The cyber security researchers at Cisco Talos have revealed a new spam campaign by the coders of Locky ransomware, which involves the MHT files, added to the fake e-mails as attachments. The MHT file format refers to MHTML (Mime HTML) files, which are archives used for websites on the IE (Internet Explorer) web browser. This type of archives, within HTML code, can contain javascript, flash files, images, audio files, external links, etc.
The MHT file is attached to the spam e-mail, which is supposedly send from HSBC, a British-based international banking and financial services company, and it is called Bill Payment Advice, namely, Payment_Advice.mht. When the attachment is opened, it downloads the HTA file, which contains a VBScript (Visual Basic Script), which, then, downloads the Fareit trojan – the downloader of the Locky ransomware.
The customers of HSBC banking company has reported the issue to their banking services provider. On their behalf, the representatives of HSBC gave an account of the event to the security analysts of the Cisco Talos company. This new spam campaign by the developers of Locky cryptomalware is still in its infancy. However, users are warned to be suspicious of spam e-mails, supposedly sent from HSBC company and containing the Payment Advice MHT file.
Sources: blog.talosintel.com and bleepingcomputer.com.
