Locky Spam Wave Switch to MHT Files?

Dirk41 (Thread author)

Mar 17, 2016
It is possible that in the near future we will see the group behind the Locky ransomware use MHT (MHTML) files as email attachments to deliver their malicious payload to victims' machines.

Spam is an ever-evolving scene, with new tricks deployed on a regular basis, and old tricks being recycled and thrust out in the wild.

The security researchers at Cisco Talos have come across a new spam campaign that they've detected during a quiet period from the Locky gang.

Fareit spam run used MHT file attachments

This particular spam flood was delivering the Fareit trojan, which is a malware family that can be categorized as an infostealer and malware downloader.

But Fareit is an old threat that was dissected in all ways possible by a slew of security firms. What caught the Talos team's attention was how the spam campaign operated, and more precisely, the file attached to the email lure.

The email, posing as an HSBC payment request, came with an MHT document. MHT stands for MIME HTML and is a self-contained HTML file, usually generated when saving content from a browser or from a word processor such as those in the Office suite. An alternative extension for MHT is MHTML.

For this particular campaign, the MHT file downloaded an HTA (HTML Application) file, which is another lesser-known HTML-based file format. This HTA file downloaded a Visual Basic script, which in turn downloaded the Fareit malware.

In the past months, Locky used a large number of file types as email attachments, such as JS, WSF, HTA, and others. All these files have one thing in common, and that's the ability to connect online and download other types of content.

MHT files have this ability as well. Knowing how crooks like to borrow from each other's tricks, it's very likely that we may see the Locky gang use MHT files to download and install the Locky ransomware in the near future.
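As an added example (not from the Talos write-up or the article above), here is a defender-side inspector that treats an MHT file as what it is, a multipart/related MIME message: it lists the parts, and flags the two things the download chain described above depends on, inline script and references that reach out to the network for HTA, VBS, JS or WSF content, which a genuinely self-contained saved page has no reason to do. The two MHT samples are constructed for this example, and `placeholder.invalid` is a made-up hostname, not an indicator from the campaign.

```python
import email
import re
from email import policy
from email.message import Message
from typing import Dict, List

# Script-like extensions seen as download stages in Locky/Fareit style chains.
SCRIPT_EXTENSIONS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".exe")
ACTIVE_CONTENT_TYPES = ("application/hta", "text/vbscript",
                        "application/x-javascript", "text/javascript")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed MHT that mimics the pattern in the article: an HTML part whose
# script reference points at a remote .hta. The URL is a placeholder.
SUSPICIOUS_MHT = b"""Subject: Payment request
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/payment.html

<html><body>
<p>Please see the attached payment request.</p>
<script src=3D"http://placeholder.invalid/update.hta"></script>
</body></html>

------=_NextPart_000
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: file:///C:/logo.png

iVBORw0KGgo=

------=_NextPart_000--
"""

# Constructed MHT of a plain saved page: no script, no network references.
CLEAN_MHT = b"""Subject: Saved page
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_001"

------=_NextPart_001
Content-Type: text/html; charset="utf-8"
Content-Location: file:///C:/invoice.html

<html><body><p>Invoice 42: 100 EUR</p></body></html>

------=_NextPart_001--
"""


def _decode_text(part: Message) -> str:
    """Undo the transfer encoding (quoted-printable/base64) and the charset."""
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def inspect_mht(data: bytes) -> Dict[str, object]:
    """Parse an MHT file as MIME, list its parts and collect suspicious findings."""
    msg = email.message_from_bytes(data, policy=policy.default)
    parts: List[Dict[str, str]] = []
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():          # skip the multipart/related container itself
            continue
        ctype = part.get_content_type()
        parts.append({"content_type": ctype,
                      "location": str(part.get("Content-Location", ""))})
        if ctype in ACTIVE_CONTENT_TYPES:   # script shipped directly as a part
            findings.append(f"active-content-part:{ctype}")
        if not ctype.startswith("text/"):   # images and the like: nothing to scan here
            continue
        text = _decode_text(part)
        if SCRIPT_TAG_RE.search(text):
            findings.append("script-tag")
        for url in URL_RE.findall(text):
            # A self-contained saved page carries its resources inline, so any
            # remote reference is worth noting; a script extension even more so.
            findings.append(f"remote-reference:{url}")
            if url.lower().rstrip("/").endswith(SCRIPT_EXTENSIONS):
                findings.append(f"remote-script-download:{url}")
    return {"parts": parts, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_MHT), ("clean", CLEAN_MHT)):
        report = inspect_mht(sample)
        print(name, "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("   ", finding)
```

The check deliberately does not try to emulate the HTA or VBS stages; it only asks whether a file that is supposed to be a self-contained snapshot contains script or reaches out for more content, which is the property the attachment needs in order to serve as a downloader in the first place.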

"This is yet another example of adversary evolution," Talos researcher Nick Biasini notes. "As security products continue to evolve and users get smart to various file types, adversaries will keep changing to get users infected."