There is a possibility that, in the near future, the Locky criminal gang may start to use MHT (MHTML) files as spam email attachments to infect targets with their malicious payload.
The spam distribution technique is evolving by the minute with hackers constantly coming up with newer and newer ideas. Recently, the Cisco Talos security researchers detected a new spam distribution campaign during a quiet period from the Locky developers.
This time, the spam emails are spreading the Fareit Trojan, which is also categorized as a malware downloader and an infostealer. Fareit is an old threat, but what surprised the experts in this particular spam flood was the file attachment used to trick users.
The messages pretend to be an HSBC payment request, and the file attached to them is an MHT document. MHT is a self-contained HTML file, usually created when a web page is saved by a browser or by a word processor such as the Office suite. MHT stands for MIME HTML and its alternative extension is MHTML.
The MHT file downloads an HTA (HTML Application) file, which then downloads a Visual Basic script and, finally, the Visual Basic script itself installs the Fareit Trojan.
During the last couple of months, the Locky gang used many file types as malicious attachments, such as WSF, HTA, JS, etc. What all of them have in common is the ability to connect to the internet and install other applications.
MHT files are also capable of doing that and, given how readily hackers borrow ideas from each other, we may very soon see the Locky ransomware being spread with malicious MHT files.
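Because the article's point is that the attachment type keeps changing while the delivery mechanism (a script-capable file that fetches further stages) stays the same, a mail gateway check should key on both the declared filename and the actual content. The following is an added example written for this page, not code from Cisco Talos or from any product named here; it parses a constructed sample email, flags attachments whose extension is one of the types the article lists (MHT, MHTML, HTA, WSF, JS), and additionally recognises an MHT file by its structure (an MHT is itself a MIME message, so it begins with MIME headers and declares `multipart/related` or carries `Content-Location` headers) so that renaming the file to `.pdf` does not hide it. The HSBC-themed subject and all attachment bodies are constructed sample data; the embedded MHT contains only plain HTML.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types the article names as used to fetch and run further stages:
# MHT/MHTML (Fareit campaign) and WSF, HTA, JS (earlier Locky campaigns).
SCRIPT_CAPABLE_EXTENSIONS = {".mht", ".mhtml", ".hta", ".wsf", ".js"}


def looks_like_mht(data: bytes) -> bool:
    """Content-based check: an MHT/MHTML file is a MIME message, so its first
    bytes carry MIME headers and a multipart/related type or Content-Location
    headers. This does not depend on the filename the sender chose."""
    head = data[:4096].lower()
    return b"mime-version:" in head and (
        b"multipart/related" in head or b"content-location:" in head
    )


def risky_attachments(raw_message: bytes) -> list:
    """Return [(filename, [reasons])] for every attachment that matches either
    the extension list or the MHT content heuristic."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in SCRIPT_CAPABLE_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if looks_like_mht(payload):
            reasons.append("MIME-HTML content")
        if reasons:
            findings.append((name, reasons))
    return findings


# --- constructed sample data (not a real campaign artefact) -----------------

SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_part\"\r\n"
    b"\r\n"
    b"------=_part\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Location: file:///C:/payment_request.htm\r\n"
    b"\r\n"
    b"<html><body><p>Payment request</p></body></html>\r\n"
    b"------=_part--\r\n"
)


def build_sample_email() -> bytes:
    """Constructed message mimicking the article's lure: a payment-request
    theme with (1) an openly named .mht file, (2) the same MHT content renamed
    to .pdf, and (3) a harmless text file that should not be flagged."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "HSBC payment request"  # constructed, mirrors the lure
    msg.set_content("Please see the attached payment request.")
    msg.add_attachment(SAMPLE_MHT, maintype="application",
                       subtype="octet-stream", filename="payment_request.mht")
    msg.add_attachment(SAMPLE_MHT, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"nothing to see here\n", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, why in risky_attachments(build_sample_email()):
        print(f"FLAG {filename}: {', '.join(why)}")
```

The content heuristic is deliberately loose (any MIME message with `multipart/related` matches), which suits a gateway that quarantines for review rather than one that blocks outright; the extension list is the policy knob and would be extended as new attachment types appear, exactly the evolution the article describes.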
“This is yet another example of adversary evolution,” Talos researcher Nick Biasini notes. “As security products continue to evolve and users get smart to various file types, adversaries will keep changing to get users infected.”