{"id":2548,"date":"2016-07-25T14:07:10","date_gmt":"2016-07-25T07:07:10","guid":{"rendered":"https:\/\/humanit.asia\/?p=2548"},"modified":"2019-07-22T15:02:44","modified_gmt":"2019-07-22T08:02:44","slug":"zepto-ransomware-packed-into-wsf-spam","status":"publish","type":"post","link":"https:\/\/old.humanit.asia\/th\/zepto-ransomware-packed-into-wsf-spam\/","title":{"rendered":"Zepto Ransomware Packed into WSF Spam"},"content":{"rendered":"<div>\n<p>ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware.&nbsp;This tactic is a change from the common JavaScript and macro documents being spammed previously.<\/p>\n<p>Here are actual emails featuring familiar social engineering tactics:<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/1.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-15849 size-full\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/1.png\" sizes=\"(max-width: 643px) 100vw, 643px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/1.png 643w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/1-300x206.png 300w\" alt=\"ransomware spam infected WSF attachment \" width=\"643\" height=\"442\"><\/a><\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/2.png\"><img decoding=\"async\" class=\"aligncenter wp-image-15850 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/2-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/2-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/2-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/2-60x60.png 60w\" alt=\"ransomware spam infected WSF attachment \" width=\"150\" height=\"150\"><\/a><\/p>\n<p><a 
href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/3.png\"><img decoding=\"async\" class=\"aligncenter wp-image-15851 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/3-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/3-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/3-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/3-60x60.png 60w\" alt=\"ransomware spam infected WSF attachment \" width=\"150\" height=\"150\"><\/a><\/p>\n<p>The zip attachments contain the WSF.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15852 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/4-150x82.png\" alt=\"infected WSF file \" width=\"150\" height=\"82\"><\/a><\/p>\n<p><strong>An Interactive Analysis with ThreatAnalyzer<\/strong><\/p>\n<p>To see what we\u2019re dealing with, we turned&nbsp;to ThreatTrack\u2019s <a href=\"https:\/\/www.threattrack.com\/malware-analysis.aspx\">malware analysis sandbox<\/a> ThreatAnalyzer.<\/p>\n<p>We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15853 size-large\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5-1024x431.png\" sizes=\"(max-width: 960px) 100vw, 960px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5-1024x431.png 1024w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5-300x126.png 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5-768x323.png 768w, 
https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/5.png 1307w\" alt=\"Zepto ransomware analysis\" width=\"960\" height=\"404\"><\/a><\/p>\n<p>Since this is a script, we are more concerned with the call tree from WScript.exe. One notable result, encircled above, is the number of modified files. This indicates a high likelihood that the sample is either a virus or ransomware. And considering the proliferation of ransomware attacks lately, that\u2019s our biggest concern.<\/p>\n<p>There are two captured screenshots from our analysis.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15854 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/6-150x150.jpg\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/6-150x150.jpg 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/6-180x180.jpg 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/6-60x60.jpg 60w\" alt=\"Zepto ransomware analysis infection screen\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>Expanding the MODIFIED FILES shows this result.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15855 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7-300x300.png 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7-60x60.png 60w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/7.png 514w\" 
alt=\"ransomware modified files\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>The files affected are renamed with a \u201c.zepto\u201d filename extension.<\/p>\n<p>Given the screenshot and Modified Files artifacts, we can confidently&nbsp;say that this is a variant of the Zepto ransomware.<\/p>\n<p><strong>The WSF Script Behavior<\/strong><\/p>\n<p>Selecting <em>C:WindowsSystem32WScript.exe (3388)<\/em> shows results of the behaviors done by the WSF alone.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15856 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/8-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/8-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/8-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/8-60x60.png 60w\" alt=\"ransomware sandbox analysis\" width=\"150\" height=\"150\"><\/a><\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/9.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15857 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/9-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/9-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/9-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/9-60x60.png 60w\" alt=\"ransomware sandbox analysis\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>It shows that the script created two files and made an HTTP connection to <em>mercumaya.net<\/em>.<\/p>\n<p>Let\u2019s look at the two files in the Temp folder.<\/p>\n<p>This is the binary view of <em>UL43Fok40ii<\/em> file<\/p>\n<p><a 
href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/c.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15860 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/c-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/c-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/c-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/c-60x60.png 60w\" alt=\"Zepto ransomware encrypted code\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>This is the <em>UL43Fok40ii.exe<\/em> file.&nbsp; A complete PE file format.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/d.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15861 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/d-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/d-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/d-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/d-60x60.png 60w\" alt=\"ransomware code processes analysis \" width=\"150\" height=\"150\"><\/a><\/p>\n<p>Having only a difference of 4 bytes in&nbsp;size of 208,008 bytes and 208,004 bytes suggests that the file without the .exe filename extension was decrypted to form the PE executable file. 
Afterwards, the WSF script ran the PE executable with the argument \u201c321\u201d.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/e.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15862 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/e-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/e-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/e-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/e-60x60.png 60w\" alt=\"ransomware sandbox analysis\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>Expanding the Network Connections shows the following.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15858 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/a-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/a-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/a-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/a-60x60.png 60w\" alt=\"ransomware sandbox analysis\" width=\"150\" height=\"150\"><\/a><\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/b.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15859 size-thumbnail\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/b-150x150.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/b-150x150.png 150w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/b-180x180.png 180w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/b-60x60.png 60w\" 
alt=\"ransomware sandbox analysis\" width=\"150\" height=\"150\"><\/a><\/p>\n<p>With the <em>com.my<\/em> suffix from the resolved host, the server seems to be located in Malaysia.<\/p>\n<p>The HTTP header also indicates&nbsp;that the Content-Length was 208,008 bytes. This is the same file size of the encrypted file.<\/p>\n<p>The WSF file executed by the WScript.exe simply downloaded&nbsp;then decrypted a Windows PE file then executed it.<\/p>\n<p><strong>The Downloaded&nbsp;Executable PE file<\/strong><\/p>\n<p>Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/f.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15867 size-full\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/f.png\" sizes=\"(max-width: 530px) 100vw, 530px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/f.png 530w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/f-225x300.png 225w\" alt=\"Zepto ransomware sandbox analysis\" width=\"530\" height=\"706\"><\/a><\/p>\n<ul>\n<li>Posted some info to&nbsp;a server somewhere in Ukraine.<\/li>\n<li>Accessed hundreds of files.<\/li>\n<li>Executed the default browser (Chrome was set as the default browser)<\/li>\n<li>Deleted a file using cmd.exe<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/g.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15869 size-full\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/g.png\" sizes=\"(max-width: 507px) 100vw, 507px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/g.png 507w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/g-300x282.png 300w\" alt=\"ransomware sandbox analysis\" width=\"507\" height=\"477\"><\/a><\/p>\n<ul>\n<li>Connected to shares<\/li>\n<li>Dropped the ransom instructions 
(_HELP_instructions.html). A copy of _HELP_instructions.html is created in every folder where a file was encrypted for ransom.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/h.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15870 size-full\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/h.png\" sizes=\"(max-width: 508px) 100vw, 508px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/h.png 508w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/h-300x252.png 300w\" alt=\"ransomware sandbox analysis help me\" width=\"508\" height=\"427\"><\/a><\/p>\n<ul>\n<li>Created 10 threads.<\/li>\n<\/ul>\n<p>The data posted to the Ukraine site is encrypted. This most likely contains the ID and key used to encrypt the files.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/i.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15872\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/i.png\" sizes=\"(max-width: 490px) 100vw, 490px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/i.png 490w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/i-261x300.png 261w\" alt=\"i\" width=\"490\" height=\"564\"><\/a><\/p>\n<p>ThreatAnalyzer displays the raw data in hexadecimal form. 
A partially converted version of the raw data is shown below:<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/j1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15880\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/j1.png\" sizes=\"(max-width: 620px) 100vw, 620px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/j1.png 620w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/j1-300x195.png 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/j1-75x50.png 75w\" alt=\"j1\" width=\"620\" height=\"404\"><\/a><\/p>\n<p>This malware also renamed a large number of files. This is the encryption routine: each file is encrypted and renamed to a GUID filename with a \u201c.zepto\u201d filename suffix.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/k.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15881\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/k.png\" sizes=\"(max-width: 510px) 100vw, 510px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/k.png 510w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/k-263x300.png 263w\" alt=\"k\" width=\"510\" height=\"581\"><\/a><\/p>\n<p>When searching for files, it targets the phone book file first, then traverses the drive from its root directory.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/l.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15882\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/l.png\" sizes=\"(max-width: 512px) 100vw, 512px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/l.png 512w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/l-300x260.png 300w\" alt=\"l\" width=\"512\" 
height=\"443\"><\/a><\/p>\n<p>Also some notable files that were created. The captured screenshot is the&nbsp;contents of the&nbsp;_HELP_instructions.bmp file.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/m.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15884\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/m.png\" sizes=\"(max-width: 511px) 100vw, 511px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/m.png 511w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/m-300x106.png 300w\" alt=\"m\" width=\"511\" height=\"181\"><\/a><\/p>\n<p>This malware sample attempts to move its running executable to a file in the Temp folder.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/q.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15888\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/q.png\" sizes=\"(max-width: 511px) 100vw, 511px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/q.png 511w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/q-300x69.png 300w\" alt=\"q\" width=\"511\" height=\"118\"><\/a><\/p>\n<p>With Chrome set as the default browser, &nbsp;the malware opens the file _HELP_instructions.html that it previously created&nbsp;in the Desktop. 
It also deletes the malware copy from the Temp folder, probably as part of its clean-up phase.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/o.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15886\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/o.png\" sizes=\"(max-width: 520px) 100vw, 520px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/o.png 520w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/o-300x286.png 300w\" alt=\"o\" width=\"520\" height=\"495\"><\/a><\/p>\n<p>Here\u2019s what _HELP_instructions.html looks like when opened in a browser.<\/p>\n<p><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/p.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15887\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/p.png\" sizes=\"(max-width: 574px) 100vw, 574px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/p.png 574w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/07\/p-300x238.png 300w\" alt=\"p\" width=\"574\" height=\"455\"><\/a><\/p>\n<p>The processes in the call tree under Chrome.exe are most likely invoked by the browser and are not part of this malware.<\/p>\n<p><strong>Prevent Ransomware<\/strong><\/p>\n<p>Syndicates behind today\u2019s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. 
In this case, they attacked using Windows Scripting Files in the hope of passing through email gateways that don\u2019t block WSF attachments.<\/p>\n<p>To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including <a href=\"https:\/\/www.vipreantivirus.com\/business\/endpoint-security.aspx\">advanced endpoint protection<\/a> like VIPRE Endpoint Security, a <a href=\"https:\/\/www.threattrack.com\/malware-analysis.aspx\">malware behavior analysis tool<\/a> like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like <a href=\"https:\/\/www.threattrack.com\/network-security-threats.aspx\">ThreatSecure<\/a>. And regularly back up all your critical data.<\/p>\n<p>VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.<\/p>\n<p>The post <a href=\"https:\/\/blog.threattrack.com\/ransomware-packed-into-wsf-spam\/\" rel=\"nofollow\">Zepto Ransomware Packed into WSF Spam<\/a> appeared first on <a href=\"https:\/\/blog.threattrack.com\/\" rel=\"nofollow\">ThreatTrack Security Labs Blog<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>ThreatTrack Labs has recently observed a surge of spam  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110],"tags":[],"class_list":["post-2548","post","type-post","status-publish","format-standard","hentry","category-security-th"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin 
v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->"}