The operators of the Locky file-encrypting ransomware have switched tactics for a new wave of nasty spam in August.
Bleeping Computer reported at the time that Locky-loaded spam usually contained bogus invoice attachments that, if opened, would display gibberish below instructions to “enable macro if the data encoding is incorrect”.
The latest Locky tactic is the use of DOCM format attachments, according to researchers at FireEye. The .docm extension refers to a Macro-enabled Word document, which Microsoft introduced alongside the more familiar .docx extension in Office 2007.
The spam was directed at recipients across the world, but by far the most affected nation was the US, which accounted for half of the malicious attachments detected by FireEye. It was followed by several Asia Pacific nations, including Japan, Korea, Thailand, Singapore, Hong Kong, and Malaysia. Australia was 12th on FireEye’s list of affected nations.
Industry-wise, FireEye says healthcare was the heaviest hit by the three waves of spam containing Locky ransomware.
Spam dated August 9 includes a “Documents Requested” subject field with an attachment titled “Untitled(354).docm”. A second sample from August 11 had the subject header “New Doc 41-62” with an attachment “New Doc 41-62.docm”. A third on 15 August was titled “Emailing - 1050742880188” with the attachment’s title containing only the number, and a message that “Vicky has asked me to forward you the finance documents (Please see attached)”.
TrendMicro found .docm attachments in a spam campaign from 2014 that was used to spread the banking malware Zbot or Zeus. Recipients had to enable macros to become infected. TrendMicro noted that .DOCM files were an uncommon infection vector since it was still a relatively new format.
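Because a .docm is just an OOXML zip package whose macro code lives in a vbaProject.bin part, a mail gateway can flag macro-enabled Word attachments by content rather than by trusting the file extension. The following is an added illustration, not code from FireEye, Trend Micro or the article; the function names, the "quarantine"/"allow" verdicts and the constructed sample packages are assumptions for the sake of the demonstration.

```python
import io
import zipfile

# Content types Office writes into [Content_Types].xml for macro-enabled Word files
MACRO_ENABLED_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",          # .docm
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",  # .dotm
}
VBA_PART = "vbaproject.bin"  # part name (lower-cased) that holds the VBA project


def classify_ooxml(data: bytes) -> "str | None":
    """'macro-enabled' if the package carries VBA, 'no-macros' otherwise, None if not a zip."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Signal 1: a vbaProject.bin part anywhere in the package
            if any(n.rsplit("/", 1)[-1].lower() == VBA_PART for n in names):
                return "macro-enabled"
            # Signal 2: the declared content type of the main document part is macro-enabled
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if any(t in ct for t in MACRO_ENABLED_TYPES):
                    return "macro-enabled"
            return "no-macros"
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict (assumed policy): the content decides, the extension only adds a note."""
    verdict = classify_ooxml(data)
    if verdict == "macro-enabled":
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return "quarantine" if ext in ("docm", "dotm") else "quarantine (extension mismatch)"
    return "allow" if verdict == "no-macros" else "not-ooxml"


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing; not a real malicious sample."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()
```

Checking the package contents rather than the name also catches a macro-enabled file that was renamed to .docx; the check says nothing about what the macro does, so it is a triage signal, not a verdict on maliciousness.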