Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Mon, Aug 29th):Block ZIPped Javascript Now!

Latest Diaries

Spam with Obfuscated Javascript

Published: 2016-08-28
Last Updated: 2016-08-28 22:07:38 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

We all receive spam of all kind, some with malicious URL and other with strange files attachments. This week we have been receiving several java scripts as email attachments and most of them with malicious intent. I picked one of the many files received and (after unzipping the file twice) checked the MD5 hash in Virustotal, this file was never submitted. The script is well obfuscated but after submitting the sample to Virustotal, it shows this javascript as JS/Nemucod and is used to download ransomware and information stealing malware.

5042.js Javascript Partial Snapshot

Using this javascript beautifier[5], it help make some sense of what this script is attempting to do. It is now much easier read the script and see the variables:

Some ways to protect against malicious email attachments:

- First step is to verify what your organization allows through the enterprise anti-malware gateway
- Delete or report to the security team any attachments which contains .exe but there are other files that can be malicious such as  .bat, .cmd, .com, .cpl, .hta, .jar, .js, .msi, .pif, .reg. This list is not exhaustive
- Office or PDF documents received from unknown senders, they could contain malware
- Fake extensions or "double extensions" (i.e. .exe.jpg)

Last, obviously, nothing is foolproof, if unsure ask your security team to check the file.

[1] https://www.virustotal.com/en/file/1f7b32e6db703817cab6c2f7cb8874d17af9d707ce17579dc30aee2cdadf082f/analysis/1472406596/
[2] d4f9a9841d0b369dfe1a9a7f2f71a14e  crlxa15dd4e.zip
[2] d1c5211c76b35b1bbc1b51b36a34228d  5042.zip
[3] 8f690b5b5e2be8d242bf48dad4e2038e  5042.js
[4] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
[5] http://jsbeautifier.org/
[6] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Another Day - Another Ransomware Sample
2 days ago by Dr. J. (1 comment)

Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities
3 days ago by Xme (0 comments)

Example of Targeted Attack Through a Proxy PAC File
3 days ago by Xme (6 comments)

New VMware Patches VMSA-2016-0009.4 VMSA-2016-0013 http://www.vmware.com/security/advisories.html
4 days ago by Tom (0 comments)

Stay on Track During IR
4 days ago by Tom (2 comments)

Voice Message Notifications Deliver Ransomware
5 days ago by Xme (5 comments)

Red Team Tools Updates: hashcat and SpiderFoot
6 days ago by Russ McRee (0 comments)

View All Diaries →

Latest Discussions

New telnet attack? command injection against telnet...
created 4 days ago by EricWedaa (2 replies)

SWIFT frauds
created 4 days ago by RAJASEKHARAN (0 replies)

IS Audit of DC and DR
created 4 days ago by RAJASEKHARAN (0 replies)

Unix/Linux servers
created 4 days ago by RAJASEKHARAN (0 replies)

AliExpress being used as C&C for DoS?
created 1 week ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
6 months ago by Dr. J. (25 comments)

Data Classification For the Masses
1 week ago by Xme (14 comments)

An Approach to Vulnerability Management
2 months ago by Russell (13 comments)

Using File Entropy to Identify "Ransomwared" Files
3 weeks ago by Rob VandenBrink (2 comments)

Voice Message Notifications Deliver Ransomware
5 days ago by Xme (5 comments)