2016-09-18
A little shift in malware packaging that I got to watch
When we started rejecting email with certain sorts of malware in it, almost all of the malware (really ransomware) had a pretty consistent signature; it came as a ZIP archive (rarely a RAR archive) with a single bad file type in it. We could easily write a narrowly tailored rule that rejected an archive with a single .js, .jse, .wsf, and so on file in it. Even when we didn't have such a rule ourselves, it seems that our commercial anti-spam system probably had one itself and so rejected the message.
Of course, nothing stands still in the malware world. A bit later, we saw some ransomware send messages that had two .js files in them (or at least I assume it was ransomware). I extended our rejection rules to reject these too and didn't think much of it; at the time it just seemed like one of the random things that spam and malware and ransomware are always doing.
Fast forward to this past Thursday, when we got hit by a small blizzard of ransomware that was still a single bad file type in a ZIP but this time it was throwing in an extra file. What made the extra file stand out is that the ransomware wasn't giving it any sort of file extension. Based on some temporary additional logging (and a sample or two that I caught), the file names are basic, made up, and actually pretty obviously suspicious; I saw one that was a single letter and another that was entirely some number of spaces.
I assume that this evolution is happening because malware authors have noticed that anti-spam software has latched on to the rather distinctive 'single bad file in ZIP' pattern they initially had. I'm not sure why they used such odd (and distinctive, and suspicious) additional filenames, but perhaps the ransomware authors wanted to make it as unlikely as possible that people would get distracted from clicking on the all-important .js or .jse or whatever file.
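To make the three packaging shapes the post describes concrete (one script file alone; several script files; one script file plus an extensionless, obviously made-up "decoy" name), here is an added example of a member-listing classifier in Python. It is illustration code written for this page, not the author's mail rejection rules or the commercial anti-spam product's logic. The extension set, the verdict labels, the `is_decoy_name` heuristic (whitespace-only or single-character names, the two shapes the post reports) and the constructed sample archives are all assumptions chosen for the example.

```python
"""Classify a ZIP attachment's member listing against the ransomware
packaging patterns described in the post:
  single-script     : one member with a script-type extension, nothing else
  multi-script      : two or more such members, nothing else
  script-plus-decoy : a script member plus extra members that have no
                      extension and an obviously made-up name
Added example, not the blog author's filter; names and labels are assumptions."""

import io
import zipfile

# Extensions the post names, plus a few usually handled the same way
# (assumption: extend to match local policy).
BAD_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def _ext(name):
    """Lower-cased extension of the final path component, '' if none.
    dot > 0 so that a leading-dot name like '.hidden' counts as no extension."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def is_decoy_name(name):
    """True for extensionless names that look made up: whitespace-only
    or a single character (the two shapes the post reports seeing)."""
    base = name.rsplit("/", 1)[-1]
    if _ext(base):
        return False
    stripped = base.strip()
    return stripped == "" or len(stripped) == 1


def classify_members(names):
    """Return a verdict string for a list of archive member names."""
    files = [n for n in names if not n.endswith("/")]  # skip directory entries
    bad = [n for n in files if _ext(n) in BAD_EXTENSIONS]
    others = [n for n in files if _ext(n) not in BAD_EXTENSIONS]
    if not bad:
        return "clean"
    if not others:
        return "single-script" if len(bad) == 1 else "multi-script"
    if all(is_decoy_name(n) for n in others):
        return "script-plus-decoy"
    return "mixed"  # script plus real-looking companions: needs a human or other rules


def classify_zip_bytes(data):
    """Classify a ZIP attachment given as bytes (e.g. a decoded MIME part)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return classify_members(zf.namelist())
    except zipfile.BadZipFile:
        return "not-a-zip"


def make_zip(names):
    """Build a constructed sample archive in memory; member contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the shapes the post describes.
    samples = {
        "single script": ["invoice.js"],
        "two scripts": ["a.js", "b.js"],
        "script + one-letter decoy": ["invoice.js", "x"],
        "script + all-spaces decoy": ["invoice.jse", "    "],
        "ordinary documents": ["report.pdf", "notes.txt"],
    }
    for label, members in samples.items():
        print(f"{label:28s} -> {classify_zip_bytes(make_zip(members))}")
```

The point of splitting `others` out and testing each one with `is_decoy_name` is exactly the gap the post describes: a rule that fires only on "archive contains one script file and nothing else" stops matching as soon as a second, junk-named member is added, while this version still rejects the archive because the extra member explains itself as a decoy rather than as a legitimate companion file.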
(I now expect things here to evolve again, although I have no idea where to. Files with more meaningful names? More files? Who knows.)