Analysis by: Cedrick Ramos

Ransomware is a common malicious attachment found in spam mail campaigns. In this particular instance, we found samples of two new spam campaigns sporting Locky ransomware making the rounds.

The first sample is a fake voice message notification with the subject 'Message from [Random Number]'. The body of the message is curt and short, simply telling the reader that they've received a voice message. The second sample is a fake invoice notification from a seemingly random sender. 

Just like the previous sample, the body of the email is plain and simple, with a notice saying that the email was sent from the sender's iPhone. Both spammed mails arrive with a .7z attachment containing a malicious .VBS file inside. 

Both versions of the attached file are discovered to be related to Locky ransomware. Further investigation reveals these malicious attachments are already detected by our solutions as Mal_VBSCRDLX. 

Trend Micro customers are fully protected against all aspects of these spam campaigns, from the spammed mails themselves to their malicious payloads. Users are once more reminded to never click on or open email messages coming from unknown or suspicious senders.
 SPAM BLOCKING DATE / TIME: September 26, 2017 GMT-8
 TMASE INFO
  • ENGINE:8.0
  • PATTERN:3354