Ransomware is very popular these days, with many different variants constantly popping up. One of the more recent high-impact versions is known as Zepto. We see many different file types abused in these malware campaigns: things like macro-enabled Word documents, .js script files, .wsf Windows Script Files and so on. This morning, though, we had a campaign coming in using the lesser-known .hta file format. This format (HTML Application) is essentially an HTML file that embeds browser-supported scripting. While we have seen this file type used in malware campaigns in the past, it is not one we frequently see.

The emails in question were pretty boring, containing nothing other than an attached zip file. Doing this may offer attackers a few benefits in a broad campaign, such as having no body content for filters to match on and not having to come up with a story about why the victim should open the file. Curiosity about what is in the file may drive many people to open and run the malicious attachment without the attacker even having to ask.

The .hta file contents are written in the obfuscated JavaScript style that we are so used to seeing these days with the .js and .wsf malware. This obfuscation makes the code very confusing and pretty much unreadable to a human; however, the code is still valid and will execute without a problem on the target system.


So once you run the malware, it does what you expect and starts encrypting files. Once the .hta script runs, it contacts a remote command server to download the actual payload, and it also POSTs data to a second server. In testing, one of the first files it encrypted was the Outlook PST file. Since email was the attack vector, this may be a way to lock users out of the source of the malware and hinder any investigation, as well as a reminder of how important email is to the day-to-day operations of a business.


After all is said and done and the malware has done its damage, you get an image file popup as well as an HTML page breaking the bad news and going into detail on how to pay the ransom.



So far this morning, the count we have seen for the campaign is about 11.5 million. Ransomware in general is a very big and obvious reason to take backups and security seriously, given how widespread it is these days. This email also serves as a great example of why you should never open unknown attachments, and that not all bad emails are going to be poorly worded or obvious about what they are trying to get you to do.

The United Services Automobile Association, or USAA, is one of the largest financial institutions in the U.S., offering services to U.S. military personnel and their families. Like any financial institution, it is also exploited by cybercriminals in phishing campaigns. It is so common, in fact, that our AppRiver security research team sees these campaigns frequently. Our team has noticed a steady rise in spam blasts involving USAA in an attempt to defraud its customers. One such campaign is shown in the screenshot below.


This particular USAA phishing blast informs the recipient that a pending transaction requires an additional verification step. The email presents a link for the recipient to complete the transaction. Visually, the spoofed email looks just like a typical USAA message. During our investigation, however, we found several red flags that proved otherwise. The URL provided goes to a compromised website, which at the time of this writing has been taken down. The email also contains the usual discrepancies found in many phishing campaigns, such as a rogue sending IP and a spoofed sender address. The email in question also failed some of our SecureTide automated malware tests.

This campaign most likely seeks to obtain personal information from USAA customers for financial theft purposes. Multiple rules have been coded to block this variant and have currently caught around 3600 emails.

In the last week alone, we have seen more than a handful of other USAA phishing blasts with various payloads. Below is a screenshot of another campaign that we began tracking last week.


This email also visually appears to be legitimate, but the grammatical errors within the message are suspicious. That, coupled with the usual phishing discrepancies and a rogue URL, confirmed this was also a spam email. At the time of writing, SecureTide has quarantined 2,700 of these emails. As always, AppRiver's SecureTide customers are protected.


It is no secret that ransomware has been circulating at a fever pitch on the web as of late. Locky remains the most prolific, despite the fact that new variants of ransomware are being discovered with greater regularity. This morning we have been monitoring a campaign attempting to distribute Locky to millions of unsuspecting users. We have already quarantined over 3 million emails this morning associated with several different variations attempting to spread Locky. Lately, the attackers seem to have taken a "less is more" approach. Most messages contain very little aside from some generic phrases along with an attachment, in this case a macro-enabled document. These are also spoofed to appear to have come from a user at the same domain as the recipient and are posing as a scanned document.
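The sender discrepancies called out in the USAA post above (rogue sending IP, spoofed sender address) and the same-domain spoofing used by this Locky campaign can both be caught with a few header checks at the gateway. The following is an added example, not code from AppRiver or SecureTide; the protected domain (example.com), the internal network range, the legitimate USAA sender domain (usaa.com) and all three sample messages are assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_bytes
from email.utils import parseaddr

# Assumptions for this example: the protected domain is example.com, the only
# hosts allowed to submit mail "from" that domain sit in 10.0.0.0/8, and the
# brands we watch for map to the domains that legitimately send for them
# (usaa.com is assumed here to be USAA's real sending domain).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BRAND_DOMAINS = {"USAA": {"usaa.com"}}

# Constructed sample 1: claims to be a colleague's scanner at the recipient's own
# domain, but the gateway received it from an outside address.
SPOOFED_INTERNAL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from [203.0.113.45] (helo=scanner.example.com) by mx.example.com; Thu, 4 Aug 2016 08:12:03 -0500
From: scanner@example.com
To: alice@example.com
Subject: Scanned document

See attached.
"""

# Constructed sample 2: brand impersonation from a look-alike sender domain.
BRAND_PHISH = b"""Return-Path: <qz7@cheap-host.example.org>
Received: from [198.51.100.9] by mx.example.com; Thu, 4 Aug 2016 08:14:11 -0500
From: "USAA" <alerts@usaa-secure.example.org>
To: alice@example.com
Subject: Additional verification required

Please confirm your pending transaction.
"""

# Constructed sample 3: an ordinary external message that should raise nothing.
CLEAN = b"""Return-Path: <newsletter@usaa.com>
Received: from [198.51.100.20] by mx.example.com; Thu, 4 Aug 2016 08:20:00 -0500
From: "USAA" <newsletter@usaa.com>
To: alice@example.com
Subject: Monthly statement available

Your statement is ready.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _connecting_ip(msg):
    """IP of the host that handed the message to our gateway. It is recorded in
    the topmost Received header, the one our own MX prepended."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def find_red_flags(raw, recipient_domain, internal_nets, brand_domains):
    """Return a list of human-readable header discrepancies for one raw message."""
    msg = message_from_bytes(raw)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # 1. Envelope sender (Return-Path) and header From disagree on domain.
    if rp_dom and from_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 2. From claims our own domain, but the connecting host is not one of ours.
    ip = _connecting_ip(msg)
    if from_dom == recipient_domain.lower():
        if ip is None or not any(ip in net for net in internal_nets):
            flags.append(f"From claims internal domain but connecting host {ip} is external")

    # 3. Display name or domain invokes a watched brand from an unexpected domain.
    for brand, legit in brand_domains.items():
        if brand.lower() in (display or "").lower() or brand.lower() in from_dom:
            if from_dom not in legit:
                flags.append(f"message invokes {brand} but sender domain is {from_dom}")
    return flags


if __name__ == "__main__":
    for label, raw in [("spoofed internal", SPOOFED_INTERNAL), ("brand phish", BRAND_PHISH), ("clean", CLEAN)]:
        print(label, find_red_flags(raw, "example.com", INTERNAL_NETS, BRAND_DOMAINS))
```

These checks are deliberately cheap and independent of SPF or DKIM, so they still fire when a domain has published neither; in practice they belong alongside, not instead of, proper authentication results.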

The following is an example of this morning’s traffic:


Once infected, all of the user's files are encrypted. This is followed shortly after by a prompt to pay the ransom. Though some current ransomware variants have corresponding tools online to help victims decrypt their files, none seems to be a viable solution to this threat. A good backup strategy can save you from having to pay the ransom in these attacks. However, we have seen some recent ransomware variants, such as CryptXXX, that also steal sensitive data in addition to encrypting it, and this is a trend that we expect to continue.

Here are a few steps you can take to limit the potential impact of ransomware:

  • Maintain several robust layers of prevention
  • Consider banning macro-enabled files throughout your organization
  • No matter how innocuous a message may seem, never open an attachment in an unsolicited email; regular user training helps reinforce this
  • Keep regular hot and cold backups
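The second step above (banning macro-enabled files) and the .hta, .js and .wsf attachments described at the top of this page come down to an attachment policy the gateway can enforce. The following is an added example of such a check, not AppRiver's or SecureTide's code; the extension lists, the nesting limit and the in-memory sample archives are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy: extensions that are never delivered. Adjust to your environment.
BLOCKED_SCRIPT_EXT = {".hta", ".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".ps1", ".scr", ".exe"}
BLOCKED_MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVE_EXT = {".zip"}
MAX_DEPTH = 2  # how many nested archives we are willing to open


def classify_name(name):
    """Return a reason string if the file name alone violates policy, else None."""
    ext = PurePosixPath(name).suffix.lower()
    if ext in BLOCKED_SCRIPT_EXT:
        return f"script/executable extension {ext}"
    if ext in BLOCKED_MACRO_EXT:
        return f"macro-enabled Office extension {ext}"
    return None


def scan_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings for one attachment, looking
    inside zip archives so a blocked file cannot hide behind a .zip wrapper."""
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    if PurePosixPath(name).suffix.lower() not in ARCHIVE_EXT:
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, "archive nesting too deep to inspect"))
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # bit 0 of the general purpose flags = encrypted
                    findings.append((member, "encrypted member cannot be inspected"))
                    continue
                if info.is_dir():
                    continue
                findings.extend(scan_attachment(member, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        findings.append((name, "claims .zip but is not a valid zip"))
    return findings


def should_quarantine(name, data):
    """Policy decision: anything with at least one finding is held."""
    return bool(scan_attachment(name, data))


def make_zip(members):
    """Build an in-memory zip from {filename: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a zip wrapping an .hta (the campaign described above),
# and a triple-nested zip that exceeds the inspection depth.
HTA_ZIP = make_zip({"scan_0001.hta": b"<html><script>/* obfuscated loader would be here */</script></html>"})
DEEP_ZIP = make_zip({"i.zip": make_zip({"m.zip": make_zip({"a.js": b"x"})})})

if __name__ == "__main__":
    print(scan_attachment("scan.zip", HTA_ZIP))
    print(scan_attachment("o.zip", DEEP_ZIP))
    print(should_quarantine("report.pdf", b"%PDF-1.4"))
```

Extension checks alone cannot tell a macro-laden legacy .doc from a clean one, and an encrypted or over-nested archive is treated as a finding rather than silently passed, which is the safer default for a gateway.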

This week’s Threat Thursday focuses on a Monster.com phishing email blast that our AppRiver security research team is monitoring. The campaign attempts to impersonate a job notification email from Monster.com, a job listing website.


The email informs the recipient that there is an exciting job opportunity listed on Monster.com and provides a link to view additional information. The URL redirects to a non-Monster website hosting the job listing. The listing is for a Mystery Shopper, someone who gets paid to shop at local stores and review them. The job states that a mystery shopper can receive compensation of $500 per assignment plus reimbursement for any items purchased during an assignment. The website provides a form for the recipient to fill out in order to apply. This form is used to phish information, such as social security numbers, from victims.


There is not much to this phishing campaign. Both the email and the website have a no-frills appearance, and there was not much variation between the sample messages we came across. We did note several inconsistencies during our brief investigation of this campaign, including the sending SMTP server, the URL, the email formatting, etc. Our SecureTide spam filter has quarantined around 4,000 of these messages and will continue to monitor for new variants.

With the imminent release of the iPhone 7, consumers and media outlets alike have been casting their predictions on what is in store for Apple's latest smartphone. Rumors and unverified "leaked" images of the device continue to circulate on the Internet. It is no wonder that cybercriminals seek to take advantage of this golden opportunity by offering consumers a "free iPhone 7."


This week’s Threat Thursday takes a look at a recent spam campaign featuring Apple’s iPhone 7. The campaign attempts to sell itself as a product test invite for the latest smartphone device. The recipient receives an email offering a chance to test drive a new iPhone 7. Curiously, the email informs the recipient that around 50,000 users will be allowed to test the device in a random lottery-like selection. The email instructs the user to click on the provided link to answer a short survey in order to qualify. And of course, a fake iPhone 7 product test offer wouldn’t be complete without an unofficial photo of the device itself as seen in the screenshot above.

It should not take too much to spot this as spam. For starters, Apple is known to be very tight-lipped about unreleased products and services. It would be a huge change in direction for them to a) do a mass product test of a new iPhone device, and b) announce such a test via an email blast. We also noticed some irregularities with the email's source IP, From address and subject line. Couple that with several grammatical errors in the email and you have a not-so-convincing spam message. Better luck next time for these cybercriminals.

AppRiver’s SecureTide engine has several rules in place actively blocking this campaign from reaching our clients. So far over 7,300 emails have been caught and quarantined.