The Spam, JavaScript and Ransomware Triangle

Authors: Dr. Fahim Abbasi and Nicholas Ramos

Introduction

Our global spam honeypot sensors detected a pervasive email campaign that was leveraging a zipped attachment containing a malicious JavaScript. When opened, the JavaScript was used to infect victims with ransomware. This campaign started in the late hours of 17th July 2017, and after peaking at over 1.2 million messages, ended on the 19th of July, 2017. Similar burst was observed a couple of days later on the 25th of July, that ended on the 27th of July 2017, as illustrated by the timeline in Figure 1 and Table 1.

1
Figure 1: Timeline of the spam campaign showing the spam peaks

Table 1: Spam by country of origin for this campaign.

23


Analysis of the Email Body

Last May, we reported a spam campaign distributing both FakeGlobe and Cerber ransomwares. While the campaign lasted a few days, we recently observed similar malware being spammed out in a different campaign. This campaign used the same blank subject and body, but had a different attachment of a compressed JavaScript (JS) file. There were two different sets of Zip files used in this campaign, each containing a distinct set of JavaScript code. Both JS files appeared to be using the same code template, but contained different URLs pointing towards different malware. Anonymized screenshots of the two spam messages, with the attachments are illustrated in Figure 2 and 3. Here in both messages, the Subject field and body was blank or empty. It has been a common technique to use blank subject and body to make it hard for anti-spam signature-based detections, and serves as a simple template for spammers.

4
Figure 2: Sample Email message with the zipped attachment
5
Figure 3: Sample Email message with a similar zipped attachment

Analysis of the Attachment

The Malicious JavaScript (JS)

Saving the attachment to disk and unzipping it reveals a JavaScript file. Double-clicking on this JavaScript file may execute it, which is the aim of the spammers. This JavaScript sample is unique as it is embedded inside paragraphs of readable text, apparently copied from Wikipedia articles about different countries. We believe the paragraphs have been placed at the top of the script to give the appearance of a benign-looking text file to evade both automated scanners and any human expert who might preview it in any text editor. A screenshot of one such sample is illustrated here in Figure 4 and Figure 5. Apparently, in this case, the text passage has been copied across from a Wikipedia article about China.

6
Figure 4: Top of the JavaScript file containing a long Wikipedia article about China

7
Figure 5:JavaScript functions embedded inside the text of the article and at the bottom of it.

There are over 30 obfuscated JS functions crafted by the attackers in this malicious JavaScript sample. These functions perform their malicious activities once they get run by a trigger function call as illustrated in Figure 6.

8
Figure 6: Trigger function that recursively calls all the other malicious JS functions

The trigger function first de-obfuscates URLs and then uses them to download the malicious payload. The script employs a simple de-obfuscation method by removing commas from the obfuscated URLs. As a failsafe method, the attackers have embedded five different URLs in this function to force the victim to download at least one malicious payload, in case any others have been taken offline. A code snippet is illustrated in Figure 7.

9
Figure 7: URLs hosting malicious payload are de-obfuscated

These malicious URLs are then supplied to a downloader function. The downloader function uses a Microsoft ActiveX object namely MSXML2.XMLHTTP. This object is used to send an arbitrary HTTP request, receive the response, and have the Microsoft XML Document Object Model (DOM) parse that response. Here the Open method is used to Initialize an MSXML2.XMLHTTP request and specifies the method, and URL as shown in Figure 8. The use of Microsoft ActiveX Objects indicate that the spammers are targeting Microsoft Windows victims. The script could be executed simply by double-clicking on it in a Windows OS. This is facilitated by the Microsoft Windows Scripting Host (WSH), which is a framework for running and automating scripts from the GUI using WScript.exe or from the command line using CScript.exe. The WSH supports scripting engines like Jscript and VBScript. Additionally, this script could be interpreted and executed by web browsers, especially Microsoft Internet Explorer and Edge. Other browsers running the IE extensions that support ActiveX objects may also be vulnerable.

10
Figure 8: The Downloader function, that initiates the file download over HTTP, along with some inline comments

Next, the attackers leverage the ActiveX stream and filesystem object to save the downloaded file to the temp folder as a randomly named JPG and then rename it to an EXE as illustrated in figure 9, 10 and 11.

11
Figure 9: Save the malicious payload in temp folder as a JPG, code along with some inline comments shown

12
Figure 10: Stream object used to save the downloaded file to disk

13
Figure 11:Malicious file extension is changed from .JPG to .EXE, code along with some inline comments shown

Finally, the malicious payload is executed using the ActiveX WScript Shell object that executes the downloaded malware payload sample as illustrated in Figure 12. In summary, this JavaScript sample is a downloader and executor.

14
Figure 12: Payload execution via WScript Shell ActiveX Object, code along with some inline comments shown

Analysis of the Malicious Payload dropped by the JS

We had two different JavaScript samples, which were packaged with the same code template but were configured using different URLs. This results in downloading two different ransomware families namely "FakeGlobe" ransomware and "Cerber" ransomeware.

Payload – IOC

FakeGlobe Ransomware

This was hosted on the embedded URLs ending with *.dat extension. An example URL extracted from the JS file is listed here:

URL: hxxp://astromfghqmo.com/error.php?f=1.dat

Hash of the Downloaded Files:

  • MD5:D885A811324370FD2CA8ED9075A71652
  • SHA1:DF799BC0225C5391DAE2F0044AAAE745A2C64E14

Encrypted Files and Ransom Note for FakeGlobe:

After execution, the FakeGlobe ransomware samples encrypts and renames files. The encrypted files are renamed using the *.crypt extension name as shown in figure 13 and a ransomware note is setup as a HTML shown in figure 14.

16
Figure 13: Files renamed with *.crypt extension

17
Figure 14: FakeGlobe Ransomware Note

Cerber Ransomware

The Cerber ransomware was hosted on URLs ending with the *.doc extension. A few URLs extracted from the JS file are listed here:

URLs:

  • hxxp://asopusforums.date/1.doc
  • hxxp://ariadnerevolution.date/1.doc
  • hxxp://asbetosgem.trade/1.doc
  • hxxp://phaennabazaar.trade/1.doc
  • hxxp://dolopolesasz.com/1.doc

Hash of Downloaded Files:

  • MD5: FE1BC60A95B2C2D77CD5D232296A7FA4
  • SHA1: C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684

Encrypted Files and Ransom Note:

After execution, the Cerber ransomware sample encrypts and renames files. Files encrypted by Cerber ransomware use random filename and extensions, for this sample it used random files with this extension "*.ab22" as shown in Figure 15. The usual Cerber will drop ransom note on both "*.hta" and "*.txt" formats as shown in figure 16 and 17.

18
Figure 15:Encrypted files with random name and *.ab22 extension

19
Figure 16: Ransom note Text file contents

Aside from the files it will also change the wallpaper to display a ransom note, a typical behavior of Cerber.

20

Figure 17: Ransom note HTML file contents

Conclusion

Attackers are leveraging the simplicity provided by email to distribute ransomware to global victims. We detected one such campaign where attackers sent millions of spam messages detected by our distributed honeypot sensors. These spam messages contained a blank Subject line and had an empty message body. The messages could be categorized into two different sets, each serving a different zip attachment, that contains a similar obfuscated JavaScript file. The JS files contain the same code template, but are configured with a distinct set of URLs that point to different ransomwares. Once executed the ransomware infects and encrypts files on the victim's computer for ransom. As a mitigation measure, customers should consider blocking JS files at the email gateway, as recently much malware we are seeing is being distributed via such scripts. Trustwave's Secure Email Gateway effectively detects and deters this campaign, thus protecting our customers from the threats posed by cyber criminals.

Acknowledgements

We would like to thank Gerald Carsula for his helpful contributions and Phil Hay for his valuable feedback and advice.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.