Zepto Ransomware, The New Kid in Town

HTA Downloader delivers Zepto Ransomware

Attack Vector: Email Attachment
Malicious File: it5Ax.hta

The Zepto sample we found this morning came in as a zipped email attachment containing an HTML Application (.hta) file. HTA files combine HTML with one or more scripting languages such as VBScript or JScript, and a quick look at this file (below) shows HTML wrapping obfuscated JScript. The significant danger with HTA files is that once downloaded and run they are treated as a “fully trusted application”: Windows hands the file to mshta.exe, which runs the embedded script with the full privileges of the logged-in user, whereas a regular HTML file opened in a browser is confined to the browser’s security model.

We’ve seen Zepto and its cousin Locky arrive in DOCM attachments in recent months, and I am not surprised to see the evolution to HTA files. DOCM is the macro-enabled Word document format, a document carrying embedded scripts written in VBA (Visual Basic for Applications). Macros, however, don’t run by themselves: the user has to click through Word’s warning and enable them. Whether the file is an HTA or a DOCM, the result is the same; once run, it downloads the malware from its C2 and executes it.

HTA Encoded JScript Downloader
Exploit and Post Infection Traffic

After compromise your files are encrypted and their extensions changed to .zepto, much as Locky changes file extensions to .locky.

Post Compromise the file extensions changed to .zepto

Instructions on how to pay appear on the user’s Desktop and in every affected directory, explaining your predicament.

Desktop Image displays Instructions

Your personal identification ID in the help message is the same as the first half of each scrambled filename.

Locky and Zepto are similar in several regards: both are distributed primarily in massive spam campaigns via zipped JScript attachments, and both leave behind the same types of files, including a similar ransom note.

We expect to see more malware payloads sent as HTA documents, so take a few precautions such as:

  • Change the Folder Options setting in Control Panel to show file extensions, so a double extension cannot hide a script file behind a document-looking name.
  • Configure Office to block macros in documents that came from the internet (Office 2016 exposes this as a Group Policy setting).
  • Change the default program for .JS (and .HTA) files to Notepad, so a double-click displays the script instead of running it.
  • Back up your files regularly.
  • Treat all attachments as suspect.
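As an added example (not code from the original post), the Python below triages a zipped attachment the way a mail gateway or an analyst would, applying the points above to the delivery described earlier: it flags archive members whose extension hands them to a script host (.hta to mshta.exe, .js/.vbs/.wsf and friends to wscript.exe) or that are macro-enabled Office types, catches decoy double extensions that a hidden-extensions setting would mask, and descends into OOXML documents (which are zips) to report a vbaProject.bin, meaning VBA macros are present whatever the outer name claims. The sample archive is constructed inline; the member named it5Ax.hta holds only an inert placeholder, not the real downloader.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands straight to a script host (mshta.exe for .hta,
# wscript.exe for the rest) or that Office opens with macros on offer;
# a double-click on any of these runs code.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".docm", ".xlsm", ".pptm"}
# Types a user expects to be inert; "Invoice.pdf.js" shows up in Explorer as
# "Invoice.pdf" when extensions are hidden.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name):
    """Return the reasons a member name is suspicious (empty list if none)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_EXTENSIONS:
        reasons.append("script or macro-enabled type " + suffixes[-1])
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            reasons.append("decoy double extension " + suffixes[-2] + suffixes[-1])
    return reasons


def triage_zip(data, depth=0):
    """Map each suspicious member of a zip to its findings. Nested zips and
    OOXML documents (which are zips) are opened too, up to two levels deep,
    and their members are keyed as "outer!inner". Non-zip input raises
    zipfile.BadZipFile, which a caller should treat as a finding of its own."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            reasons = classify_name(name)
            # A VBA project inside an Office document means macros are present,
            # whatever the outer file name claims.
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("contains VBA macro project")
            member = zf.read(name)
            if depth < 2 and member.startswith(b"PK"):
                try:
                    nested = triage_zip(member, depth + 1)
                except zipfile.BadZipFile:
                    nested = {}
                for inner, inner_reasons in nested.items():
                    findings[name + "!" + inner] = inner_reasons
            if reasons:
                findings[name] = reasons
    return findings


def build_sample():
    """Constructed sample archive in the shape described in the post. The
    it5Ax.hta member holds an inert placeholder, not the real downloader."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("it5Ax.hta",
                    '<html><script language="JScript">/* placeholder */</script></html>')
        zf.writestr("Invoice_2016.pdf.js", "// placeholder")
        zf.writestr("Report.docm", docm.getvalue())
        zf.writestr("readme.txt", "nothing to see")
    return outer.getvalue()


if __name__ == "__main__":
    for name, reasons in sorted(triage_zip(build_sample()).items()):
        print(name, "->", "; ".join(reasons))
```

The name check is deliberately a blacklist of types that execute on double-click rather than a whitelist of "safe" types, because the attacker controls the name; the vbaProject.bin check is what catches a macro document regardless of that name. Run against a real quarantine folder, the same function fed each attachment's bytes gives a quick first cut before any sandboxing.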

Phish – Credential Harvester

We have been seeing a wave of USAA phish in the last few months. All of the hooks are similar, e.g. “suspicious activity detected on your account, please log in”, “update your records”, etc. The emails have all contained a PDF attachment with a link to a credential harvesting site. In this example the PDF attachment prompts the user to retrieve an online document.

        Sender: usa-security@whosay.com
        Subject: Suspicious Activity Detected
        Malicious Domain: aryasanatco[.]ir
        Malicious URI: /cache/mon.html

        Attachment: UPDATE SERVICE.pdf

Hovering over the link in the email exposes the credential harvesting site aryasanatco[.]ir/cache/mon.html.


  • Always hover over links to see the actual URL before clicking.
  • Avoid the temptation to click links on phones; attackers take advantage of those small screens, where the real URL is hard to inspect.
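The hover check above can be automated for PDF lures. As an added example that is not part of the original post, the Python below pulls every /URI link action out of a PDF, including ones stored inside FlateDecode-compressed streams (where object streams keep annotation dictionaries), and reports any link whose host is not the brand’s real domain, assumed here to be usaa.com. The minimal PDF is constructed inline and carries the harvesting URL from the indicators above only as a string; nothing is fetched.

```python
import re
import zlib
from urllib.parse import urlparse

# A link annotation's action looks like: /A << /S /URI /URI (http://...) >>
# The target is a PDF literal string, in which ( ) and \ may be backslash-escaped.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal):
    """Undo the PDF literal-string escapes that matter for a URL."""
    return re.sub(rb"\\([()\\])", rb"\1", literal)


def extract_uris(pdf):
    """Return every /URI target in the PDF, scanning plain objects and the
    inflated contents of FlateDecode streams. Streams with other filters
    fail to inflate and are skipped."""
    found = [_unescape(m) for m in URI_RE.findall(pdf)]
    for blob in STREAM_RE.findall(pdf):
        try:
            inflated = zlib.decompress(blob)
        except zlib.error:
            continue
        found += [_unescape(m) for m in URI_RE.findall(inflated)]
    return [u.decode("latin-1") for u in found]


def link_mismatches(uris, expected_domain):
    """Return (uri, host) pairs whose host is neither expected_domain nor a
    subdomain of it; these are the links a user should not click."""
    bad = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            bad.append((uri, host))
    return bad


def build_sample_pdf():
    """Constructed minimal PDF: one plain link annotation pointing at the
    harvesting URL from the indicators above (kept only as a string) and one
    legitimate link tucked inside a compressed object stream."""
    lure = b"http://aryasanatco.ir/cache/mon.html"
    packed = zlib.compress(b"6 0 << /Type /Annot /Subtype /Link "
                           b"/A << /S /URI /URI (https://www.usaa.com/) >> >>")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (" + lure + b") >> >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
        b"stream\n" % len(packed) + packed + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    links = extract_uris(build_sample_pdf())
    for uri, host in link_mismatches(links, "usaa.com"):
        print("link leaves the brand domain:", host, "<-", uri)
```

The domain comparison is suffix-based on purpose: www.usaa.com passes, while a lookalike such as a host that merely starts with usaa.com is flagged, which is the whole point of checking the real destination rather than the visible text. Encrypted PDFs or streams using filters other than FlateDecode need a full parser; this script reports only what it can see.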