Email malware attachment delivered as .js file

I got a spam today to an account hosted by my residential ISP but
operated by Hotmail (ie - Micro$haft).  The originating IP of the spam
indicated that the infected host uses the same ISP that I do.

The payload was a zip-compressed obfuscated .js file, which was scanned
here:

https://www.virustotal.com/en/file/cabea50df557c862e39db28c4768435f3a730b5c6e6099db37dcd1fa6bc61ea0/analysis/1441202201/

A unique name given to this malware seems to be "Nemucod"

A de-obfuscated display of this file can be found here:

http://wepawet.iseclab.org/view.php?hash=ed7c3a57a60f35e14d78a268bb4ff3e7&type=js

"No exploits were identified"

Perhaps not - but the code obviously directs the reader to download an
executable from one of these domains:

   etqy.com
   ihaveavoice2.com
   riggst.com

Can anyone here explain how, or under what conditions, this
zip-compressed .js file was intended or would have been executed on a
recipient's machine by performing a single click-action on the payload
attachment link?

Can anyone explain Macro$hit's failure to scan and detect this file as a
malicious attachment by their hotmail server?

Re: Email malware attachment delivered as .js file

"Virus Man" wrote:

[quoted text omitted]

That's "documen"(t) backwards.

[quoted text omitted]

It won't run with a single click. Malware like this relies on the
willingness of users to go to any length to see what's inside. If
they're stupid enough to ignore all sorts of warnings from their
software or OS about opening attachments or running untrusted scripts
or executables then they're good candidates for infection.

[quoted text omitted]

Nope, but then I wouldn't want my mail provider deciding what's a good
or bad attachment (especially a zip) on my behalf.



Re: Email malware attachment delivered as .js file

Ant wrote:

[quoted text omitted]


I got another such spam today, with another zip-compressed .js file:

https://www.virustotal.com/en/file/fa9c9f85ed1fea8b2fe19fcd43df7721fc16a333e42a9e8b4b5a918f86e5ca91/analysis/1441541590/

http://wepawet.iseclab.org/view.php?hash=1404be252a3d2861fdffc6af412d2495&type=js

Looks like it's trying to download an exe file from one of:

  dickinsonwrestlingclub.com
  www.fibrasinteticafm.com
  laterrazzafiorita.it

I dragged the .js file over to a few of my installed browsers.

Firefox 2.0.0.20, Netscape 9.0.0.6 and Opera 12.02 all did the same
thing - just opened it as a text file and displayed the text of the .js
file.

IE 6 seems to have actually known it was a script file, because it first
threw up a warning if I wanted to open, run or save a potentially
dangerous file.  I said sure - run it.  It then threw up this error:

--------------
Windows Script Host

Script: (path to js file)\Invoice_whatever.doc.js
Line: 1
Char: 15876
Error: Arguments are of the wrong type, are out of acceptable range, or
are in conflict with one another.
Code: 800A0BB9
Source: ADODB.Stream
---------------

I had to dismiss that error message about 10 times before it went away.

I would have thought that Opera 12, being somewhat "new" or newer, would
have known how to handle or execute a .js file.

Is IE the only browser that opens / executes .js files if you drop the
file onto the browser?  Is this unique to IE6, or do other versions of
IE also do this?  Do newer versions of Mozilla-based browsers execute
.js files if you drop them on them?

I re-scanned the first .js file (the one I posted about here 4 days ago)
at VT.  It is now being detected by 26 out of 57 AV programs.  Here are
a few selected AV/AM programs among the 31 programs that ARE NOT
detecting this as malware - even 4 days after submission to VT:

Hall of Anti-Virus Shame (no demonstrated ability to detect .js threat
files in a timely manner to be of any use to an end user):

- Avast
- ClamAV
- MalwareBytes
- Microsoft
- Symantec
- TrendMicro/TrendMicro-Housecall

The .JS file today is currently being detected by 9 out of 57.

McAfee is labelling it as "BehavesLike.JS.ExploitBlacole" but a few
others are calling it JS/Nemucod.

Some selected programs that ARE detecting the previous .js file but NOT
the current submission:

Programs that will eventually (probably) detect this polymorphic .js
threat technique - but only after you've been exposed to it:

- AVG
- Avira
- ESET-NOD32
- F-Secure
- Kaspersky (!)

Re: Email malware attachment delivered as .js file

"Virus Man" wrote:

[quoted text omitted]

In Windows a ".js" file on its own is not run by a browser but by the
"Windows Script Host", as you can see from your error message.

[quoted text omitted]

I'm not surprised. In any case, the use of ActiveX in the script would
prevent non-IE browsers from running it unless plugins are available.

[quoted text omitted]

IE is just passing it over to WSH (after any warnings).

[quoted text omitted]

I expect you have an older version of ADO.

[quoted text omitted]

Why should it? It knows about HTML (JS files called from HTML are a
different matter).

[quoted text omitted]

Probably.


IE8 does it (with two warnings).

[quoted text omitted]

No.


It's not an exploit but a simple downloader & runner. However the
obfuscation (if there is any) and what it's doing should be red flags
to AVs. The script as shown by Wepawet is incomplete because the
variable "str" in the open(GET, ...) is undefined. We're not seeing
the whole package.

If you run this (corrected) JS file by double-clicking it will do its
work without opening a browser and without warning unless appropriate
security policies are in effect. However, before the downloaded exe is
run I would hope you'd get at least one warning from the OS about
allowing a downloaded exe from the internet to run. I can't say how
versions of Windows later than XP handle the security aspects of such
scripts.
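The reply above describes the payload as a plain downloader-and-runner whose use of WSH/ActiveX objects such as ADODB.Stream, together with its obfuscation, should be a red flag to scanners. The script below is an added example, not code from the thread or from any poster: a gateway-style triage of a zip attachment that flags the traits discussed here (a WSH-handled extension, a decoy double extension like "Invoice_whatever.doc.js", WSH/ActiveX object names, and very long obfuscated lines). The indicator list, thresholds and the inert sample script are my own constructed assumptions.

```python
"""Added example (not from the thread): mail-gateway style triage of a
zip attachment, flagging script payloads of the kind discussed above.

Assumptions (mine, not the posters'): the attachment arrives as raw zip
bytes; the indicator strings and thresholds below are hand-picked.
"""
import io
import zipfile

# Extensions Windows hands to the Windows Script Host (or mshta) on
# double-click; the thread's point is that .js is one of them.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Decoy extensions commonly placed before the real one (assumed list).
DECOY_EXTENSIONS = {".doc", ".pdf", ".xls", ".txt", ".jpg"}

# Object names a "document" has no reason to contain (assumed indicator set).
WSH_INDICATORS = ("ActiveXObject", "ADODB.Stream", "WScript.Shell",
                  "MSXML2.XMLHTTP", "Scripting.FileSystemObject", ".Run(")


def triage_member(name, data):
    """Return a list of findings for one zip member; [] means nothing seen."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in WSH_EXTENSIONS:
        findings.append("wsh-extension:" + ext)
    # Invoice_whatever.doc.js: a decoy extension hides the real one when
    # Explorer hides known extensions.
    if len(parts) > 2 and ("." + parts[-2]) in DECOY_EXTENSIONS:
        findings.append("double-extension:." + parts[-2] + ext)
    text = data.decode("latin-1")
    for indicator in WSH_INDICATORS:
        if indicator in text:
            findings.append("indicator:" + indicator)
    # Obfuscation heuristic: one enormous line built from string fragments
    # or fed to eval (the WSH error in the thread was at char 15876 of line 1).
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > 2000 and (text.count("+") > 50 or "eval(" in text):
        findings.append("obfuscation:long-line")
    return findings


def triage_zip(zip_bytes):
    """Map each member name to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = triage_member(info.filename, zf.read(info))
    return report


def should_block(report):
    """Gateway policy: quarantine if any member produced a finding."""
    return any(findings for findings in report.values())


# Constructed sample: an inert script that only names a WSH object; it is
# not a working downloader and does nothing if run.
SAMPLE_JS = b'var s = new ActiveXObject("ADODB.Stream"); // inert sample\n'


def build_sample_zip():
    """Constructed attachment: a decoy-named script plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_12345.doc.js", SAMPLE_JS)
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for member, findings in report.items():
        print(member, "->", findings or "clean")
    print("block:", should_block(report))
```

Run as-is it reports the .js member with four findings (WSH extension, decoy double extension, and two object-name indicators) and the text file as clean, so the attachment would be quarantined. The extension check alone already answers the original poster's question about provider-side filtering: no content analysis is needed to know that a .js inside a zip is something WSH will run on double-click.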



Re: Email malware attachment delivered as .js file

"Virus Man" wrote:

[quoted text omitted]

By the user double-clicking the unzipped js file.

[quoted text omitted]

Exactly. It depends.

[quoted text omitted]

It's not.


By the OS (file association for ".js" in the registry).

[quoted text omitted]

By the user double-clicking it.



Re: Email malware attachment delivered as .js file

On Wed, 02 Sep 2015 10:47:57 -0400, Virus Man wrote:

[quoted text omitted]

Don't know. I use Linux so I don't have to care.

Re: Email malware attachment delivered as .js file

"W.S. Blevins" wrote:

[quoted text omitted]


So Linux doesn't have any ability to execute javascript?

What would happen on a linux system if you got an email with a
javascript attachment?  Say, a script that was designed with linux in
mind?

Re: Email malware attachment delivered as .js file

[quoted text omitted]

I heard it will not affect the system unless you are running it as root.

Regards
Ralf


Re: Email malware attachment delivered as .js file

On Sat, 12 Sep 2015 16:11:21 +0000, Ralf S. Hellersen wrote:

[quoted text omitted]

That is correct. And you never need nor should log on as root.

Re: Email malware attachment delivered as .js file

I've received more of these spams with zip-compressed .js files.  Got
one just today:

https://www.virustotal.com/en/file/de51212777a6f578c07723458a40238433ff21b88c1f3f45ba0ca4abda999b9e/analysis/1442838172/

Detection score 8 / 57 (submitted 5 hours after it showed up in my
mailbox).

Kaspersky (and many others) still fails early detection.

Here is a description of this campaign and infector:

http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/#

What I don't get is that the .JS file being distributed is still failing
to execute on the win-98 script host.  I was thinking that perhaps this
exploit was trying to leverage some "new" or known vulnerability in some
newer (nt-based) scripting host engine, but I can find no mention of any
such phenomenon.

So it seems that there is some sort of structural / functional
difference between the scripting host of win-98 vs NT that is necessary
to enable this exploit .js code to function, and hence win-9x systems
are not affected.

Another "if it works, it's not complicated enough" moment brought to you
by Micro$haft.
