We’ve recently been covering scripting attacks in more detail on the Malware Research blog. As explained in a previous post, these attacks can be completely fileless. However, scripts also sometimes arrive as files or accompany file-based malware, and the new strain of Spora malware does just this. It uses a file called “pdf.wsf” (seen here; at the time of this writing, no other antivirus software is listed as blocking the file since it’s a script), which appears as simply “pdf” if the user has the enabled-by-default option “hide extensions for known file types” turned on. As demonstrated in another previous blog post, the file’s icon can easily be spoofed to look like a legitimate PDF file. If the victim double-clicks this file, Windows Script Host (wscript.exe) executes code that downloads the rest of the ransomware and attempts to run the executable payload, either right away or at some later time.
Malware authors primarily use this method of distribution to evade detection. For example, if a user receives an email with a .wsf or .js attachment, the file will often pass both the antivirus on their own machine and the email provider’s attachment scanning as clean, since it is not an “executable” .exe file. In this way, the malware author uses the script to get the executable payload onto the user’s system without them knowing. The good news is that PC Matic SuperShield will prevent this ransomware from running, just as it has in the past, both through the hooking technology used in the product and by blocking the malicious script engine commands. As always, don’t open unknown files, use SuperShield, and if you are concerned about file extensions, be sure to turn them on by following these instructions.
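As an added example (not code from the PC Matic post), the following PowerShell audits a folder for Windows Script Host files whose names are dressed up as documents, the “pdf.wsf” pattern described above, and then turns off the “hide extensions for known file types” setting so the real extension is shown. The list of document-like words, the folder to scan and the function names are assumptions for illustration; the registry value `HideFileExt` is the per-user setting Explorer reads.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 or later,
# run as the user whose Explorer settings and Downloads folder are being checked.

# Extensions executed by Windows Script Host; .wsf and .js are the ones named in the post.
$ScriptExtensions = @('.wsf', '.js', '.jse', '.vbs', '.vbe', '.wsh')
# Constructed list of words a disguised file name is likely to end in to pass as a document.
$DocumentWords    = @('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'jpg', 'png', 'invoice')

function Find-DisguisedScript {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
        Where-Object {
            # "pdf.wsf" has base name "pdf"; "report.pdf.wsf" has base name "report.pdf".
            $base = $_.BaseName.ToLower()
            [bool]($DocumentWords | Where-Object { $base -eq $_ -or $base.EndsWith(".$_") })
        } |
        Select-Object FullName, Length, LastWriteTime
}

function Show-KnownFileExtensions {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    # HideFileExt: 1 = hide extensions of known types (Windows default), 0 = show them.
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value at start-up; restart the shell so open windows pick it up
    # (Windows normally relaunches explorer.exe automatically).
    Stop-Process -Name explorer -Force
}

# Usage: list disguised scripts in the current user's Downloads folder, then show extensions.
Find-DisguisedScript -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
Show-KnownFileExtensions
```

Hits from Find-DisguisedScript are candidates for review, not proof of infection; a legitimate script can have a document-like name, so inspect the file contents before deleting.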