Blank Emails With No Subject Delivering Locky And Kovter

Office Macro Malware

Just a quick heads-up warning. We are starting to see Locky and Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post. It looks like the Locky gangs are gearing up for a mass malspam run but are still fine-tuning the delivery systems and having a few problems.

We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them and block the malware.

The emails received so far today are totally blank, with no subject. The zip attachment extracts to another zip, which in turn extracts to a supposed .jse file. However, these are not actually encoded JScript (a genuine .jse is JScript.Encode output and is not readable as text). They are plain script with minimal obfuscation, in fact perfectly readable by a human.
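As an added illustration (not part of the original post), the following script shows one way to triage this kind of attachment offline: it walks a zip-inside-zip, picks out any script member, flags a double extension such as .doc.jse, and tells a genuine JScript.Encode file apart from a readable one by the `#@~^` ... `^#~@` markers that the encoder always emits. The sample attachment it builds is constructed for the demo (a harmless two-line script with a misleading name), not the real malspam payload.

```python
import io
import zipfile

# A genuine .jse file is JScript.Encode output and begins with this marker
# (and ends with the mirrored one); a "readable" .jse, as in this campaign,
# is just plain JScript with a misleading extension.
JSE_ENCODED_START = b"#@~^"
JSE_ENCODED_END = b"^#~@"

# Script extensions that WScript/CScript will run when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def iter_nested_members(data, path="", depth=0, max_depth=5):
    """Yield (path, bytes) for every non-zip member, recursing into nested zips."""
    if depth > max_depth:  # guard against zip-in-zip bombs
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            member_path = f"{path}/{info.filename}" if path else info.filename
            if zipfile.is_zipfile(io.BytesIO(payload)):
                yield from iter_nested_members(payload, member_path, depth + 1, max_depth)
            else:
                yield member_path, payload


def classify_script(payload):
    """'jscript.encode' for real encoded scripts, 'plaintext' for readable ones."""
    body = payload.strip()
    if body.startswith(JSE_ENCODED_START) and body.endswith(JSE_ENCODED_END):
        return "jscript.encode"
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "plaintext"


def analyse_attachment(zip_bytes):
    """Return one finding per script member found anywhere inside the (nested) zip."""
    findings = []
    for path, payload in iter_nested_members(zip_bytes):
        name = path.rsplit("/", 1)[-1].lower()
        parts = name.split(".")
        if len(parts) < 2 or "." + parts[-1] not in SCRIPT_EXTS:
            continue
        findings.append({
            "path": path,
            "nesting": path.count("/"),           # how many zips deep the script sits
            "double_extension": len(parts) > 2,   # e.g. .doc.jse
            "content": classify_script(payload),
        })
    return findings


def build_sample():
    """Constructed sample (not the real attachment): zip -> zip -> 38168891.doc.jse."""
    # Harmless, minimally obfuscated script standing in for the campaign's readable .jse.
    script = b'var s = "con" + "structed";\nWScript.Echo(s);\n'
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("38168891.doc.jse", script)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in analyse_attachment(build_sample()):
        print(finding)
```

A gateway rule built on these three signals (script extension inside a nested zip, double extension, content that is plain text rather than JScript.Encode) catches this wave without needing a hash of each day's attachment.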


Date: Mon 16/01/2020 23:30 (arrived 07:35 UTC 17/01/2020)

Subject: blank

Attachment: [zip] extracts to [zip] extracts to 38168891.doc.jse (VirusTotal | Payload Security)


1.bin Locky

2.bin Kovter
