Introduction

I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something I've covered previously in ISC diaries [1, 2]. However, the traffic patterns he saw were somewhat different from what I've seen, so I figured it's time to revisit this type of malspam.

Details

This particular wave of .js malspam started on Wednesday 2016-02-03, and these emails were reported by My Online Security the same day [3]. We continued to see this malspam on Thursday 2016-02-04. I found 13 messages with the following subject lines during the past two days:
Attachment names were different for each of the 13 messages:
Each of the attachments was a zip file that contained a .js file. The .js file is typically launched by Windows Script Host (wscript.exe) when the file is double-clicked on a Windows desktop. The script in these .js files is highly obfuscated. ISC Handler Xavier Mertens wrote a diary on how to examine these scripts [4]; however, I prefer to execute the .js files and see where the traffic takes us.

Traffic and malware

Each of the scripts tried to download and execute three malware items. The HTTP requests were:
I tried all 13 of the extracted .js files and saw the same URL patterns. Unfortunately, by the time I ran these .js files, the malware was no longer available. Fortunately, others had already run the malware through different online tools, and I was able to find all three items downloaded by the .js files.

script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE
script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE
script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE

Based on the callback traffic reported on the first sample, that file appears to be CryptoWall. I haven't had the time to dig into the other two items.

Final words

After posting this diary, someone deobfuscated the script from the .js files and emailed me the results (Thanks, Ali!). Images of the work are included below.
The malspam and malware samples can be found here. My thanks to Chris, who emailed me about this most recent wave of malspam.

---

References:
[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
Brad 433 Posts ISC Handler Feb 7th 2016
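The diary describes the delivery mechanism (a zip attachment wrapping a .js file that Windows Script Host runs on double-click) but not how to spot such attachments in bulk. The following PowerShell is an added example, not code from the diary or from ISC: it opens each archive read-only with the .NET ZipFile class, without extracting anything, and reports entries whose extension Windows Script Host would execute. The function name, the extension list and the constructed sample archive (a harmless one-line .js written to a temp folder) are my own assumptions for the demonstration.

```powershell
# Added example (not from the ISC diary): list entries inside zip attachments
# that carry Windows Script Host file types. Nothing is extracted or run.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions that Windows hands to wscript.exe/cscript.exe by default.
# (Assumed list; extend it to match your own file-association policy.)
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh')

function Find-ScriptInZip {
    param([Parameter(Mandatory)][string]$ZipPath)
    $hits = @()
    # OpenRead only parses the central directory; entry bodies stay untouched.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            # Directory entries have an empty Name; skip them.
            if ($entry.Name -eq '') { continue }
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($ScriptExtensions -contains $ext) {
                $hits += [pscustomobject]@{
                    Archive = $ZipPath
                    Entry   = $entry.FullName
                    Bytes   = $entry.Length
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $hits
}

# --- constructed demo input (not a real sample) -----------------------------
$work = Join-Path $env:TEMP ('jszip-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$sample = Join-Path $work 'invoice_2016-02-04.js'   # constructed file name
Set-Content -Path $sample -Value 'WScript.Echo("constructed harmless sample");'
$archive = Join-Path $work 'invoice_2016-02-04.zip'
Compress-Archive -Path $sample -DestinationPath $archive

# Scan every zip in the working folder; in practice point this at the
# directory where your mail gateway quarantines attachments.
Get-ChildItem -Path $work -Filter '*.zip' |
    ForEach-Object { Find-ScriptInZip -ZipPath $_.FullName } |
    Format-Table -AutoSize

Remove-Item -Recurse -Force $work
```

The check keys on the inner file's extension rather than the archive's, because the zip itself looks benign to a simple attachment filter; that is exactly why this wave wraps the script in a zip. A nested archive (zip inside zip) would not be caught by this pass and would need the same routine applied recursively.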
(I hope chars such as backslashes don't get removed while posting this)
D:\>assoc .js
.js=JSFile

D:\>ftype jsfile
jsfile=C:\Windows\System32\WScript.exe "%1" %*

I don't see any reasons why I would want to automatically execute Javascript files on my PC, so I edited the registry, under key HKEY_CLASSES_ROOT\JSFile\Shell\:

Subkey Open\Command\
Old: (Default)=C:\Windows\System32\WScript.exe "%1" %*
New: (Default)=C:\Windows\System32\Notepad.exe %1

Subkey Open\Command2\
Old: (Default)=C:\Windows\System32\CScript.exe "%1" %*
New: (Default)=C:\Windows\System32\Notepad.exe %1

Note: the "New" value was copied from subkey Edit\Command\, valuename "(Default)".

Result:
D:\>ftype jsfile
jsfile=C:\Windows\System32\Notepad.exe %1

If this breaks anything, I'll let the readers know in a follow-up post.
Erik van Straten 129 Posts
Feb 5th 2016
Hmm, interesting, I posted the contribution above logged on as Erik van Straten (at the top of the page it reads "Welcome back, Erik van Straten!" so I /am/ logged on), but according to the sidebar the message was posted by "Anonymous".
Ah, the issue fixes itself after some time has passed. Sorry for bothering you! Erik van Straten
Erik van Straten 129 Posts
Feb 5th 2016
Quoting Erik van Straten: Windows Resource Protection or updates to the Windows Script Host will restore (thanks to "component based servicing") the original command lines. [HKEY_CLASSES_ROOT\jsfile\Shell] @="Edit" is less invasive and shows the same result.
Anonymous
Feb 5th 2016
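Two mitigations are described in the comments above: Erik's rewrite of the Open and Open\Command2 commands to Notepad, and the less invasive alternative of setting the default verb of the jsfile class to "Edit" so that a double-click runs the existing Edit command instead of Open. The PowerShell below is an added example, not code posted by either commenter: it applies the default-verb approach, reads the value back, and records the previous value so the change can be reversed. The function names are mine; the registry path and the "Edit" verb are the ones named in the comments.

```powershell
# Added example (not from the diary or its comments): make a double-clicked
# .js file open in the editor rather than run under wscript.exe by setting the
# default verb of the jsfile class to "Edit". Needs an elevated prompt, since
# HKEY_CLASSES_ROOT here resolves to the machine-wide class registration.
$ShellKey = 'Registry::HKEY_CLASSES_ROOT\jsfile\Shell'

function Get-JsDefaultVerb {
    # Returns the current default verb, or $null when none is set (Windows
    # then falls back to "Open", i.e. the wscript.exe command line).
    (Get-ItemProperty -Path $ShellKey -ErrorAction Stop).'(default)'
}

function Set-JsDefaultVerb {
    param([AllowNull()][string]$Verb)
    if ([string]::IsNullOrEmpty($Verb)) {
        # Clearing the value restores the original "Open" behaviour.
        Remove-ItemProperty -Path $ShellKey -Name '(default)' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $ShellKey -Name '(default)' -Value $Verb
    }
}

# Confirm the Edit verb actually exists before relying on it.
if (-not (Test-Path (Join-Path $ShellKey 'Edit\Command'))) {
    throw "No Edit\Command under $ShellKey; nothing safe to switch to."
}

$before = Get-JsDefaultVerb
"Default verb before: '$before'"

Set-JsDefaultVerb -Verb 'Edit'
"Default verb after:  '$(Get-JsDefaultVerb)'"

# ftype reports the Open command, which this change leaves untouched, so the
# output below still shows WScript.exe; the protection lives in the default
# verb, not in the Open command itself.
cmd /c 'ftype jsfile'

# Roll back with:  Set-JsDefaultVerb -Verb $before
```

Because only the default verb changes, a servicing update that rewrites the Open command line (the concern raised in the comment) leaves this setting in place. Users who genuinely need to run a .js file can still do so explicitly through cscript.exe or the context menu, which is the trade-off a desktop policy should be aware of.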
Hi Brad,
I have analyzed phishing emails that looked very similar. It was Cryptowall, Pony Downloader and Andromeda. Not only are they ransoming the victim, they are stealing creds and wallets.
Isif 5 Posts
Feb 8th 2016
Quoting Isif: It was Cryptowall, Pony Downloader and Andromeda. Not only are they ransoming the victim they are stealing creds and wallets. Thanks for the info. Yeah, they're going after more than just a one-time ransom.
Brad 433 Posts ISC Handler
Feb 18th 2016