Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Malicious spam with zip attachments containing .js files - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious spam with zip attachments containing .js files

2015-09-16 update:  Paul Burbage at Phish Me also published a write-up about this on Friday 2015-09-11 at: http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/

Introduction

On 2015-07-29, the ISC published a diary covering malicious spam (malspam) with zip archives of javascript (.js) files [1].  Since then, we've received notifications from others who have found this type of malspam.  Let's revisit the spam filters, search for this type of email, and see if anything has changed.

Background

Although zipped .js attachments in malspam is nothing new, we noticed a significant increase since January 2015.  This appears to be botnet-based malspam, and we've noticed different payloads as the second-stage download after running the .js file.

A few points to make, before we proceed:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly-administered Windows host using software restriction policies should prevent an infection.
  • A properly-administered spam filter will prevent this type of malspam from reaching the recipient's inbox.

As long as your organization's network is administered correctly, there's no real chance of infection.  Which begs a question.  Why do we still see this malspam every day?

The answer?  We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation.  Why else would we still see it?

The malspam

We searched our spam filters for the past week and found five different themes used for this malspam:

  • American Airline e-tickets
  • Charge for driving on a toll road
  • FedEx delivery notification
  • IRS tax refunds
  • Notices to appear in court

The ones we've discovered so far have all been plain-text messages with zip attachments containing .js files.  They're fairly easy to identify.


Shown above: A list of some .js malspam caught by our spam filters during the past few days.

Below are screenshots showing some of the themes we saw from this malspam during the past week:

We gathered eight malspam examples from the past few days.  Details follow: 

Date: Thursday, 2015-09-08 11:44 UTC
From: E-ZPass Manager ( arnold.savage@199.195.117.231.static.a2webhosting.com )
Subject: Payment for driving on toll road, invoice #00000893738
Attachment: E-ZPass_00000893738.zip - MD5 hash: 687141bd2a548889cd2cd7c59c5cd425
Extracted file: E-ZPass_00000893738.doc.js - MD5 hash: e1d4b1ec9717ae9aed02c1c5395ffc1b

Date: Tuesday, 2015-09-08 23:38 UTC
From: FedEx Ground ( armando.madden@liastudio.ru )
Subject: Courier was unable to deliver the parcel, ID00524666
Attachment: Delivery_Notification_00524666.zip - MD5 hash: 06868d58f113c9b746acfbf51b25b1a8
Extracted file: Delivery_Notification_00524666.doc.js - MD5 hash: 1ad9f4f8e051fa5bada2c1b57dbc5c24

Date: Thursday, 2015-09-10 07:45 UTC
From: District Court ( glen.bartlett@judcred.org.br )
Subject: Notice of appearance in Court #00000516375
Attachment: 00000516375.zip - MD5 hash: 2403b4b255ca3b84e0ff4fd43b8b6c99
Extracted file: 00000516375.doc.js - MD5 hash: 06b5e08e8c943d8440baf4148bd2b14f

Date: Saturday, 2015-09-12 21:52 UTC
From: America Airlines ( orders@aa.com ) - spoofed sender
Subject: Ticket information regarding your order #000735142
Attachment: 00735142.zip - MD5 hash: 85605e67e3afdfc2b9d8d0864b1f0891
Extracted file: 000735142.doc.js - MD5 hash: b4a2d86ee289780ea42882bdcfbf22c8

Date: Monday, 2015-09-14 23:15 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: New payment for tax refund #0000333948
Attachment: Refund_Payment_Details_0000333948.zip - MD5 hash: 54f889567831ed6ae987ef7afb225796
Extracted file: Refund_Payment_Details_0000333948.doc.js - MD5 hash: 733d87c6703bcaf2639a08bb7a011e3e

Date: Tuesday, 2015-09-15 06:03 UTC
From: ( quadernc@webhosting1100.interserver.net ) on behalf of Internal Revenue Service ( office@irs.gov )
Subject: New payment for tax refund #000346071
Attachment: Refund_Payment_Details_000346071.zip - MD5 hash: 774e8165338e3d06b7bf192951308148
Extracted file: Refund_Payment_Details_000346071.doc.js - MD5 hash: 5483e0b8a4ef2ade0f5b1e0d085ef2a3

Date: Tuesday, 2015-09-15 11:20 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #000200199
Attachment: Tax_Refund_000200199.zip - MD5 hash: 652a1bf18ef1a914cbbe91fde63c98d6
Extracted file: Tax_Refund_000200199.doc.js - MD5 hash: ec3de6bcb421d482242d95b055f49ce0

Date: Tuesday, 2015-09-15 13:03 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #00000106406
Attachment: 00000106406.zip - MD5 hash: 079c91fce37f0b2ec37178795455e43a
Extracted file: 00000106406.doc.js - MD5 hash: 0835c11379f639ec460bce73703cfe3a

The attachment

Extract the .js file from the zip archive, and you'll still find highly-obfuscated javascript.  Just like last time, this is merely a javascript-based file downloader.

We executed several of the .js files on a Windows host so we could find URLs for the follow-up malware.  Below is a Wireshark display of traffic we generated.

IP addresses and domains hosting the follow-up malware were:

  • 64.239.115.111 - 64.239.115.111 (no domain name)
  • 67.195.61.46 - ayuso-arch.com **
  • 66.147.242.176 - bisstt.com
  • 199.175.49.19 - crossfitrepscheme.com
  • 72.20.64.58 - dickinsonwrestlingclub.com
  • 174.36.231.69 - dominaeweb.com
  • 96.31.36.46 - idsecurednow.com
  • 50.116.104.205 - ihaveavoice2.com **
  • 208.43.65.115 - laterrazzafiorita.it
  • 76.74.242.190 - les-eglantiers.fr
  • 23.91.123.160 - leikkihuone.com
  • 174.137.191.22 - selmaryachtmarket.com **
  • 69.89.31.73 - syscomm.smartlanka.net

NOTE: Domains with ** hosted malware for other .js malspam as noted in our previous diary covering this subject on 2015-07-29.

The traffic

We infected a Windows host in a lab environment with the most recent sample of .js malware, 00000106406.doc.js (MD5 hash: 0835c11379f639ec460bce73703cfe3a).  This provided a full infection chain of traffic.  Like last time, three .exe files were downloaded by the .js file.  Post infection traffic triggered alerts for Corebot, Miuref/Boaxxe, and Kovter.B malware.


Click on the above image for a full-size view.

Below are alerts on the infection traffic using Security Onion with the EmergingThreats signature set.

HTTP GET requests for the three .exe files happened first.  All were identified as .gif images in the HTTP response headers, but they were clearly executable files.  

Feel free to dig into the traffic for more details.  A link to download the pcap is included in the final words for this diary.

The malware

Below are samples of .exe files downloaded to our infected lab host:

File name:  2015-09-15-js-malware-first-download.exe

  • File size:  305.0 KB ( 312,360 bytes )
  • MD5 hash:  41959be39cf634fa4344396940d680c7
  • SHA1 hash:  a4c6b301e62a67ba28d2ae4347093c80c25dac89
  • SHA256 hash:  462a93d028eca2e116cf8818f6b299adba372895eeffb71f7ffbd95347f939fe
  • Detection ratio:  12 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

File name:  2015-09-15-js-malware-second-download.exe

  • File size:  127.6 KB ( 130,680 bytes )
  • MD5 hash:  56451b5b6ff6f9cbfeb221b80943f75f
  • SHA1 hash:  298bc25dc9a55590ae002b255b384c478163d0c8
  • SHA256 hash:  853b50ac132100c8176229d5144716b8b86033293bce4064ecfd7107cea8e3ec
  • Detection ratio:  0 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

File name:  2015-09-15-js-malware-third-download.exe

  • File size:  453.5 KB ( 464,384 bytes )
  • MD5 hash:  6b83ab0582fb59e89c090ec91b31db7a
  • SHA1 hash:  06a8713fe2dacfc0d59345b0a3317154a961a68b
  • SHA256 hash:  d567404c7ec78e23a5661fbc242d15107f9327a810ffc241c338e39487448979
  • Detection ratio:  3 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

Final words

We haven't noticed any significant change after comparing this malspam to our previous diary about it on 2015-07-29.  Assuming people continue to get infected by the malspam, we will likely continue to see it caught by our spam filters.  

Most spam filters prevent these messages from getting to their intended recipients, but filters are never a full-proof method.  As botnets continue trying to flood the world's inboxes with malicious content, we should always remain aware of the current threat landscape.

Below are links for the associated files.

A .csv spreadsheet with some dates, times (CDT), senders, and subject lines of the malspam for this diary:

A zip archive containing eight sanitized examples of the malspam (.eml files) used for this diary:

A pcap of the 2015-09-15 infection traffic:

A zip archive of the associated malware:

The zip archives are password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/

Brad

259 Posts
ISC Handler
Just a minor correction in that Java is not required to be installed to execute the .js downloader, but instead is typically launched by Windows Script Host (wscript.exe) when the .js file is double-clicked.
Deepfreeze

1 Posts Posts
Thanks, Deepfreeze.

You'll find the diary revised as we speak. Someone else also pointed that out to me earlier, so I updated it. I'd been getting java mixed up with Javascript and the Windows script host (should've known better).

Thanks again,

- Brad
Brad

259 Posts Posts
ISC Handler
We've seen fake job applications, with the supposed CV attached. We do block .JS files (even inside .ZIP) - but they sometimes come inside .HTML files and they can be harder to filter as there are a lot of reports in .HTML file format going around.

It really must be hard for the HR staff to sift through the "jobs@" / "career@" mailboxes to find gold amidst all the rubble and malicious content.
dotBATman

58 Posts Posts
You forgot two (or three) more points why an infection requires a REALLY ignorant user:
* Windows displays a warning when the user double-clicks the *.ZIP since the attachment manager (introduced about 11 years ago with XP SP2, see https://support.microsoft.com/en-us/kb/883260) adds a mark-of-the-web alias "zone identifier" (see http://blogs.msdn.com/b/ieinternals/archive/2012/06/20/loading-local-files-in-enhanced-protected-mode-in-internet-explorer-10.aspx, http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx or http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx) when the *.ZIP is stored on disk;
* Windows displays another warning when the user tries to extract files from a *.ZIP with a mark-of-the-web;
* Windows displays a third warning when the user double-clicks the extracted *.JS since this too carries a mark-of-the-web.
Anonymous

Posts
Very good article Brad. Always learn from you.

Spam emails are also part of my research. Few things I always look for :

1. Sender domain
2. Language and grammar of the email.
3. Attachment names

After than the investigation starts using tools such as wireshark, security onion etc. I am still learning and your blogs always helps.

@Anonymous - humans is the highest threat to an organisation and can easily be manipulated due to lack of education or awareness. I believe this is not their ignorance however fear/paranoia that they may have made a mistake unknowingly or victim of a crime such as your credit card has been used. As security or cyber attack news have been pounded on the people, it is obvious that in the name of being safe they tend to go towards non-safe. And not all are windows users.
makflwana

17 Posts Posts
Just to add: Sanesecurity.Malware.25668.JsHeur is now picking these up using ClamAV 3rd party signatures.

Thanks for the samples.

Cheers,

Steve
Sanesecurity.com
Sanesecurity

21 Posts Posts
"And not all are windows users."

Since the malspam targets only Windows and Brad enumerated some of the obstacles provided there, but forgot three in his enumeration, I felt free to add them.

JFTR: there a similar obstacles for users of other operating systems to overcome when they want to execute a *.JS.

- most MUAs block possible malware, especially "executable" files, i.e. they dont allow to save these attachments;
- new files are not "executable" per default;
- mount -onoexec /home;
- SELinux or equivalents exist.
Anonymous

Posts
The reason why an "ignorant " user will click through and ignore warnings is because Windows encourages them to do so
Windows by default will hide file extensions. These malicious JS files will pretend to be a doc file to the user ( although the icon will be clearly displayed) Users do not rely on icons but file names to see what the file is.

A harried, busy small business user or consumer will always click to open ANYTHING that their antivirus doesn't detect. That is why we see so may infected users

The vast majority ignore warning from windows because they are fed up with them. UAC prompts are a particualr one that gets ignored or turned off, becaue theya re so common
DVK01

18 Posts Posts
> The reason why an "ignorant " user will click through and
> ignore warnings is because Windows encourages them to do so

I dont call 3 warnings an encouragement!

> Windows by default will hide file extensions. These malicious
> JS files will pretend to be a doc file to the user ( although
> the icon will be clearly displayed) Users do not rely on icons
> but file names to see what the file is.

Right. But they SHOULD notice the warnings!
JFTR: you have been warned.

> A harried, busy small business user or consumer will always
> click to open ANYTHING that their antivirus doesn't detect.
> That is why we see so may infected users

Which but clearly shows that antivirus is utterly useless.

> The vast majority ignore warning from windows because they are
> fed up with them. UAC prompts are a particualr one that gets
> ignored or turned off, becaue theya re so common

Neither UAC nor SRP/AppLocker can be turned off by a standard user!
As Brad wrote: SRP/AppLocker definitively stops (not only) this kind of malware.

Unless Microsoft creates only standard user accounts and enables SRP Windows is defective: in its default configuration it does not comply with the accepted technical standards (which in quite some countries is required by law and can be enforced legally) of "user/privilege separation" and "write^execute". Return this defective product to your local supplier and ask for a refund!
Anonymous

Posts
Brad
revisiting this topic because there is a massive increase again this Month ( October 2015) of fedex malspam with these JS atatchments. One thing that has not been mentioned anywhere else is the downloaded malware from the js file has an invalid/stolen/damaged digital signature
see http://myonlinesecurity.co.uk/fedex-international-next-flight-shipment-delivery-problem-js-malware/
Over the last month of so we have noticed many of the files having a invalid/stolen/damaged digital signature frequently from an antivirus company.


The interesting thing to note is that the 87761567.exe has a stolen digital signature from CJSC Computing Forces, which at least in Internet Explorer, Smart Filter warns about an invalid digital signature but does not block the file from being downloaded or run. However the malware file is originally downloaded as a .gif although it is an executable file. It does contain the damaged/invalid/stolen digital signature but smart screen does not alert on the signature inside a gif only on a .exe file. The fake gif that is downloaded is converted by the .js file to a .exe file, so if a user happens to see a gif being downloaded, they think it is a legitimate picture. If I download the .exe from MALWR I get the smart screen warning. If I download direct via a browser form the infected site as a gif, I do not get any smart screen warning. This is a risk for a user and something Microsoft needs to look at with smart screen.
DVK01

18 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!