Zepto spam campaign swells to 137,000 emails in four days

Cisco Talos researchers were surprised that spam email was used for ransomware

In keeping with the rising popularity of Locky/Zepto, a spam campaign distributing Zepto ransomware swelled from zero to 137,731 emails with malicious attachments using a new naming convention in just under four days, researchers at Cisco Talos observed.

“The surprise for us was the use of spam-email for ransomware,” Warren Mercer, the security researcher at Cisco Talos who penned a Thursday blog, told SCMagazine.com. “We continue to analyse the malware to determine if there is anything out of the ordinary or special about it.”

The naming convention for the campaign, which began June 27, is “swift [XXX|XXXX].js”, where the Xs are a combination of letters and numbers; the researchers have seen both three- and four-character strings following the name “swift.”

Analysing JavaScript samples, Talos was able to identify 3,305 unique samples that followed that naming convention and used a compressed .zip file containing the malicious .js. The emails included a number of subject lines, including “report”, “financial report”, “new invoice” and “documents copy”.

A message in the body of the email instructs users to look at the attached documentation, a .zip file named by a mashup of the name of the user the email is sent to plus an underscore followed by a random number.
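A mail-gateway triage check built from the attachment and subject details reported above, as an added example (not Talos's or SC Magazine's code); the recipient name, zip file name and zip contents are constructed samples, and the scoring approach is an assumption:

```python
"""Gateway-style check for the Zepto spam campaign's attachment pattern."""
import io
import re
import zipfile

# Attachment naming convention reported for the campaign: "swift [XXX|XXXX].js"
SWIFT_JS_RE = re.compile(r"^swift [a-z0-9]{3,4}\.js$", re.IGNORECASE)
# Outer .zip is named "<recipient>_<random number>.zip" per the article
OUTER_ZIP_RE = re.compile(r"^(?P<user>[^_]+)_\d+\.zip$", re.IGNORECASE)
# Subject lines cited in the article (normalised to lower case)
SUSPECT_SUBJECTS = {"report", "financial report", "new invoice", "documents copy"}


def inspect_attachment(zip_name, zip_bytes, subject, recipient_local_part):
    """Return a list of reasons the attachment matches the campaign pattern.

    An empty list means nothing matched. Reasons are cumulative so a
    triage rule can weight them (e.g. quarantine on two or more) - assumed
    policy, not something the article prescribes."""
    reasons = []
    m = OUTER_ZIP_RE.match(zip_name)
    if m and m.group("user").lower() == recipient_local_part.lower():
        reasons.append("zip named <recipient>_<number>.zip")
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        reasons.append("subject matches campaign lure")
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for member in zf.namelist():
                base = member.rsplit("/", 1)[-1]  # ignore any folder prefix
                if SWIFT_JS_RE.match(base):
                    reasons.append(f"member '{base}' matches swift [XXX|XXXX].js")
                elif base.lower().endswith(".js"):
                    reasons.append(f"member '{base}' is a script inside a zip")
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip")
    return reasons


def build_sample_zip(member_name, content=b"// constructed placeholder, not malware\n"):
    """Build an in-memory zip for testing (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("swift 7a4c.js")  # constructed member name
    print(inspect_attachment("jsmith_48213.zip", sample, "new invoice", "jsmith"))
```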

Once the malicious JavaScript is executed, it launches HTTP GET requests, using “wscript.exe,” to defined C2 domains. The blog post noted differences in the samples at this point: “some would initiate connectivity to a single domain, whilst others, would communicate with up to 9 domains.”

After a binary is downloaded and executed, local files are encrypted and a ransom demand is issued. The user receives help screens “both from Internet Explorer for the .HTML file dropped by the malware, an image file presented with Windows Picture & Fax Viewer and also a background/wallpaper change to highlight you have been encrypted using this piece of malware”.

Mercer considers the campaign “to be a serious threat as there is no viable method of decrypting the information”.

The malware, he said, “specifically attempts to hold the end user at ransom for payment in Bitcoin. Depending on the files that are encrypted by this ransomware then the user could be in difficult circumstances if it were business related files, for example.”

While the campaign does not represent a new method of attack, it is gaining some traction, the researchers said. The uptick “could be due to Zepto trying out a new spam campaign to see how efficient it is as an attack vector for ransomware – generally speaking most ransomware is delivered via other vectors currently,” said Mercer.