SANS ISC: Internet Storm Center

A trip through the spam filters: more malspam with zip attachments containing .js files

Published: 2016-02-05
Last Updated: 2016-02-05 04:34:15 UTC
by Brad Duncan (Version: 1)

Introduction

I was discussing malicious spam (malspam) with a fellow security professional earlier this week.  He was examining malspam with zip attachments containing .js files.  This is something I've covered previously in ISC diaries [1, 2].  However, the traffic patterns he saw were somewhat different from what I've seen, so I figured it's time to revisit this type of malspam.

Details

This particular wave of .js malspam started on Wednesday 2016-02-03, and these emails were reported by My Online Security the same day [3].  We continued to see this malspam on Thursday 2016-02-04.

I found 13 messages with the following subject lines during the past two days:

  • Problem with the Order, Reference: #117931 
  • Problem with the Order, Reference: #469155 
  • Problem with Your Order, Reference: #543361 
  • Problem with Your Purchase, Reference: #629146 
  • Problem with Your Purchase, Reference: #913251 
  • Problems with the Purchase, Reference Number #568643 
  • Problems with Your Purchase, Reference Number #199837 
  • Problems with Your Purchase, Reference Number #797440 
  • Problems with Your Purchase, Reference: #113736 
  • Troubles with the Order, Reference: #719684 
  • Troubles with the Purchase, Reference Number #459991 
  • Troubles with the Purchase, Reference Number #529057 
  • Troubles with Your Order, Reference: #987848 

Attachment names were different for each of the 13 messages:

  • Ali Washington.zip
  • Cary Harris.zip
  • Dino Hayden.zip
  • Garth Porter.zip
  • Hans Fitzgerald.zip
  • Harold Walter.zip
  • Leonel Mcneil.zip
  • Marc Harding.zip
  • Nickolas Baldwin.zip
  • Romeo Wright.zip
  • Stanley Floyd.zip
  • Ted Fields.zip
  • Ward Shea.zip

Each attachment was a zip file containing a single .js file.  A .js file is typically launched by Windows Script Host (wscript.exe) when it is double-clicked on a Windows desktop.
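For mail-gateway or triage work, the pattern described above (a zip attachment whose member is a script that Windows Script Host will run) can be checked by opening the archive in memory and looking at the member extensions. The following is an added example, not code from the diary or from ISC; it builds a constructed sample message that mimics the diary's attachment layout (the subject line and attachment name are taken from the lists above, the script body is a harmless placeholder), then flags any zip attachment containing .js. The extra extensions beyond .js (.jse, .wsf, .vbs, .vbe) are an assumption on my part; they follow the same double-click launch path through wscript.exe.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host (wscript.exe) executes on double-click.
# .js is the extension from the diary; the rest are assumed additions with the same launch path.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}


def zip_members(data: bytes):
    """Return the member filenames of a zip held in memory; [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def flag_script_in_zip_attachments(raw_message: bytes):
    """Return (attachment name, member name) pairs for zip members that carry a scripting extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Inspect by content rather than trusting the .zip extension, so a renamed archive is still checked.
        for member in zip_members(payload):
            if os.path.splitext(member)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((name, member))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mimicking the diary's pattern: one zip attachment holding one .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed, harmless placeholder; the real samples are obfuscated downloaders.
        zf.writestr("Ali Washington.js", "// placeholder script body\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Problem with the Order, Reference: #117931"
    msg.set_content("Please see the attached order details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Ali Washington.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member in flag_script_in_zip_attachments(build_sample_message()):
        print(f"FLAG: {attachment} contains {member}")
```

The check reads the zip from memory with the standard library only, so it can be dropped into a milter or a mailbox-scanning script without unpacking anything to disk.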

The script in these .js files is highly obfuscated.  ISC Handler Xavier Mertens wrote a diary on how to examine these scripts [4]; however, I prefer to execute the .js files in a sandbox and see where the traffic takes us.

Traffic and malware

Each of the scripts tried to download and execute three malware items.  The HTTP requests were:

  • csonegame.com - GET /img/script.php?wndz1.jpg
  • csonegame.com - GET /img/script.php?wndz2.jpg
  • csonegame.com - GET /img/script.php?wndz3.jpg

I tried all 13 of the extracted .js files and saw the same URL patterns.

Unfortunately, by the time I ran these .js files, the malware was no longer available.

Fortunately, others had already run the malware through different online tools, and I was able to find all three items downloaded by the .js files.

  • script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE
  • script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE
  • script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE

Based on the callback traffic reported on the first sample, that file appears to be CryptoWall.  I haven't had the time to dig into the other two items.
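Two things in the traffic above are worth turning into detection logic: the request shape (a server-side .php script whose query string is nothing but an image-looking filename) and the fact that the "jpg" the server returns is actually a Windows executable. The following is an added example, not code from the diary or from ISC, and it generalizes past the single case shown: the regex flags any .php/.asp/.aspx request with an image-named query, not only csonegame.com. The proxy log lines are constructed in a minimal six-field format (the three csonegame.com requests and their byte counts reproduce the diary's values; the example.com lines are benign filler), and the PE header check works on a constructed byte string rather than any real sample.

```python
import re
import struct

# Constructed proxy log lines: "timestamp client method url status bytes".
# The three csonegame.com requests and sizes match the diary; the example.com lines are benign filler.
SAMPLE_LOG = """\
2016-02-04T10:15:01Z 10.0.0.12 GET http://csonegame.com/img/script.php?wndz1.jpg 200 261632
2016-02-04T10:15:02Z 10.0.0.12 GET http://csonegame.com/img/script.php?wndz2.jpg 200 163328
2016-02-04T10:15:03Z 10.0.0.12 GET http://csonegame.com/img/script.php?wndz3.jpg 200 86528
2016-02-04T10:16:10Z 10.0.0.15 GET http://www.example.com/img/logo.jpg 200 4096
2016-02-04T10:16:11Z 10.0.0.15 GET http://www.example.com/index.php?page=2 200 8192
"""

# A server-side script (.php/.asp/.aspx) whose entire query string is an image-looking filename.
# This is a generalization of the diary's "script.php?wndzN.jpg" pattern.
SCRIPT_WITH_IMAGE_QUERY = re.compile(
    r"https?://(?P<host>[^/\s]+)/[^\s?]*\.(?:php|asp|aspx)\?(?P<query>[\w.-]+\.(?:jpe?g|png|gif))$",
    re.IGNORECASE,
)


def find_suspicious_downloads(log_text: str):
    """Return (host, url, bytes) for GET lines whose URL matches the script-with-image-query pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[2] != "GET":
            continue
        url, size = fields[3], int(fields[5])
        match = SCRIPT_WITH_IMAGE_QUERY.search(url)
        if match:
            hits.append((match.group("host"), url, size))
    return hits


def looks_like_windows_exe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe_header() -> bytes:
    """Constructed minimal byte string with an MZ stub and a PE signature at offset 0x80 (not a runnable binary)."""
    header = bytearray(0x84)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    for host, url, size in find_suspicious_downloads(SAMPLE_LOG):
        print(f"suspicious download from {host}: {url} ({size} bytes)")
    print("constructed header is PE:", looks_like_windows_exe(build_fake_pe_header()))
```

On a real proxy that retains response bodies, pairing the URL match with the header check (a hit whose body starts with MZ instead of a JFIF/PNG signature) gives a much stronger signal than either alone, since legitimate image-serving scripts will return actual image bytes.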

Final words

The malspam and malware samples can be found here.  My thanks to Chris, who emailed me about this most recent wave of malspam.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[2] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[3] http://myonlinesecurity.co.uk/congratulations-your-order-has-been-shipped-out-parcel-441467-js-malware/
[4] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619/
