Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Cryptowall and phishing delivered through JavaScript Attachments

While most emails with malicious attachments seem to be zipped Windows executables or exploited Microsoft Office documents, there are still some spammers using regular old JavaScript attachments to do their dirty work. Here are two recent examples.

We recently noticed a spam run of emails purporting to contain an attached resume from a job applicant. The attachment was in plain-text and consisted of obfuscated JavaScript, with the attachment having a file extension of ".js". Some days later, it appears that the first try was too obvious. The next spam run obfuscated the JavaScript even further, and zipped the attachment, so it wasn't obviously JavaScript. They even tried to give the attachment a MIME type of "image/png" so you might think it's just a zipped picture. This iteration looked something like this:

12429_e9909303-8369-4188-8309-9006bcdd62c8

The original email's JavaScript was:

8305_21cca84d-e5e7-4f28-9f5e-2b55f23e4c7a

This kind of obfuscation prevents anyone casually inspecting the code from realizing exactly what method it's using, what the URL it's using is, and other suspicious behavior. After deobfuscating the JavaScript, it looked like:

10569_8fc4816d-f59c-4e1e-a5dc-7bd342d6b03f

We can see that it was creating an ActiveXObject using an XMLHttpRequest object. This would create another ActiveXObject using ADODB.Stream to retrieve a binary file. This retrieved file would be saved to the %TEMP% folder into a file called something like "45645459.exe". Another ActiveXObject would be created to use WScript.shell to then execute the saved file. The URL the file was retrieved from was something like:

hxxp://grandviewconsulting.net/images/rep.jpg

This may seem like you're just retrieving an image file, but if you actually retrieve it, it turns out to be a Windows executable. After analyzing the file, we have determined this is a Cryptowall ransomware variant. So if you open the attachment, thinking you'll be looking at a resume, you could end up with your entire system in trouble.

In a separate campaign, another group of spammers uses JavaScript to hide their phishing attachments. Instead of a resume, they used that old standby, the common account phish. They look something like this:

9133_4b30f53f-6e13-4122-a223-c0740511bd5a

The From: header has addresses that look reasonably similar to the phished domain addresses as long as you don't look too closely.

Subject lines include:

  • Un-authorized User
  • Verification Required
  • Must verify your account
  • Validate account

This is the very common trick of telling you your account has been limited or disabled, and that to get it back you must validate or verify your account by simply following the easy steps in the attachment. Note that the attachment is now an HTML file with a JavaScript section, and it specifically instructs you to make sure to turn on JavaScript. If you view the attachment in a JavaScript-enabled browser, it creates a form asking for your personal information, looking like this (this is just the bottom half of the page):

8608_319733db-fdce-4283-b965-4a4c7b83d12f

They're not only asking for the victim's name and address, but also their Social Security number and a credit card number. When you click on the "Submit Form" button, all your data then goes to a server in Russia. All this information is more than enough to steal your identity.

The obfuscated version looks like this (partial code shown only):

8310_220766ea-addb-45a1-b56a-971ce9402d64

Even before fully deobfuscating the JavaScript, it was interesting to find a possible link to Russia, since one of the arguments to a decoding function was "RU551A".

10291_81fb4e6a-4f00-447d-a819-2d1baf4c6891

After deobfuscation, it generated a perfectly normal looking HTML page with a form, like the following snippet:

12109_d9de7cfd-f1bf-4955-b7c9-77a9f084a7ab

Whether the JavaScript performs a drive-by download, or phishes for personal information, spammers still use straight JavaScript in an attachment, not always hiding it well. If you can (carefully!) check an attachment to see if it's potentially malicious, it can be a useful tactic to pull some of the less common JavaScript code to use in content blocking. Parts of the code, like the "RU551A" argument, the decoding function names, or some of the mathematical parts are good candidates. Trustwave SEG Cloud, for instance, blocked around 200 of these phishing messages in just three days. Generally speaking, if an email tells you that you need to turn on JavaScript, you probably shouldn't. Despite the proliferation of executables and other exploits-du-jour, you still can't ignore JavaScript attachments in your email stream. They can cause your users (and you) headaches.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More