Malicious spam with zip attachments containing .js files

Malicious spam with zip attachments containing .js files
2015-09-16 update: Paul Burbage at Phish Me also published a write-up about this on Friday 2015-09-11 at: http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/ Introduction On 2015-07-29, the ISC published a diary covering malicious spam (malspam) with zip archives of javascript (.js) files [1]. Since then, we've received notifications from others who have found this type of malspam. Let's revisit the spam filters, search for this type of email, and see if anything has changed. Background Although zipped .js attachments in malspam is nothing new, we noticed a significant increase since January 2015. This appears to be botnet-based malspam, and we've noticed different payloads as the second-stage download after running the .js file. A few points to make, before we proceed: This malspam appears to target Windows computers. The extracted file is Javascript-based, and the infection requires user action. The user must open the zip attachment, extract the .js file, and manually run the .js file. A properly-administered Windows host using software restriction policies should prevent an infection. A properly-administered spam filter will prevent this type of malspam from reaching the recipient's inbox. As long as your organization's network is administered correctly, there's no real chance of infection. Which begs a question. Why do we still see this malspam every day? The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it? The malspam We searched our spam filters for the past week and found five different themes used for this malspam: American Airline e-tickets Charge for driving on a toll road FedEx delivery notification IRS tax refunds Notices to appear in court The ones we've discovered so far have all been plain-text messages with zip attachments containing .js files. They're fairly easy to identify. Shown above: A list of some .js malspam caught by our spam filters during the past few days. Below are screenshots showing some of the themes we saw from this malspam during the past week: We gathered eight malspam examples from the past few days. Details follow: Date: Thursday, 2015-09-08 11:44 UTC From: E-ZPass Manager ( arnold.savage@199.195.117.231.static.a2webhosting.com ) Subject: Payment for driving on toll road, invoice #00000893738 Attachment: E-ZPass_00000893738.zip - MD5 hash: 687141bd2a548889cd2cd7c59c5cd425 Extracted file: E-ZPass_00000893738.doc.js - MD5 hash: e1d4b1ec9717ae9aed02c1c5395ffc1b Date: Tuesday, 2015-09-08 23:38 UTC From: FedEx Ground ( armando.madden@liastudio.ru ) Subject: Courier was unable to deliver the parcel, ID00524666 Attachment: Delivery_Notification_00524666.zip - MD5 hash: 06868d58f113c9b746acfbf51b25b1a8 Extracted file: Delivery_Notification_00524666.doc.js - MD5 hash: 1ad9f4f8e051fa5bada2c1b57dbc5c24 Date: Thursday, 2015-09-10 07:45 UTC From: District Court ( glen.bartlett@judcred.org.br ) Subject: Notice of appearance in Court #00000516375 Attachment: 00000516375.zip - MD5 hash: 2403b4b255ca3b84e0ff4fd43b8b6c99 Extracted file: 00000516375.doc.js - MD5 hash: 06b5e08e8c943d8440baf4148bd2b14f Date: Saturday, 2015-09-12 21:52 UTC From: America Airlines ( orders@aa.com ) - spoofed sender Subject: Ticket information regarding your order #000735142 Attachment: 00735142.zip - MD5 hash: 85605e67e3afdfc2b9d8d0864b1f0891 Extracted file: 000735142.doc.js - MD5 hash: b4a2d86ee289780ea42882bdcfbf22c8 Date: Monday, 2015-09-14 23:15 UTC From: Internal Revenue Service ( office@irs.gov ) - spoofed sender Subject: New payment for tax refund #0000333948 Attachment: Refund_Payment_Details_0000333948.zip - MD5 hash: 54f889567831ed6ae987ef7afb225796 Extracted file: Refund_Payment_Details_0000333948.doc.js - MD5 hash: 733d87c6703bcaf2639a08bb7a011e3e Date: Tuesday, 2015-09-15 06:03 UTC From: ( quadernc@webhosting1100.interserver.net ) on behalf of Internal Revenue Service ( office@irs.gov ) Subject: New payment for tax refund #000346071 Attachment: Refund_Payment_Details_000346071.zip - MD5 hash: 774e8165338e3d06b7bf192951308148 Extracted file: Refund_Payment_Details_000346071.doc.js - MD5 hash: 5483e0b8a4ef2ade0f5b1e0d085ef2a3 Date: Tuesday, 2015-09-15 11:20 UTC From: Internal Revenue Service ( office@irs.gov ) - spoofed sender Subject: Payment for tax refund #000200199 Attachment: Tax_Refund_000200199.zip - MD5 hash: 652a1bf18ef1a914cbbe91fde63c98d6 Extracted file: Tax_Refund_000200199.doc.js - MD5 hash: ec3de6bcb421d482242d95b055f49ce0 Date: Tuesday, 2015-09-15 13:03 UTC From: Internal Revenue Service ( office@irs.gov ) - spoofed sender Subject: Payment for tax refund #00000106406 Attachment: 00000106406.zip - MD5 hash: 079c91fce37f0b2ec37178795455e43a Extracted file: 00000106406.doc.js - MD5 hash: 0835c11379f639ec460bce73703cfe3a *The attachment* Extract the .js file from the zip archive, and you'll still find highly-obfuscated javascript. Just like last time, this is merely a javascript-based file downloader. We executed several of the .js files on a Windows host so we could find URLs for the follow-up malware. Below is a Wireshark display of traffic we generated. IP addresses and domains hosting the follow-up malware were: 64.239.115.111 - 64.239.115.111 (no domain name) 67.195.61.46 - ayuso-arch.com 66.147.242.176 - bisstt.com 199.175.49.19 - crossfitrepscheme.com 72.20.64.58 - dickinsonwrestlingclub.com 174.36.231.69 - dominaeweb.com 96.31.36.46 - idsecurednow.com 50.116.104.205 - ihaveavoice2.com 208.43.65.115 - laterrazzafiorita.it 76.74.242.190 - les-eglantiers.fr 23.91.123.160 - leikkihuone.com 174.137.191.22 - selmaryachtmarket.com 69.89.31.73 - syscomm.smartlanka.net NOTE: Domains with hosted malware for other .js malspam as noted in our previous diary covering this subject on 2015-07-29. The traffic We infected a Windows host in a lab environment with the most recent sample of .js malware, 00000106406.doc.js (MD5 hash: 0835c11379f639ec460bce73703cfe3a). This provided a full infection chain of traffic. Like last time, three .exe files were downloaded by the .js file. Post infection traffic triggered alerts for Corebot, Miuref/Boaxxe, and Kovter.B malware. Click on the above image for a full-size view. Below are alerts on the infection traffic using Security Onion with the EmergingThreats signature set. HTTP GET requests for the three .exe files happened first. All were identified as .gif images in the HTTP response headers, but they were clearly executable files. Feel free to dig into the traffic for more details. A link to download the pcap is included in the final words for this diary. *The malware* Below are samples of .exe files downloaded to our infected lab host: File name: 2015-09-15-js-malware-first-download.exe File size: 305.0 KB ( 312,360 bytes ) MD5 hash: 41959be39cf634fa4344396940d680c7 SHA1 hash: a4c6b301e62a67ba28d2ae4347093c80c25dac89 SHA256 hash: 462a93d028eca2e116cf8818f6b299adba372895eeffb71f7ffbd95347f939fe Detection ratio: 12 / 56 Virus Total link - Malwr.com link - Hybrid-analysis link File name: 2015-09-15-js-malware-second-download.exe File size: 127.6 KB ( 130,680 bytes ) MD5 hash: 56451b5b6ff6f9cbfeb221b80943f75f SHA1 hash: 298bc25dc9a55590ae002b255b384c478163d0c8 SHA256 hash: 853b50ac132100c8176229d5144716b8b86033293bce4064ecfd7107cea8e3ec Detection ratio: 0 / 56 Virus Total link - Malwr.com link - Hybrid-analysis link File name: 2015-09-15-js-malware-third-download.exe File size: 453.5 KB ( 464,384 bytes ) MD5 hash: 6b83ab0582fb59e89c090ec91b31db7a SHA1 hash: 06a8713fe2dacfc0d59345b0a3317154a961a68b SHA256 hash: d567404c7ec78e23a5661fbc242d15107f9327a810ffc241c338e39487448979 Detection ratio: 3 / 56 Virus Total link - Malwr.com link - Hybrid-analysis link Final words We haven't noticed any significant change after comparing this malspam to our previous diary about it on 2015-07-29. Assuming people continue to get infected by the malspam, we will likely continue to see it caught by our spam filters. Most spam filters prevent these messages from getting to their intended recipients, but filters are never a full-proof method. As botnets continue trying to flood the world's inboxes with malicious content, we should always remain aware of the current threat landscape. Below are links for the associated files. A .csv spreadsheet with some dates, times (CDT), senders, and subject lines of the malspam for this diary: http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-malspam-tracking.csv A zip archive containing eight sanitized examples of the malspam (.eml files) used for this diary: http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-eight-malspam-examples.zip A pcap of the 2015-09-15 infection traffic: http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-malspam-infection-traffic.pcap A zip archive of the associated malware: http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-associated-malware.zip The zip archives are password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask. --- Brad Duncan Security Researcher at Rackspace Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic References: [1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/	Brad 436 Posts ISC Handler Sep 16th 2015
Thread locked Subscribe	Sep 16th 2015 6 years ago
Just a minor correction in that Java is not required to be installed to execute the .js downloader, but instead is typically launched by Windows Script Host (wscript.exe) when the .js file is double-clicked.	Deepfreeze 1 Posts
Quote	Sep 16th 2015 6 years ago
Thanks, Deepfreeze. You'll find the diary revised as we speak. Someone else also pointed that out to me earlier, so I updated it. I'd been getting java mixed up with Javascript and the Windows script host (should've known better). Thanks again, - Brad	Brad 436 Posts ISC Handler
Quote	Sep 16th 2015 6 years ago
We've seen fake job applications, with the supposed CV attached. We do block .JS files (even inside .ZIP) - but they sometimes come inside .HTML files and they can be harder to filter as there are a lot of reports in .HTML file format going around. It really must be hard for the HR staff to sift through the "jobs@" / "career@" mailboxes to find gold amidst all the rubble and malicious content.	dotBATman 70 Posts
Quote	Sep 16th 2015 6 years ago
You forgot two (or three) more points why an infection requires a REALLY ignorant user: * Windows displays a warning when the user double-clicks the .ZIP since the attachment manager (introduced about 11 years ago with XP SP2, see https://support.microsoft.com/en-us/kb/883260) adds a mark-of-the-web alias "zone identifier" (see http://blogs.msdn.com/b/ieinternals/archive/2012/06/20/loading-local-files-in-enhanced-protected-mode-in-internet-explorer-10.aspx, http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx or http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx) when the .ZIP is stored on disk; * Windows displays another warning when the user tries to extract files from a .ZIP with a mark-of-the-web; Windows displays a third warning when the user double-clicks the extracted *.JS since this too carries a mark-of-the-web.	Anonymous
Quote	Sep 16th 2015 6 years ago
Very good article Brad. Always learn from you. Spam emails are also part of my research. Few things I always look for : 1. Sender domain 2. Language and grammar of the email. 3. Attachment names After than the investigation starts using tools such as wireshark, security onion etc. I am still learning and your blogs always helps. @Anonymous - humans is the highest threat to an organisation and can easily be manipulated due to lack of education or awareness. I believe this is not their ignorance however fear/paranoia that they may have made a mistake unknowingly or victim of a crime such as your credit card has been used. As security or cyber attack news have been pounded on the people, it is obvious that in the name of being safe they tend to go towards non-safe. And not all are windows users.	makflwana 17 Posts
Quote	Sep 17th 2015 6 years ago
Just to add: Sanesecurity.Malware.25668.JsHeur is now picking these up using ClamAV 3rd party signatures. Thanks for the samples. Cheers, Steve Sanesecurity.com	Sanesecurity 21 Posts
Quote	Sep 17th 2015 6 years ago
"And not all are windows users." Since the malspam targets only Windows and Brad enumerated some of the obstacles provided there, but forgot three in his enumeration, I felt free to add them. JFTR: there a similar obstacles for users of other operating systems to overcome when they want to execute a *.JS. - most MUAs block possible malware, especially "executable" files, i.e. they dont allow to save these attachments; - new files are not "executable" per default; - mount -onoexec /home; - SELinux or equivalents exist.	Anonymous
Quote	Sep 17th 2015 6 years ago
The reason why an "ignorant " user will click through and ignore warnings is because Windows encourages them to do so Windows by default will hide file extensions. These malicious JS files will pretend to be a doc file to the user ( although the icon will be clearly displayed) Users do not rely on icons but file names to see what the file is. A harried, busy small business user or consumer will always click to open ANYTHING that their antivirus doesn't detect. That is why we see so may infected users The vast majority ignore warning from windows because they are fed up with them. UAC prompts are a particualr one that gets ignored or turned off, becaue theya re so common	DVK01 21 Posts
Quote	Sep 18th 2015 6 years ago
> The reason why an "ignorant " user will click through and > ignore warnings is because Windows encourages them to do so I dont call 3 warnings an encouragement! > Windows by default will hide file extensions. These malicious > JS files will pretend to be a doc file to the user ( although > the icon will be clearly displayed) Users do not rely on icons > but file names to see what the file is. Right. But they SHOULD notice the warnings! JFTR: you have been warned. > A harried, busy small business user or consumer will always > click to open ANYTHING that their antivirus doesn't detect. > That is why we see so may infected users Which but clearly shows that antivirus is utterly useless. > The vast majority ignore warning from windows because they are > fed up with them. UAC prompts are a particualr one that gets > ignored or turned off, becaue theya re so common Neither UAC nor SRP/AppLocker can be turned off by a standard user! As Brad wrote: SRP/AppLocker definitively stops (not only) this kind of malware. Unless Microsoft creates only standard user accounts and enables SRP Windows is defective: in its default configuration it does not comply with the accepted technical standards (which in quite some countries is required by law and can be enforced legally) of "user/privilege separation" and "write^execute". Return this defective product to your local supplier and ask for a refund!	Anonymous
Quote	Sep 18th 2015 6 years ago
Brad revisiting this topic because there is a massive increase again this Month ( October 2015) of fedex malspam with these JS atatchments. One thing that has not been mentioned anywhere else is the downloaded malware from the js file has an invalid/stolen/damaged digital signature see http://myonlinesecurity.co.uk/fedex-international-next-flight-shipment-delivery-problem-js-malware/ Over the last month of so we have noticed many of the files having a invalid/stolen/damaged digital signature frequently from an antivirus company. The interesting thing to note is that the 87761567.exe has a stolen digital signature from CJSC Computing Forces, which at least in Internet Explorer, Smart Filter warns about an invalid digital signature but does not block the file from being downloaded or run. However the malware file is originally downloaded as a .gif although it is an executable file. It does contain the damaged/invalid/stolen digital signature but smart screen does not alert on the signature inside a gif only on a .exe file. The fake gif that is downloaded is converted by the .js file to a .exe file, so if a user happens to see a gif being downloaded, they think it is a legitimate picture. If I download the .exe from MALWR I get the smart screen warning. If I download direct via a browser form the infected site as a gif, I do not get any smart screen warning. This is a risk for a user and something Microsoft needs to look at with smart screen.	DVK01 21 Posts
Quote	Oct 4th 2015 6 years ago

2015-09-16 update: Paul Burbage at Phish Me also published a write-up about this on Friday 2015-09-11 at: http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/

Introduction

On 2015-07-29, the ISC published a diary covering malicious spam (malspam) with zip archives of javascript (.js) files [1]. Since then, we've received notifications from others who have found this type of malspam. Let's revisit the spam filters, search for this type of email, and see if anything has changed.

Background

Although zipped .js attachments in malspam is nothing new, we noticed a significant increase since January 2015. This appears to be botnet-based malspam, and we've noticed different payloads as the second-stage download after running the .js file.

A few points to make, before we proceed:

This malspam appears to target Windows computers.
The extracted file is Javascript-based, and the infection requires user action.
The user must open the zip attachment, extract the .js file, and manually run the .js file.
A properly-administered Windows host using software restriction policies should prevent an infection.
A properly-administered spam filter will prevent this type of malspam from reaching the recipient's inbox.

As long as your organization's network is administered correctly, there's no real chance of infection. Which begs a question. Why do we still see this malspam every day?

The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it?

The malspam

We searched our spam filters for the past week and found five different themes used for this malspam:

American Airline e-tickets
Charge for driving on a toll road
FedEx delivery notification
IRS tax refunds
Notices to appear in court

The ones we've discovered so far have all been plain-text messages with zip attachments containing .js files. They're fairly easy to identify.

Shown above: A list of some .js malspam caught by our spam filters during the past few days.

Below are screenshots showing some of the themes we saw from this malspam during the past week:

We gathered eight malspam examples from the past few days. Details follow:

Date: Thursday, 2015-09-08 11:44 UTC
From: E-ZPass Manager ( arnold.savage@199.195.117.231.static.a2webhosting.com )
Subject: Payment for driving on toll road, invoice #00000893738
Attachment: E-ZPass_00000893738.zip - MD5 hash: 687141bd2a548889cd2cd7c59c5cd425
Extracted file: E-ZPass_00000893738.doc.js - MD5 hash: e1d4b1ec9717ae9aed02c1c5395ffc1b

Date: Tuesday, 2015-09-08 23:38 UTC
From: FedEx Ground ( armando.madden@liastudio.ru )
Subject: Courier was unable to deliver the parcel, ID00524666
Attachment: Delivery_Notification_00524666.zip - MD5 hash: 06868d58f113c9b746acfbf51b25b1a8
Extracted file: Delivery_Notification_00524666.doc.js - MD5 hash: 1ad9f4f8e051fa5bada2c1b57dbc5c24

Date: Thursday, 2015-09-10 07:45 UTC
From: District Court ( glen.bartlett@judcred.org.br )
Subject: Notice of appearance in Court #00000516375
Attachment: 00000516375.zip - MD5 hash: 2403b4b255ca3b84e0ff4fd43b8b6c99
Extracted file: 00000516375.doc.js - MD5 hash: 06b5e08e8c943d8440baf4148bd2b14f

Date: Saturday, 2015-09-12 21:52 UTC
From: America Airlines ( orders@aa.com ) - spoofed sender
Subject: Ticket information regarding your order #000735142
Attachment: 00735142.zip - MD5 hash: 85605e67e3afdfc2b9d8d0864b1f0891
Extracted file: 000735142.doc.js - MD5 hash: b4a2d86ee289780ea42882bdcfbf22c8

Date: Monday, 2015-09-14 23:15 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: New payment for tax refund #0000333948
Attachment: Refund_Payment_Details_0000333948.zip - MD5 hash: 54f889567831ed6ae987ef7afb225796
Extracted file: Refund_Payment_Details_0000333948.doc.js - MD5 hash: 733d87c6703bcaf2639a08bb7a011e3e

Date: Tuesday, 2015-09-15 06:03 UTC
From: ( quadernc@webhosting1100.interserver.net ) on behalf of Internal Revenue Service ( office@irs.gov )
Subject: New payment for tax refund #000346071
Attachment: Refund_Payment_Details_000346071.zip - MD5 hash: 774e8165338e3d06b7bf192951308148
Extracted file: Refund_Payment_Details_000346071.doc.js - MD5 hash: 5483e0b8a4ef2ade0f5b1e0d085ef2a3

Date: Tuesday, 2015-09-15 11:20 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #000200199
Attachment: Tax_Refund_000200199.zip - MD5 hash: 652a1bf18ef1a914cbbe91fde63c98d6
Extracted file: Tax_Refund_000200199.doc.js - MD5 hash: ec3de6bcb421d482242d95b055f49ce0

Date: Tuesday, 2015-09-15 13:03 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #00000106406
Attachment: 00000106406.zip - MD5 hash: 079c91fce37f0b2ec37178795455e43a
Extracted file: 00000106406.doc.js - MD5 hash: 0835c11379f639ec460bce73703cfe3a

The attachment

Extract the .js file from the zip archive, and you'll still find highly-obfuscated javascript. Just like last time, this is merely a javascript-based file downloader.

We executed several of the .js files on a Windows host so we could find URLs for the follow-up malware. Below is a Wireshark display of traffic we generated.

IP addresses and domains hosting the follow-up malware were:

64.239.115.111 - 64.239.115.111 (no domain name)
67.195.61.46 - ayuso-arch.com **
66.147.242.176 - bisstt.com
199.175.49.19 - crossfitrepscheme.com
72.20.64.58 - dickinsonwrestlingclub.com
174.36.231.69 - dominaeweb.com
96.31.36.46 - idsecurednow.com
50.116.104.205 - ihaveavoice2.com **
208.43.65.115 - laterrazzafiorita.it
76.74.242.190 - les-eglantiers.fr
23.91.123.160 - leikkihuone.com
174.137.191.22 - selmaryachtmarket.com **
69.89.31.73 - syscomm.smartlanka.net

NOTE: Domains with ** hosted malware for other .js malspam as noted in our previous diary covering this subject on 2015-07-29.

The traffic

We infected a Windows host in a lab environment with the most recent sample of .js malware, 00000106406.doc.js (MD5 hash: 0835c11379f639ec460bce73703cfe3a). This provided a full infection chain of traffic. Like last time, three .exe files were downloaded by the .js file. Post infection traffic triggered alerts for Corebot, Miuref/Boaxxe, and Kovter.B malware.

Click on the above image for a full-size view.

Below are alerts on the infection traffic using Security Onion with the EmergingThreats signature set.

HTTP GET requests for the three .exe files happened first. All were identified as .gif images in the HTTP response headers, but they were clearly executable files.

Feel free to dig into the traffic for more details. A link to download the pcap is included in the final words for this diary.

The malware

Below are samples of .exe files downloaded to our infected lab host:

File name: 2015-09-15-js-malware-first-download.exe

File size: 305.0 KB ( 312,360 bytes )
MD5 hash: 41959be39cf634fa4344396940d680c7
SHA1 hash: a4c6b301e62a67ba28d2ae4347093c80c25dac89
SHA256 hash: 462a93d028eca2e116cf8818f6b299adba372895eeffb71f7ffbd95347f939fe
Detection ratio: 12 / 56
Virus Total link - Malwr.com link - Hybrid-analysis link

File name: 2015-09-15-js-malware-second-download.exe

File size: 127.6 KB ( 130,680 bytes )
MD5 hash: 56451b5b6ff6f9cbfeb221b80943f75f
SHA1 hash: 298bc25dc9a55590ae002b255b384c478163d0c8
SHA256 hash: 853b50ac132100c8176229d5144716b8b86033293bce4064ecfd7107cea8e3ec
Detection ratio: 0 / 56
Virus Total link - Malwr.com link - Hybrid-analysis link

File name: 2015-09-15-js-malware-third-download.exe

File size: 453.5 KB ( 464,384 bytes )
MD5 hash: 6b83ab0582fb59e89c090ec91b31db7a
SHA1 hash: 06a8713fe2dacfc0d59345b0a3317154a961a68b
SHA256 hash: d567404c7ec78e23a5661fbc242d15107f9327a810ffc241c338e39487448979
Detection ratio: 3 / 56
Virus Total link - Malwr.com link - Hybrid-analysis link

Final words

We haven't noticed any significant change after comparing this malspam to our previous diary about it on 2015-07-29. Assuming people continue to get infected by the malspam, we will likely continue to see it caught by our spam filters.

Most spam filters prevent these messages from getting to their intended recipients, but filters are never a full-proof method. As botnets continue trying to flood the world's inboxes with malicious content, we should always remain aware of the current threat landscape.

Below are links for the associated files.

A .csv spreadsheet with some dates, times (CDT), senders, and subject lines of the malspam for this diary:

http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-malspam-tracking.csv

A zip archive containing eight sanitized examples of the malspam (.eml files) used for this diary:

http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-eight-malspam-examples.zip

A pcap of the 2015-09-15 infection traffic:

http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-malspam-infection-traffic.pcap

A zip archive of the associated malware:

http://malware-traffic-analysis.net/2015/09/16/2015-09-16-ISC-diary-associated-malware.zip

The zip archives are password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/

Brad

436 Posts
ISC Handler

Sep 16th 2015

Just a minor correction in that Java is not required to be installed to execute the .js downloader, but instead is typically launched by Windows Script Host (wscript.exe) when the .js file is double-clicked.

Deepfreeze

1 Posts

Thanks, Deepfreeze.

You'll find the diary revised as we speak. Someone else also pointed that out to me earlier, so I updated it. I'd been getting java mixed up with Javascript and the Windows script host (should've known better).

Thanks again,

- Brad

Brad

436 Posts
ISC Handler

We've seen fake job applications, with the supposed CV attached. We do block .JS files (even inside .ZIP) - but they sometimes come inside .HTML files and they can be harder to filter as there are a lot of reports in .HTML file format going around.

It really must be hard for the HR staff to sift through the "jobs@" / "career@" mailboxes to find gold amidst all the rubble and malicious content.

dotBATman

70 Posts

You forgot two (or three) more points why an infection requires a REALLY ignorant user:
* Windows displays a warning when the user double-clicks the *.ZIP since the attachment manager (introduced about 11 years ago with XP SP2, see https://support.microsoft.com/en-us/kb/883260) adds a mark-of-the-web alias "zone identifier" (see http://blogs.msdn.com/b/ieinternals/archive/2012/06/20/loading-local-files-in-enhanced-protected-mode-in-internet-explorer-10.aspx, http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx or http://blogs.msdn.com/b/oldnewthing/archive/2013/11/04/10463035.aspx) when the *.ZIP is stored on disk;
* Windows displays another warning when the user tries to extract files from a *.ZIP with a mark-of-the-web;
* Windows displays a third warning when the user double-clicks the extracted *.JS since this too carries a mark-of-the-web.

Anonymous

Very good article Brad. Always learn from you.

Spam emails are also part of my research. Few things I always look for :

1. Sender domain
2. Language and grammar of the email.
3. Attachment names

After than the investigation starts using tools such as wireshark, security onion etc. I am still learning and your blogs always helps.

@Anonymous - humans is the highest threat to an organisation and can easily be manipulated due to lack of education or awareness. I believe this is not their ignorance however fear/paranoia that they may have made a mistake unknowingly or victim of a crime such as your credit card has been used. As security or cyber attack news have been pounded on the people, it is obvious that in the name of being safe they tend to go towards non-safe. And not all are windows users.

makflwana

17 Posts

Just to add: Sanesecurity.Malware.25668.JsHeur is now picking these up using ClamAV 3rd party signatures.

Thanks for the samples.

Cheers,

Steve
Sanesecurity.com

Sanesecurity

21 Posts

"And not all are windows users."

Since the malspam targets only Windows and Brad enumerated some of the obstacles provided there, but forgot three in his enumeration, I felt free to add them.

JFTR: there a similar obstacles for users of other operating systems to overcome when they want to execute a *.JS.

- most MUAs block possible malware, especially "executable" files, i.e. they dont allow to save these attachments;
- new files are not "executable" per default;
- mount -onoexec /home;
- SELinux or equivalents exist.

Anonymous

The reason why an "ignorant " user will click through and ignore warnings is because Windows encourages them to do so
Windows by default will hide file extensions. These malicious JS files will pretend to be a doc file to the user ( although the icon will be clearly displayed) Users do not rely on icons but file names to see what the file is.

A harried, busy small business user or consumer will always click to open ANYTHING that their antivirus doesn't detect. That is why we see so may infected users

The vast majority ignore warning from windows because they are fed up with them. UAC prompts are a particualr one that gets ignored or turned off, becaue theya re so common

DVK01

21 Posts

> The reason why an "ignorant " user will click through and
> ignore warnings is because Windows encourages them to do so

I dont call 3 warnings an encouragement!

> Windows by default will hide file extensions. These malicious
> JS files will pretend to be a doc file to the user ( although
> the icon will be clearly displayed) Users do not rely on icons
> but file names to see what the file is.

Right. But they SHOULD notice the warnings!
JFTR: you have been warned.

> A harried, busy small business user or consumer will always
> click to open ANYTHING that their antivirus doesn't detect.
> That is why we see so may infected users

Which but clearly shows that antivirus is utterly useless.

> The vast majority ignore warning from windows because they are
> fed up with them. UAC prompts are a particualr one that gets
> ignored or turned off, becaue theya re so common

Neither UAC nor SRP/AppLocker can be turned off by a standard user!
As Brad wrote: SRP/AppLocker definitively stops (not only) this kind of malware.

Unless Microsoft creates only standard user accounts and enables SRP Windows is defective: in its default configuration it does not comply with the accepted technical standards (which in quite some countries is required by law and can be enforced legally) of "user/privilege separation" and "write^execute". Return this defective product to your local supplier and ask for a refund!

Anonymous

Brad
revisiting this topic because there is a massive increase again this Month ( October 2015) of fedex malspam with these JS atatchments. One thing that has not been mentioned anywhere else is the downloaded malware from the js file has an invalid/stolen/damaged digital signature
see http://myonlinesecurity.co.uk/fedex-international-next-flight-shipment-delivery-problem-js-malware/
Over the last month of so we have noticed many of the files having a invalid/stolen/damaged digital signature frequently from an antivirus company.

The interesting thing to note is that the 87761567.exe has a stolen digital signature from CJSC Computing Forces, which at least in Internet Explorer, Smart Filter warns about an invalid digital signature but does not block the file from being downloaded or run. However the malware file is originally downloaded as a .gif although it is an executable file. It does contain the damaged/invalid/stolen digital signature but smart screen does not alert on the signature inside a gif only on a .exe file. The fake gif that is downloaded is converted by the .js file to a .exe file, so if a user happens to see a gif being downloaded, they think it is a legitimate picture. If I download the .exe from MALWR I get the smart screen warning. If I download direct via a browser form the infected site as a gif, I do not get any smart screen warning. This is a risk for a user and something Microsoft needs to look at with smart screen.

DVK01

21 Posts