Cryptowall and phishing delivered through JavaScript Attachments

While most emails with malicious attachments seem to be zipped Windows executables or exploited Microsoft Office documents, there are still some spammers using regular old JavaScript attachments to do their dirty work. Here are two recent examples.

We recently noticed a spam run of emails purporting to contain an attached resume from a job applicant. The attachment was in plain-text and consisted of obfuscated JavaScript, with the attachment having a file extension of ".js". Some days later, it appears that the first try was too obvious. The next spam run obfuscated the JavaScript even further, and zipped the attachment, so it wasn't obviously JavaScript. They even tried to give the attachment a MIME type of "image/png" so you might think it's just a zipped picture. This iteration looked something like this:

Resume rodney mcpherson

The original email's JavaScript was:

Rodney_orig_js

This kind of obfuscation prevents anyone casually inspecting the code from realizing exactly what method it's using, what the URL it's using is, and other suspicious behavior. After deobfuscating the JavaScript, it looked like:

Rodney_unob_js

We can see that it was creating an ActiveXObject using an XMLHttpRequest object. This would create another ActiveXObject using ADODB.Stream to retrieve a binary file. This retrieved file would be saved to the %TEMP% folder into a file called something like "45645459.exe". Another ActiveXObject would be created to use WScript.shell to then execute the saved file. The URL the file was retrieved from was something like:

hxxp://grandviewconsulting.net/images/rep.jpg

This may seem like you're just retrieving an image file, but if you actually retrieve it, it turns out to be a Windows executable. After analyzing the file, we have determined this is a Cryptowall ransomware variant. So if you open the attachment, thinking you'll be looking at a resume, you could end up with your entire system in trouble.

In a separate campaign, another group of spammers uses JavaScript to hide their phishing attachments. Instead of a resume, they used that old standby, the common account phish. They look something like this:

Paypal3_orig

The From: header has addresses that look reasonably similar to the phished domain addresses as long as you don't look too closely.

Subject lines include:

  • Un-authorized User
  • Verification Required
  • Must verify your account
  • Validate account

This is the very common trick of telling you your account has been limited or disabled, and that to get it back you must validate or verify your account by simply following the easy steps in the attachment. Note that the attachment is now an HTML file with a JavaScript section, and it specifically instructs you to make sure to turn on JavaScript. If you view the attachment in a JavaScript-enabled browser, it creates a form asking for your personal information, looking like this (this is just the bottom half of the page):

Paypal3_form

They're not only asking for the victim's name and address, but also their Social Security number and a credit card number. When you click on the "Submit Form" button, all your data then goes to a server in Russia. All this information is more than enough to steal your identity.

The obfuscated version looks like this (partial code shown only):

Paypal3_orig_js

Even before fully deobfuscating the JavaScript, it was interesting to find a possible link to Russia, since one of the arguments to a decoding function was "RU551A".

Paypal3_orig_js2

After deobfuscation, it generated a perfectly normal looking HTML page with a form, like the following snippet:

Paypal3_unob_js

Whether the JavaScript performs a drive-by download, or phishes for personal information, spammers still use straight JavaScript in an attachment, not always hiding it well. If you can (carefully!) check an attachment to see if it's potentially malicious, it can be a useful tactic to pull some of the less common JavaScript code to use in content blocking. Parts of the code, like the "RU551A" argument, the decoding function names, or some of the mathematical parts are good candidates. Trustwave SEG Cloud, for instance, blocked around 200 of these phishing messages in just three days. Generally speaking, if an email tells you that you need to turn on JavaScript, you probably shouldn't. Despite the proliferation of executables and other exploits-du-jour, you still can't ignore JavaScript attachments in your email stream. They can cause your users (and you) headaches.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.