​Locky ransomware spreads with macro-enabled .docm Word docs

Caption: Don't open attachments with subject headers like these

Credit: FireEye

Caption: Don't open attachments with subject headers like these

Credit: FireEye

The operators of the Locky file-encrypting ransomware have switched tactics for a new wave of nasty spam in August.

Three months ago computers were hit by a barrage of email spam bearing malicious JavaScript attachments. The malicious attachments were usually hidden within .zip archive files that once opened unloaded Locky ransomware on victims.

Prior to using JavaScript to download and execute Locky, the ransomware network used a malicious macro in a .doc Word document to land an infection. Typically the recipient of the email had to be tricked into enabling macros in Word or .doc file extension. Once macros were enabled, the malicious macro would download an executable file, namely Locky, and start to encrypt files.

Bleeping Computer reported at the time that Locky-loaded spam usually contained bogus invoice attachments that if opened would display gibberish below instructions to “enable macro if the data encoding is incorrect”.

The latest Locky tactic is the use of DOCM format attachments, according to researchers at FireEye. The .docm extension refers to a Macro-enabled Word document, which Microsoft introduced alongside the more familiar .docx extension in Office 2007.

According to FireEye, at the beginning of August Locky’s operators dropped their JavaScript downloads and dialled up three “massive” waves of spam on the 9th, 11th, and 15th of August using malicious .docm attachments.

The spam was directed at recipients across the world, but by far the most affected nation was the US, which accounted for half of the malicious attachments detected by FireEye. It was followed by several Asia Pacific nations, including Japan, Korea, Thailand, Singapore, Hong Kong, and Malaysia. Australia was 12th on FireEye’s list of affect nations.

Industry-wise, FireEye says healthcare was the heaviest hit by the three waves of spam containing Locky ransomware.

Spam dated August 9 includes a “Documents Requested” subject field with an attachment titled “Untitled(354).docm". A second sample from August 11 had the subject header “New Doc 41-62” with an attachment “New Doc 41-62.docm”. A third on 15 August was titled “Emailing - 1050742880188” with the attachment’s title containing only the number, and a message that “Vicky has asked me to forward you the finance documents (Please see attached)”.

Several other security firms have in the past two months reported spam with similar characteristics leading to Locky ransomware.

TrendMicro found .docm attachments in a spam campaign from 2014 that was used to spread the banking malware Zbot or Zeus. Recipients had to enable macros to become infected. TrendMicro noted that .DOCM files were an uncommon infection vector since it was still a relatively new format.

Tags emailjavascriptZeus botnetMacrosencrypted filesLocky ransomwareTrendMircromacro-enabledmalicious macrosZbot

Show Comments