Evolving spam campaigns issuing a new type of ransomware are using different decoy files, researchers said.
Jaff is the new ransomware family that emerged in early May, and has been distributed through the Necurs spam botnet, said researchers at Trustwave.
This comes on the heels of Necurs starting back up in April.
Jaff ended up developed by the same group behind Locky and Dridex, researchers said.
The distribution campaign uses PDF files attached to the spam emails, but with Word documents hidden inside. The email subject ranges from fake invoice notifications to fake payment receipts, and from image scans to random file copies.
The Word document inside the PDF file is meant to download and drop a malware executable, researchers said. The PDF campaigns have been evolving almost daily, with a larger number of embedded files discovered inside recent attachments and with additional layers of obfuscation, Trustwave researchers said.
“These additional files do nothing, and are probably just decoys. But the main .docm file, with its malicious macro, still acts as the malware downloader,” Trustwave’s Homer Pacag said in a blog post.
The PDF file contains an exportDataObject Launch instruction to drop and launch the embedded .docm file. When enabled, the Word document’s vbaProject macro component starts downloading the Jaff ransomware from a specific URL.