2015-09-16 update: Paul Burbage at PhishMe also published a write-up about this on Friday 2015-09-11 at: http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/

Introduction

On 2015-07-29, the ISC published a diary covering malicious spam (malspam) with zip archives of javascript (.js) files [1]. Since then, we've received notifications from others who have found this type of malspam. Let's revisit the spam filters, search for this type of email, and see if anything has changed.

Background

Although zipped .js attachments in malspam are nothing new, we noticed a significant increase since January 2015. This appears to be botnet-based malspam, and we've noticed different payloads as the second-stage download after running the .js file. A few points to make, before we proceed:

As long as your organization's network is administered correctly, there's no real chance of infection. Which begs a question: why do we still see this malspam every day? The answer? We assume enough people get infected that sending .js malspam remains profitable for the criminals behind this operation. Why else would we still see it?

The malspam

We searched our spam filters for the past week and found five different themes used for this malspam:
The ones we've discovered so far have all been plain-text messages with zip attachments containing .js files. They're fairly easy to identify.
Below are screenshots showing some of the themes we saw from this malspam during the past week.

We gathered eight malspam examples from the past few days. Details follow:

Date: Thursday, 2015-09-08 11:44 UTC
Date: Tuesday, 2015-09-08 23:38 UTC
Date: Thursday, 2015-09-10 07:45 UTC
Date: Saturday, 2015-09-12 21:52 UTC
Date: Monday, 2015-09-14 23:15 UTC
Date: Tuesday, 2015-09-15 06:03 UTC
Date: Tuesday, 2015-09-15 11:20 UTC
Date: Tuesday, 2015-09-15 13:03 UTC

The attachment

Extract the .js file from the zip archive, and you'll still find highly obfuscated javascript. Just like last time, this is merely a javascript-based file downloader. We executed several of the .js files on a Windows host so we could find URLs for the follow-up malware. Below is a Wireshark display of traffic we generated. IP addresses and domains hosting the follow-up malware were:

NOTE: Domains with ** hosted malware for other .js malspam, as noted in our previous diary covering this subject on 2015-07-29.

The traffic

We infected a Windows host in a lab environment with the most recent sample of .js malware, 00000106406.doc.js (MD5 hash: 0835c11379f639ec460bce73703cfe3a). This provided a full infection chain of traffic. Like last time, three .exe files were downloaded by the .js file. Post-infection traffic triggered alerts for Corebot, Miuref/Boaxxe, and Kovter.B malware.

Below are alerts on the infection traffic using Security Onion with the EmergingThreats signature set. HTTP GET requests for the three .exe files happened first. All were identified as .gif images in the HTTP response headers, but they were clearly executable files. Feel free to dig into the traffic for more details. A link to download the pcap is included in the final words for this diary.

The malware

Below are samples of .exe files downloaded to our infected lab host:

File name: 2015-09-15-js-malware-first-download.exe
File name: 2015-09-15-js-malware-second-download.exe
File name: 2015-09-15-js-malware-third-download.exe
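Two checks a defender can automate from the behaviour described in this diary, written here as an added example rather than code from the ISC or the diary's author: a mail-gateway check for zip attachments carrying a .js entry with a decoy double extension (the 00000106406.doc.js pattern), and a check that flags an HTTP response declaring image/gif whose body actually starts with a PE header. The extension lists are assumptions chosen for the example, and the zip archive and HTTP responses are constructed inline, not taken from the diary's samples or pcap.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example: extensions Windows Script Host runs on
# double-click, and "document" extensions used as decoys in double-extension
# names such as 00000106406.doc.js from the diary.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}

def inspect_zip(data: bytes) -> list:
    """Return one finding per archive entry whose final extension is a script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            findings.append({
                "entry": info.filename,
                "extension": suffixes[-1],
                "double_extension": len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS,
            })
    return findings

def check_response(raw: bytes) -> dict:
    """Flag a response whose declared image Content-Type carries a PE file."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    if body.startswith((b"GIF87a", b"GIF89a")):
        actual = "gif"
    elif body.startswith(b"MZ"):                  # DOS/PE header magic
        actual = "pe"
    else:
        actual = "unknown"
    return {"declared": declared.decode(), "actual": actual,
            "suspicious": declared.startswith(b"image/") and actual == "pe"}

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the diary's attachment naming."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("00000106406.doc.js", "// placeholder, not the real downloader\n")
        zf.writestr("readme.txt", "harmless\n")
    return buf.getvalue()

# Constructed responses: a PE served as image/gif, and a genuine GIF.
FAKE_GIF = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nMZ\x90\x00" + b"\x00" * 60
REAL_GIF = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a" + b"\x00" * 10
```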
Final words

We haven't noticed any significant change after comparing this malspam to our previous diary about it on 2015-07-29. Assuming people continue to get infected by the malspam, we will likely continue to see it caught by our spam filters. Most spam filters prevent these messages from getting to their intended recipients, but filters are never a foolproof method. As botnets continue trying to flood the world's inboxes with malicious content, we should always remain aware of the current threat landscape.

Below are links for the associated files.

A .csv spreadsheet with some dates, times (CDT), senders, and subject lines of the malspam for this diary:
A zip archive containing eight sanitized examples of the malspam (.eml files) used for this diary:
A pcap of the 2015-09-15 infection traffic:
A zip archive of the associated malware:

The zip archives are password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---

References:

Brad, ISC Handler, Sep 16th 2015
Just a minor correction in that Java is not required to be installed to execute the .js downloader, but instead is typically launched by Windows Script Host (wscript.exe) when the .js file is double-clicked.

-- Deepfreeze, Sep 16th 2015
Thanks, Deepfreeze.

You'll find the diary revised as we speak. Someone else also pointed that out to me earlier, so I updated it. I'd been getting Java mixed up with JavaScript and the Windows Script Host (should've known better). Thanks again, - Brad

-- Brad, ISC Handler, Sep 16th 2015
We've seen fake job applications, with the supposed CV attached. We do block .JS files (even inside .ZIP) - but they sometimes come inside .HTML files and they can be harder to filter as there are a lot of reports in .HTML file format going around.

It really must be hard for the HR staff to sift through the "jobs@" / "career@" mailboxes to find gold amidst all the rubble and malicious content.

-- dotBATman, Sep 16th 2015
You forgot two (or three) more points why an infection requires a REALLY ignorant user:

* Windows displays a warning when the user double-clicks the *.ZIP since the attachment manager (introduced about 11 years ago with XP SP2, see https://support.microsoft.com/en-us/kb/883260) adds a mark-of-the-web alias "zone identifier" (see http://blogs.msdn.com/b/ieinternals/archive/2012/06/20/loading-local-files-in-enhanced-protected-mode-in-internet-explorer-10.aspx, http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx or http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx) when the *.ZIP is stored on disk;
* Windows displays another warning when the user tries to extract files from a *.ZIP with a mark-of-the-web;
* Windows displays a third warning when the user double-clicks the extracted *.JS since this too carries a mark-of-the-web.

-- Anonymous, Sep 16th 2015
Very good article Brad. Always learn from you.

Spam emails are also part of my research. Few things I always look for:

1. Sender domain
2. Language and grammar of the email.
3. Attachment names

After that the investigation starts using tools such as Wireshark, Security Onion etc. I am still learning and your blogs always help.

@Anonymous - humans are the highest threat to an organisation and can easily be manipulated due to lack of education or awareness. I believe this is not their ignorance however fear/paranoia that they may have made a mistake unknowingly or been victim of a crime such as your credit card has been used. As security or cyber attack news have been pounded on the people, it is obvious that in the name of being safe they tend to go towards non-safe. And not all are Windows users.

-- makflwana, Sep 17th 2015
Just to add: Sanesecurity.Malware.25668.JsHeur is now picking these up using ClamAV 3rd party signatures.

Thanks for the samples. Cheers, Steve Sanesecurity.com

-- Sanesecurity, Sep 17th 2015
"And not all are windows users."

Since the malspam targets only Windows and Brad enumerated some of the obstacles provided there, but forgot three in his enumeration, I felt free to add them. JFTR: there are similar obstacles for users of other operating systems to overcome when they want to execute a *.JS.

- most MUAs block possible malware, especially "executable" files, i.e. they don't allow to save these attachments;
- new files are not "executable" per default;
- mount -onoexec /home;
- SELinux or equivalents exist.

-- Anonymous, Sep 17th 2015
The reason why an "ignorant" user will click through and ignore warnings is because Windows encourages them to do so.

Windows by default will hide file extensions. These malicious JS files will pretend to be a doc file to the user (although the icon will be clearly displayed). Users do not rely on icons but file names to see what the file is. A harried, busy small business user or consumer will always click to open ANYTHING that their antivirus doesn't detect. That is why we see so many infected users. The vast majority ignore warnings from Windows because they are fed up with them. UAC prompts are a particular one that gets ignored or turned off, because they are so common.

-- DVK01, Sep 18th 2015
> The reason why an "ignorant" user will click through and
> ignore warnings is because Windows encourages them to do so

I don't call 3 warnings an encouragement!

> Windows by default will hide file extensions. These malicious
> JS files will pretend to be a doc file to the user (although
> the icon will be clearly displayed). Users do not rely on icons
> but file names to see what the file is.

Right. But they SHOULD notice the warnings! JFTR: you have been warned.

> A harried, busy small business user or consumer will always
> click to open ANYTHING that their antivirus doesn't detect.
> That is why we see so many infected users

Which but clearly shows that antivirus is utterly useless.

> The vast majority ignore warnings from Windows because they are
> fed up with them. UAC prompts are a particular one that gets
> ignored or turned off, because they are so common

Neither UAC nor SRP/AppLocker can be turned off by a standard user! As Brad wrote: SRP/AppLocker definitively stops (not only) this kind of malware. Unless Microsoft creates only standard user accounts and enables SRP, Windows is defective: in its default configuration it does not comply with the accepted technical standards (which in quite some countries are required by law and can be enforced legally) of "user/privilege separation" and "write^execute". Return this defective product to your local supplier and ask for a refund!

-- Anonymous, Sep 18th 2015
Brad,

revisiting this topic because there is a massive increase again this month (October 2015) of FedEx malspam with these JS attachments. One thing that has not been mentioned anywhere else is that the downloaded malware from the .js file has an invalid/stolen/damaged digital signature, see http://myonlinesecurity.co.uk/fedex-international-next-flight-shipment-delivery-problem-js-malware/

Over the last month or so we have noticed many of the files having an invalid/stolen/damaged digital signature, frequently from an antivirus company. The interesting thing to note is that the 87761567.exe has a stolen digital signature from CJSC Computing Forces, which at least in Internet Explorer, SmartScreen Filter warns about an invalid digital signature but does not block the file from being downloaded or run. However the malware file is originally downloaded as a .gif although it is an executable file. It does contain the damaged/invalid/stolen digital signature but SmartScreen does not alert on the signature inside a gif, only on a .exe file. The fake gif that is downloaded is converted by the .js file to a .exe file, so if a user happens to see a gif being downloaded, they think it is a legitimate picture. If I download the .exe from MALWR I get the SmartScreen warning. If I download direct via a browser from the infected site as a gif, I do not get any SmartScreen warning. This is a risk for a user and something Microsoft needs to look at with SmartScreen.

-- DVK01, Oct 4th 2015