Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via unsolicited emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software.
[Figure: Number of blocked emails containing malicious WSF attachments, by month]
According to Symantec, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email.
Why WSF attachments?
“WSF files are designed to allow a mix of scripting languages within a single file,” the researchers explain. “They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.”
Add to this the fact that most users have never heard about WSF files and their interest is easily piqued, and you have a great malware delivery vehicle.
According to the analysis of spam campaigns blocked by the company, the files come packed into .ZIP archives attached to a wide variety of bogus emails (complaint letters, deliveries of travel itineraries, etc.).
Ransomware groups in particular have been employing this new tactic, and Locky is the malware that most users who fall for the trick are saddled with.
What to do?
Since time immemorial (or so it seems), email has been a means for attackers to gain access to accounts, endpoints, and networks.
Spear-phishing emails, laden with malware, malicious links, or false information, continue to pass through defenses despite our best efforts, because attackers constantly change tack to find cracks in them.
“In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources,” the researchers note.
Users, on the other hand, must learn that any attachment or link that has been sent to them without being requested is a potential danger, and be extremely wary of opening it.
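For mail administrators, a filter check for the delivery pattern described above (a WSF file inside a ZIP attachment) might look like the following. This is an added example, not code from Symantec or from the original article; the function names, the extra Windows Script Host extensions besides .wsf, and the sample message are assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .wsf is the type the article names; the other Windows Script Host
# extensions are an assumption added for this example.
SCRIPT_EXTS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe"}

def _ext(name):
    name = name.lower().rstrip(". ")  # Windows ignores trailing dots/spaces
    return name[name.rfind("."):] if "." in name else ""

def scan_zip(data):
    """List script names from a ZIP's directory without extracting anything.
    Names stay readable in password-protected ZIPs; nested ZIPs are not opened."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTS]
    except zipfile.BadZipFile:
        return []

def scan_message(raw):
    """Return the attachments in a raw RFC 822 message that are WSH scripts,
    either attached directly or packed inside a ZIP attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in SCRIPT_EXTS:
            findings.append(name)
        elif payload[:4] == b"PK\x03\x04":  # ZIP magic, whatever the file is called
            findings += [f"{name}!{inner}" for inner in scan_zip(payload)]
    return findings

def build_sample(inner_name="itinerary.wsf"):
    """Constructed test mail: a ZIP attachment holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<job></job>")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Travel itinerary", "a@example.com", "b@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

A gateway would quarantine any message for which scan_message() returns a non-empty list.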