zip"

The zip file contains a JavaScript file named with the pattern:

"monthly_financial_scan <8 hexadecimal characters>.js"

How the Malware Infects Your System

The JavaScript file attached to the email downloads an encrypted DLL from compromised websites, decrypts it, and runs it with the built-in Windows program rundll32.exe, calling the DLL's exported function named "qwerty" with the argument "323".
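As an added example (not code from the original post or from SpamStopsHere), here is a small Python scanner that checks a raw email for the template indicators listed above (subject, Topic-ID, zip and JS file name patterns) and flags a process command line matching the rundll32 launch described in this section. The regexes, the constructed sample message and the "qwerty 323" command-line pattern are my own encoding of what the text describes.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the template hints above; the regexes are my own encoding of them.
TOPIC_ID_RE = re.compile(r"\(Topic-ID: [0-9a-f]{56}\)", re.I)
ZIP_NAME_RE = re.compile(r"^[0-9a-f]{10,12}\.zip$", re.I)
JS_NAME_RE = re.compile(r"^monthly_financial_scan [0-9a-f]{8}\.js$", re.I)
# rundll32 launch described above: export "qwerty" called with argument "323".
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\s+.+?\.dll\s*,\s*qwerty\s+323\b", re.I)

def zip_has_campaign_js(zip_bytes):
    try:  # only member names are inspected; nothing is extracted or run
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return any(JS_NAME_RE.match(n) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def scan_message(raw):
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = []
    if (msg["Subject"] or "").strip() == "Statement":
        hits.append("subject")
    if TOPIC_ID_RE.search(text):
        hits.append("topic_id")
    for part in msg.iter_attachments():
        if ZIP_NAME_RE.match(part.get_filename() or ""):
            hits.append("zip_name")
            if zip_has_campaign_js(part.get_payload(decode=True)):
                hits.append("js_name")
    return hits

def is_zepto_rundll_cmdline(cmdline):
    """Flag a process command line matching the rundll32 launch the text describes."""
    return bool(RUNDLL_RE.search(cmdline))

def build_sample():
    """Constructed look-alike of the campaign email; the JS member is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("monthly_financial_scan 1a2b3c4d.js", "// inert placeholder")
    m = EmailMessage()
    m["Subject"] = "Statement"
    m.set_content("Hi,\nThe monthly financial statement is attached within the email. Please "
                  "review it before processing.\nKing regards,\nxxxxx xxxxx\n\n(Topic-ID: " + "ab" * 28 + ")\n")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="0123456789ab.zip")
    return m.as_bytes()
```

Feed real .eml files to scan_message() from a mail gateway hook and process-creation log command lines to is_zepto_rundll_cmdline(); a hit on zip_name plus js_name is a strong match for this template, and the rundll32 pattern catches the launch stage even if the JS was never scanned.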

Traditional Antispam / AntiVirus Can't Protect You

As with most malware today, traditional antivirus and installed antispam programs are virtually useless against this attack. More than 3 hours after it began, VirusTotal was reporting that only 3 out of 56 antivirus engines were recognizing the attached JavaScript file as malicious, and only 6/54 were detecting the Zepto DLL executable. SaaS antispam with professional live threat analysis like SpamStopsHere provides far better threat protection.

[Figures: VirusTotal JS file detection; VirusTotal DLL file detection]

Why can't traditional antivirus protect me?