Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Cryptowall and phishing delivered through JavaScript Attachments

While most emails with malicious attachments seem to be zipped Windows executables or exploited Microsoft Office documents, there are still some spammers using regular old JavaScript attachments to do their dirty work. Here are two recent examples.

We recently noticed a spam run of emails purporting to contain an attached resume from a job applicant. The attachment was in plain-text and consisted of obfuscated JavaScript, with the attachment having a file extension of ".js". Some days later, it appears that the first try was too obvious. The next spam run obfuscated the JavaScript even further, and zipped the attachment, so it wasn't obviously JavaScript. They even tried to give the attachment a MIME type of "image/png" so you might think it's just a zipped picture. This iteration looked something like this:


The original email's JavaScript was:


This kind of obfuscation prevents anyone casually inspecting the code from realizing exactly what method it's using, what the URL it's using is, and other suspicious behavior. After deobfuscating the JavaScript, it looked like:


We can see that it was creating an ActiveXObject using an XMLHttpRequest object. This would create another ActiveXObject using ADODB.Stream to retrieve a binary file. This retrieved file would be saved to the %TEMP% folder into a file called something like "45645459.exe". Another ActiveXObject would be created to use to then execute the saved file. The URL the file was retrieved from was something like:


This may seem like you're just retrieving an image file, but if you actually retrieve it, it turns out to be a Windows executable. After analyzing the file, we have determined this is a Cryptowall ransomware variant. So if you open the attachment, thinking you'll be looking at a resume, you could end up with your entire system in trouble.

In a separate campaign, another group of spammers uses JavaScript to hide their phishing attachments. Instead of a resume, they used that old standby, the common account phish. They look something like this:


The From: header has addresses that look reasonably similar to the phished domain addresses as long as you don't look too closely.

Subject lines include:

  • Un-authorized User
  • Verification Required
  • Must verify your account
  • Validate account

This is the very common trick of telling you your account has been limited or disabled, and that to get it back you must validate or verify your account by simply following the easy steps in the attachment. Note that the attachment is now an HTML file with a JavaScript section, and it specifically instructs you to make sure to turn on JavaScript. If you view the attachment in a JavaScript-enabled browser, it creates a form asking for your personal information, looking like this (this is just the bottom half of the page):


They're not only asking for the victim's name and address, but also their Social Security number and a credit card number. When you click on the "Submit Form" button, all your data then goes to a server in Russia. All this information is more than enough to steal your identity.

The obfuscated version looks like this (partial code shown only):


Even before fully deobfuscating the JavaScript, it was interesting to find a possible link to Russia, since one of the arguments to a decoding function was "RU551A".


After deobfuscation, it generated a perfectly normal looking HTML page with a form, like the following snippet:


Whether the JavaScript performs a drive-by download, or phishes for personal information, spammers still use straight JavaScript in an attachment, not always hiding it well. If you can (carefully!) check an attachment to see if it's potentially malicious, it can be a useful tactic to pull some of the less common JavaScript code to use in content blocking. Parts of the code, like the "RU551A" argument, the decoding function names, or some of the mathematical parts are good candidates. Trustwave SEG Cloud, for instance, blocked around 200 of these phishing messages in just three days. Generally speaking, if an email tells you that you need to turn on JavaScript, you probably shouldn't. Despite the proliferation of executables and other exploits-du-jour, you still can't ignore JavaScript attachments in your email stream. They can cause your users (and you) headaches.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More