SANS Internet Storm Center

Malicious spam continues to serve zip archives of javascript files
Introduction In January 2015, the Asprox botnet switched from sending malware attachments to spamming pornography and diet-related scams [1]. Since then, we've noticed an increase is a different type of malicious spam (malspam). This malspam has zip attachments containing javascript files (.js), and it uses the same type of subject lines we saw from the Asprox botnet prior to 2015 [1]. We still see malspam using zipped .js attachments. One popular theme with this sort of malspam is fake resumes [2]. A reader sent us an example last week on Friday 2015-07-24 [3]. That example infected a computer with CryptoWall 3.0 when we checked it out in our lab environment. We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter and Miuref/Boaxxe. The malspam As usual, botnet-based malspam comes from a variety of sources, and it uses variations for the subject line. There's no easy way to filter your queries when trying to retrieve this sort of malspam. After a bit of searching on Monday 2015-07-27, we found malspam spoofing E-ZPass toll charges, FedEx delivery, and a notice to appear in court. I gathered seven of these malspam examples. Details follow: Date/time: 2015-07-27 08:28 UTC From: "E-ZPass Manager" ( maurice.mccarthy@server.neleryaptik.com ) Subject: Indebtedness for driving on toll road #00383521 Attachment name: Invoice_00383521.zip - 1,834 bytes - MD5 hash: 9225b83e28ee6bc7cd45e99e50848bc6 Extracted file: Invoice_00383521.doc.js - 11,387 bytes - MD5 hash: c4754dadf67b40e96ecf50694d90e9eb Date/time: 2015-07-27 08:45 UTC From: "E-ZPass Support" ( julio.miller@enggdesign.com ) Subject: Payment for driving on toll road, invoice #000460414 Attachment name: E-ZPass_Invoice_000460414.zip - 1,841 bytes - MD5 hash: 509e4f3dd518113e665423d0068f5d7e Extracted file: E-ZPass_Invoice_000460414.doc.js - 11,709 bytes - MD5 hash: 4750ea90c5c31ab622153025e0537d60 Date/time: 2015-07-27 11:10 UTC From: "E-ZPass Support" ( franklin.belcher@whizpress.com ) Subject: Indebtedness for driving on toll road #00000708707 Attachment name: 00000708707.zip - 1,826 bytes - MD5 hash: 25f07fc22952453665a2c1b6deb0b9d8 Extracted file: 00000708707.doc.js - 11,454 bytes - MD5 hash: 1be977c85a8c4fc9ca6b6be0e41510d7 Date/time: 2015-07-27 12:12 UTC From: "County Court" ( seth.herring@navratanindia.com ) Subject: Notice to appear in Court #00336511 Attachment name: Notice_to_Appear_00336511.zip - 1,878 bytes - MD5 hash: 9efe9f44061259a53b32758c77ae8772 Extracted file: Notice_to_Appear_00336511.doc.js - 11,208 bytes - MD5 hash: d84a2d821108301077b681f4a93ecefc Date/time: 2015-07-27 12:32 UTC From: "FedEx Standard Overnight" ( eric.bowman@33d33.com ) Subject: Courier was unable to deliver the parcel, ID00888397 Attachment name: 00888397.zip - 1,803 bytes - MD5 hash: 594f788933ab6dc05ffc03f528e11c58 Extracted file: 00888397.doc.js - 11,430 bytes - MD5 hash: 2a90f4866bc98479ab5b0c44c8add551 Date/time: 2015-07-27 12:56 UTC From: "E-ZPass Agent" ( sam.hickman@203-189-109-222.virt.lolipop.jp ) Subject: Indebtedness for driving on toll road #00118934 Attachment name: E-ZPass_Invoice_00118934.zip - 1,883 bytes - MD5 hash: d0642234e722f9d9bcd9486c1c6bbb44 Extracted file: E-ZPass_Invoice_00118934.doc.js - 11,973 bytes - MD5 hash: 6af16117fe73ca903884c3684099c695 Date/time: 2015-07-27 14:39 UTC From: "E-ZPass Agent" ( marcus.blackburn@sg2nw8shg132.shr.prod.sin2.secureserver.net ) Subject: Indebted for driving on toll road #0000161034 Attachment name: E-ZPass_0000161034.zip - 1,798 bytes - MD5 hash: c616720fa03b0238459830466657e80c Extracted file: E-ZPass_0000161034.doc.js - 11,064 bytes - MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea The attachment Extract the .js file from the zip archive, and you'll find a highly obfuscated javascript. This is merely a javascript-based file downloader. Tools like jsdetox can deobfuscate the script for you. However, you can easily execute the .js file on a Windows virtual machine to find URLs for the malware. Below is a Wireshark display of traffic generated after executing all seven of the .js files found on 2015-07-27. The IP addresses and domains hosting the follow-up malware are: 209.200.253.29 - avolonage.com 67.195.61.46 - ayuso-arch.com 205.144.171.10 - brigand-001-site2.smarterasp.net 50.116.104.205 - ihaveavoice2.com 205.144.171.57 - mes-sy.com 67.195.61.46 - mrflapper.com 205.144.171.28 - readysetgomatthew.com 174.137.191.22 - selmaryachtmarket.com 104.28.20.89 - www.alec.gr The traffic I infected a Windows host in a lab environment with one of the .js files, E-ZPass_0000161034.doc.js (MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain of traffic. Three EXE files were downloaded by the .js file. We then saw HTTP POST requests associated with Kovter malware. Traffic also triggered an alert for Miuref/Boaxxe. Later in the pcap, we see click-fraud activity. Click on the above image for a full-size view. Below are alerts for the infection traffic using Security Onion with the EmergingThreats signature set. HTTP GET requests for the three EXE files happened first. All were identified as images in the HTTP response headers, but they were clearly executable files. Below is an example of callback traffic from the Kovter malware. Below is an example of callback traffic from Miuref/Boaxxe. Below is a Wireshark display for some of the click-fraud traffic seen. The malware Below are examples of EXE files from the infected host: Kovter - C:\Users\username\AppData\Local\Temp\36140203.exe - 508.1 KB ( 520,246 bytes ) - hybrid-analysis link Miuref/Boaxxe - C:\Users\username\AppData\Local\Temp\50728360.exe - 84.0 KB ( 86016 bytes ) - hybrid-analysis link Third executable - not found on host - 1.5 KB ( 1536 bytes ) - hybrid-analysis link A pcap of the 2015-07-27 malspam infection traffic is available at: http://malware-traffic-analysis.net/2015/07/27/2015-07-27-malspam-infection-traffic.pcap A zip file of the associated malware and sanitized malspam examples is available at: http://malware-traffic-analysis.net/2015/07/27/2015-07-27-malspam-associated-malware.zip The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask. Final words Malspam with zipped .js attachments has continued since I first looked into it earlier this year. We're fairly certain this style of malspam will remain an issue. Most spam filters keep these messages from getting to their intended recipients, but filters are never a full-proof method. As botnets continue to send malicious content to the world's inboxes, we should always remain aware of the current threat landscape. --- Brad Duncan ISC Handler and Security Researcher at Rackspace Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic References: [1] https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/ [2] https://www.trustwave.com/Resources/SpiderLabs-Blog/Cryptowall-and-phishing-delivered-through-JavaScript-Attachments/ [3] https://malwr.com/analysis/ODRiNDRlNDIxYmM0NDRmZThjYWExZTI1OGY5MDJkOWU/	Brad 423 Posts ISC Handler Jul 29th 2015
Thread locked Subscribe	Jul 29th 2015 6 years ago
Looking at the default attachment zapper in MimeDefang that I installed back in 2012, I see .js and .jse attachments are automatically sent to oblivion. Can't imagine any users complaining about that one. IMO the Internet has become fairly safe, except for the careless and negligent. Sadly that appears to include a rather large slice of the population, including the US Office of Personnel Management and the US Census Bureau. The Australian government has deflected all attacks since 2012 when consistent patching was mandated, admin access limited to actual need, and application whitelisting applied in critical areas.	Starlight 34 Posts
Quote	Jul 29th 2015 6 years ago
Thanks for the feedback, Starlight. There shouldn't be a business reason to allow these sorts of files. Malspam with these sorts of attachments can easily be blocked. Other botnet-based malspam sends zipped EXE files, which are also easily filtered. I look at this is another fairly futile attempt to spew more malware to the world's inboxes.	Brad 423 Posts ISC Handler
Quote	Jul 29th 2015 6 years ago
Brad, When normally executed would the user need to download the zip file, unzip the .js file and manually run the .js file or does infection occur automatically?	SasK 12 Posts
Quote	Jul 29th 2015 6 years ago
Sask, Yes, the user would need to get the zip file from their email, extracted the .js file from the zip, then double-click on the .js file. If the .js file isn't run, the computer shouldn't become infected.	Brad 423 Posts ISC Handler
Quote	Jul 29th 2015 6 years ago
If they can even see the ".js" because Microsoft nicely hides extensions. Or because their unzipper has the default column width too small as in "NewCreditCardApplicationApproval.js" Or better yet, because their email system simply cannot open archive files so they just let them through. This one still astounds me in 2015. And my favorite is disabling the built-in attachment extension blocking hat is part of Outlook "because people need to email those kinds of files". Yeah, no, they don't. Just this week we got hit with the old ".exe in a .zip" from a HIPAA business associate, a big one in this area. We stopped them all at the gateway but they didn't even know until we called them.	Anonymous
Quote	Jul 29th 2015 6 years ago
Our job too often it to protect people from their own negligence. We were getting regular alerts from one senior manager. The person was not happy that we talked to her. The reply? "I'm too busy to read all of these emails. If there is a link in it I'm supposed to click it." And my favorite? "You know me, I'm a clicker!"	Anonymous
Quote	Jul 29th 2015 6 years ago

Introduction

In January 2015, the Asprox botnet switched from sending malware attachments to spamming pornography and diet-related scams [1]. Since then, we've noticed an increase is a different type of malicious spam (malspam). This malspam has zip attachments containing javascript files (.js), and it uses the same type of subject lines we saw from the Asprox botnet prior to 2015 [1].

We still see malspam using zipped .js attachments. One popular theme with this sort of malspam is fake resumes [2]. A reader sent us an example last week on Friday 2015-07-24 [3]. That example infected a computer with CryptoWall 3.0 when we checked it out in our lab environment.

We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter and Miuref/Boaxxe.

The malspam

As usual, botnet-based malspam comes from a variety of sources, and it uses variations for the subject line. There's no easy way to filter your queries when trying to retrieve this sort of malspam. After a bit of searching on Monday 2015-07-27, we found malspam spoofing E-ZPass toll charges, FedEx delivery, and a notice to appear in court.

I gathered seven of these malspam examples. Details follow:

Date/time: 2015-07-27 08:28 UTC
From: "E-ZPass Manager" ( maurice.mccarthy@server.neleryaptik.com )
Subject: Indebtedness for driving on toll road #00383521
Attachment name: Invoice_00383521.zip - 1,834 bytes - MD5 hash: 9225b83e28ee6bc7cd45e99e50848bc6
Extracted file: Invoice_00383521.doc.js - 11,387 bytes - MD5 hash: c4754dadf67b40e96ecf50694d90e9eb

Date/time: 2015-07-27 08:45 UTC
From: "E-ZPass Support" ( julio.miller@enggdesign.com )
Subject: Payment for driving on toll road, invoice #000460414
Attachment name: E-ZPass_Invoice_000460414.zip - 1,841 bytes - MD5 hash: 509e4f3dd518113e665423d0068f5d7e
Extracted file: E-ZPass_Invoice_000460414.doc.js - 11,709 bytes - MD5 hash: 4750ea90c5c31ab622153025e0537d60

Date/time: 2015-07-27 11:10 UTC
From: "E-ZPass Support" ( franklin.belcher@whizpress.com )
Subject: Indebtedness for driving on toll road #00000708707
Attachment name: 00000708707.zip - 1,826 bytes - MD5 hash: 25f07fc22952453665a2c1b6deb0b9d8
Extracted file: 00000708707.doc.js - 11,454 bytes - MD5 hash: 1be977c85a8c4fc9ca6b6be0e41510d7

Date/time: 2015-07-27 12:12 UTC
From: "County Court" ( seth.herring@navratanindia.com )
Subject: Notice to appear in Court #00336511
Attachment name: Notice_to_Appear_00336511.zip - 1,878 bytes - MD5 hash: 9efe9f44061259a53b32758c77ae8772
Extracted file: Notice_to_Appear_00336511.doc.js - 11,208 bytes - MD5 hash: d84a2d821108301077b681f4a93ecefc

Date/time: 2015-07-27 12:32 UTC
From: "FedEx Standard Overnight" ( eric.bowman@33d33.com )
Subject: Courier was unable to deliver the parcel, ID00888397
Attachment name: 00888397.zip - 1,803 bytes - MD5 hash: 594f788933ab6dc05ffc03f528e11c58
Extracted file: 00888397.doc.js - 11,430 bytes - MD5 hash: 2a90f4866bc98479ab5b0c44c8add551

Date/time: 2015-07-27 12:56 UTC
From: "E-ZPass Agent" ( sam.hickman@203-189-109-222.virt.lolipop.jp )
Subject: Indebtedness for driving on toll road #00118934
Attachment name: E-ZPass_Invoice_00118934.zip - 1,883 bytes - MD5 hash: d0642234e722f9d9bcd9486c1c6bbb44
Extracted file: E-ZPass_Invoice_00118934.doc.js - 11,973 bytes - MD5 hash: 6af16117fe73ca903884c3684099c695

Date/time: 2015-07-27 14:39 UTC
From: "E-ZPass Agent" ( marcus.blackburn@sg2nw8shg132.shr.prod.sin2.secureserver.net )
Subject: Indebted for driving on toll road #0000161034
Attachment name: E-ZPass_0000161034.zip - 1,798 bytes - MD5 hash: c616720fa03b0238459830466657e80c
Extracted file: E-ZPass_0000161034.doc.js - 11,064 bytes - MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea

The attachment

Extract the .js file from the zip archive, and you'll find a highly obfuscated javascript. This is merely a javascript-based file downloader.

Tools like jsdetox can deobfuscate the script for you. However, you can easily execute the .js file on a Windows virtual machine to find URLs for the malware. Below is a Wireshark display of traffic generated after executing all seven of the .js files found on 2015-07-27.

The IP addresses and domains hosting the follow-up malware are:

209.200.253.29 - avolonage.com
67.195.61.46 - ayuso-arch.com
205.144.171.10 - brigand-001-site2.smarterasp.net
50.116.104.205 - ihaveavoice2.com
205.144.171.57 - mes-sy.com
67.195.61.46 - mrflapper.com
205.144.171.28 - readysetgomatthew.com
174.137.191.22 - selmaryachtmarket.com
104.28.20.89 - www.alec.gr

The traffic

I infected a Windows host in a lab environment with one of the .js files, E-ZPass_0000161034.doc.js (MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain of traffic. Three EXE files were downloaded by the .js file. We then saw HTTP POST requests associated with Kovter malware. Traffic also triggered an alert for Miuref/Boaxxe. Later in the pcap, we see click-fraud activity.

Click on the above image for a full-size view.

Below are alerts for the infection traffic using Security Onion with the EmergingThreats signature set.

HTTP GET requests for the three EXE files happened first. All were identified as images in the HTTP response headers, but they were clearly executable files.

Below is an example of callback traffic from the Kovter malware.

Below is an example of callback traffic from Miuref/Boaxxe.

Below is a Wireshark display for some of the click-fraud traffic seen.

The malware

Below are examples of EXE files from the infected host:

Kovter - C:\Users\username\AppData\Local\Temp\36140203.exe - 508.1 KB ( 520,246 bytes ) - hybrid-analysis link
Miuref/Boaxxe - C:\Users\username\AppData\Local\Temp\50728360.exe - 84.0 KB ( 86016 bytes ) - hybrid-analysis link
Third executable - not found on host - 1.5 KB ( 1536 bytes ) - hybrid-analysis link

A pcap of the 2015-07-27 malspam infection traffic is available at:

http://malware-traffic-analysis.net/2015/07/27/2015-07-27-malspam-infection-traffic.pcap

A zip file of the associated malware and sanitized malspam examples is available at:

http://malware-traffic-analysis.net/2015/07/27/2015-07-27-malspam-associated-malware.zip

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

Final words

Malspam with zipped .js attachments has continued since I first looked into it earlier this year. We're fairly certain this style of malspam will remain an issue. Most spam filters keep these messages from getting to their intended recipients, but filters are never a full-proof method. As botnets continue to send malicious content to the world's inboxes, we should always remain aware of the current threat landscape.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
[2] https://www.trustwave.com/Resources/SpiderLabs-Blog/Cryptowall-and-phishing-delivered-through-JavaScript-Attachments/
[3] https://malwr.com/analysis/ODRiNDRlNDIxYmM0NDRmZThjYWExZTI1OGY5MDJkOWU/

Brad

423 Posts
ISC Handler

Jul 29th 2015

Looking at the default attachment zapper in MimeDefang that I installed back in 2012, I see .js and .jse attachments are automatically sent to oblivion. Can't imagine any users complaining about that one.

IMO the Internet has become fairly safe, except for the careless and negligent. Sadly that appears to include a rather large slice of the population, including the US Office of Personnel Management and the US Census Bureau.

The Australian government has deflected all attacks since 2012 when consistent patching was mandated, admin access limited to actual need, and application whitelisting applied in critical areas.

Starlight

34 Posts

Thanks for the feedback, Starlight. There shouldn't be a business reason to allow these sorts of files. Malspam with these sorts of attachments can easily be blocked. Other botnet-based malspam sends zipped EXE files, which are also easily filtered. I look at this is another fairly futile attempt to spew more malware to the world's inboxes.

Brad

423 Posts
ISC Handler

Brad,

When normally executed would the user need to download the zip file, unzip the .js file and manually run the .js file or does infection occur automatically?

SasK

12 Posts

Sask,

Yes, the user would need to get the zip file from their email, extracted the .js file from the zip, then double-click on the .js file. If the .js file isn't run, the computer shouldn't become infected.

Brad

423 Posts
ISC Handler

If they can even see the ".js" because Microsoft nicely hides extensions. Or because their unzipper has the default column width too small as in "NewCreditCardApplicationApproval.js"

Or better yet, because their email system simply cannot open archive files so they just let them through. This one still astounds me in 2015.

And my favorite is disabling the built-in attachment extension blocking hat is part of Outlook "because people need to email those kinds of files". Yeah, no, they don't.

Just this week we got hit with the old ".exe in a .zip" from a HIPAA business associate, a big one in this area. We stopped them all at the gateway but they didn't even know until we called them.

Anonymous

Our job too often it to protect people from their own negligence. We were getting regular alerts from one senior manager. The person was not happy that we talked to her. The reply? "I'm too busy to read all of these emails. If there is a link in it I'm supposed to click it."

And my favorite? "You know me, I'm a clicker!"

Anonymous