Introduction

In January 2015, the Asprox botnet switched from sending malware attachments to spamming pornography and diet-related scams [1]. Since then, we've noticed an increase in a different type of malicious spam (malspam). This malspam has zip attachments containing javascript files (.js), and it uses the same type of subject lines we saw from the Asprox botnet prior to 2015 [1]. We still see malspam using zipped .js attachments. One popular theme with this sort of malspam is fake resumes [2]. A reader sent us an example last week on Friday 2015-07-24 [3]. That example infected a computer with CryptoWall 3.0 when we checked it out in our lab environment. We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter and Miuref/Boaxxe.

The malspam

As usual, botnet-based malspam comes from a variety of sources, and it uses variations for the subject line. There's no easy way to filter your queries when trying to retrieve this sort of malspam. After a bit of searching on Monday 2015-07-27, we found malspam spoofing E-ZPass toll charges, FedEx delivery, and a notice to appear in court. I gathered seven of these malspam examples. Details follow:

Date/time: 2015-07-27 08:28 UTC
Date/time: 2015-07-27 08:45 UTC
Date/time: 2015-07-27 11:10 UTC
Date/time: 2015-07-27 12:12 UTC
Date/time: 2015-07-27 12:32 UTC
Date/time: 2015-07-27 12:56 UTC
Date/time: 2015-07-27 14:39 UTC

The attachment

Extract the .js file from the zip archive, and you'll find a highly obfuscated javascript. This is merely a javascript-based file downloader. Tools like jsdetox can deobfuscate the script for you. However, you can easily execute the .js file on a Windows virtual machine to find URLs for the malware. Below is a Wireshark display of traffic generated after executing all seven of the .js files found on 2015-07-27. The IP addresses and domains hosting the follow-up malware are:
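The attachment names in this campaign carry a double extension (the sample below is E-ZPass_0000161034.doc.js), which a file browser that hides known extensions will display as a .doc. As an added example, not code from the diary, here is a mail-gateway style check that opens a zip attachment in memory and flags members whose outermost extension is a script or executable type; the blocked-extension set and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile

# Illustrative block list (assumption): script types and executables that
# the diary and its comments describe as having no business reason to arrive by mail.
BLOCKED_EXTENSIONS = {".js", ".jse", ".exe"}


def blocked_members(zip_bytes: bytes) -> list:
    """Return archive member names whose outermost extension is blocked.

    Only the last suffix is examined, so 'E-ZPass_0000161034.doc.js'
    is reported as a .js even though it is dressed up as a document.
    Unreadable archives are reported as a finding too, so a damaged or
    deliberately malformed zip is held for review rather than passed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]
    flagged = []
    for name in names:
        if name.endswith("/"):          # directory entry, nothing to execute
            continue
        lowered = name.lower()
        # rsplit on the last dot yields the outermost extension (".js" for "x.doc.js")
        ext = "." + lowered.rsplit(".", 1)[1] if "." in lowered else ""
        if ext in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_zip(members: dict) -> bytes:
    """Constructed test attachment: an in-memory zip holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Member name modelled on the diary's sample; the body is a harmless placeholder.
    sample = build_sample_zip({
        "E-ZPass_0000161034.doc.js": b"// placeholder, not the real downloader\n",
        "readme.txt": b"plain text, not flagged\n",
    })
    print(blocked_members(sample))  # ['E-ZPass_0000161034.doc.js']
```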
The traffic I infected a Windows host in a lab environment with one of the .js files, E-ZPass_0000161034.doc.js (MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain of traffic. Three EXE files were downloaded by the .js file. We then saw HTTP POST requests associated with Kovter malware. Traffic also triggered an alert for Miuref/Boaxxe. Later in the pcap, we see click-fraud activity.
Below are alerts for the infection traffic using Security Onion with the EmergingThreats signature set. HTTP GET requests for the three EXE files happened first. All were identified as images in the HTTP response headers, but they were clearly executable files. Below is an example of callback traffic from the Kovter malware. Below is an example of callback traffic from Miuref/Boaxxe. Below is a Wireshark display for some of the click-fraud traffic seen.

The malware

Below are examples of EXE files from the infected host:
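The EXE downloads above were labelled as images in their HTTP response headers. The following added example (not from the diary) shows a detection check for exactly that mismatch: it parses a raw HTTP response, compares the declared Content-Type with the body's magic bytes, and reports a PE executable served as an image. The response bytes are constructed for the example; the body is a stub starting with the MZ header, not a real binary.

```python
# Constructed HTTP response modelled on the diary's observation: the header
# declares image/jpeg while the body begins with the PE "MZ" signature.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    + b"MZ\x90\x00" + b"\x00" * 60
)

# Magic bytes a body should start with when the header says image/*
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")
PE_MAGIC = b"MZ"


def split_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator in response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def classify(raw: bytes) -> str:
    """Label a response: PE disguised as image, other image mismatch, or ok."""
    headers, body = split_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith("image/") and body.startswith(PE_MAGIC):
        return "pe-disguised-as-image"
    if ctype.startswith("image/") and not body.startswith(IMAGE_MAGIC):
        return "image-type-mismatch"
    return "ok"


if __name__ == "__main__":
    print(classify(SAMPLE_RESPONSE))  # pe-disguised-as-image
```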
A pcap of the 2015-07-27 malspam infection traffic is available at:

A zip file of the associated malware and sanitized malspam examples is available at:

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

Final words

Malspam with zipped .js attachments has continued since I first looked into it earlier this year. We're fairly certain this style of malspam will remain an issue. Most spam filters keep these messages from getting to their intended recipients, but filters are never a foolproof method. As botnets continue to send malicious content to the world's inboxes, we should always remain aware of the current threat landscape.

---

References:

[1] https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
Brad, 399 Posts, ISC Handler, Jul 29th 2015
Looking at the default attachment zapper in MimeDefang that I installed back in 2012, I see .js and .jse attachments are automatically sent to oblivion. Can't imagine any users complaining about that one.
IMO the Internet has become fairly safe, except for the careless and negligent. Sadly that appears to include a rather large slice of the population, including the US Office of Personnel Management and the US Census Bureau. The Australian government has deflected all attacks since 2012 when consistent patching was mandated, admin access limited to actual need, and application whitelisting applied in critical areas.

Starlight, 34 Posts, Jul 29th 2015
Thanks for the feedback, Starlight. There shouldn't be a business reason to allow these sorts of files. Malspam with these sorts of attachments can easily be blocked. Other botnet-based malspam sends zipped EXE files, which are also easily filtered. I look at this as another fairly futile attempt to spew more malware to the world's inboxes.

Brad, 399 Posts, ISC Handler, Jul 29th 2015
Brad,
When normally executed, would the user need to download the zip file, unzip the .js file and manually run the .js file, or does infection occur automatically?

SasK, 12 Posts, Jul 29th 2015
Sask,
Yes, the user would need to get the zip file from their email, extract the .js file from the zip, then double-click on the .js file. If the .js file isn't run, the computer shouldn't become infected.

Brad, 399 Posts, ISC Handler, Jul 29th 2015
If they can even see the ".js" because Microsoft nicely hides extensions. Or because their unzipper has the default column width too small as in "NewCreditCardApplicationApproval.js"
Or better yet, because their email system simply cannot open archive files so they just let them through. This one still astounds me in 2015. And my favorite is disabling the built-in attachment extension blocking that is part of Outlook "because people need to email those kinds of files". Yeah, no, they don't. Just this week we got hit with the old ".exe in a .zip" from a HIPAA business associate, a big one in this area. We stopped them all at the gateway but they didn't even know until we called them.

Anonymous, Jul 29th 2015
Our job too often is to protect people from their own negligence. We were getting regular alerts from one senior manager. The person was not happy that we talked to her. The reply? "I'm too busy to read all of these emails. If there is a link in it I'm supposed to click it."
And my favorite? "You know me, I'm a clicker!"

Anonymous, Jul 29th 2015