The same JavaScript downloaders are also responsible for spreading the following ransomware:<\/p>\n
- \n
- Ransom:Win32\/Tescrypt<\/a><\/li>\n
- Ransom:Win32\/Locky<\/a><\/li>\n<\/ul>\n
The spam email contains a .zip<\/em> or .rar<\/em> file attachment which carries a malicious JavaScript. The JavaScript attachment mostly has the following icon, depending on the system\u2019s script software. The file names are either related to the spam campaign, or completely random:<\/p>\n
![\"JS1\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS1.png\")
<\/a><\/p>\nFigure 1: Examples of JavaScript attachments from spam email campaigns<\/em><\/p>\n
Not your favorite Java<\/h2>\n
Just like a typical email campaign, the JavaScript-toting spam finds its way in your PC after a successful social engineering trick. In bag of tricks are attachment file names intentionally crafted to pique any person\u2019s curiosity (finance-related, etc.).<\/p>\n
The JavaScript attachments are heavily-obfuscated to avoid antivirus software detections. It consists of a download and execute function paired with one or two URLs hosting the malware.<\/p>\n
![\"JS2\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS2.png\")
<\/a><\/p>\nFigure 2: Sample code and URL <\/em><\/p>\n
<\/p>\n
![\"JS3\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS3.png\")
<\/a><\/p>\nFigure 3: Another code sample<\/em><\/p>\n
<\/p>\n
![\"JS4\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS4.png\")
<\/a><\/p>\nFigure 4: Another code sample<\/em><\/p>\n
<\/p>\n
![\"JS5\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS5.png\")
<\/a><\/p>\nFigure 5: Another code sample<\/em><\/p>\n
<\/p>\n
In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.<\/p>\n
![\"JS6\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS6.png\")
<\/a><\/p>\nFigure 6: An example of a JavaScript attachment and a dummy file <\/em><\/p>\n
<\/p>\n
![\"JS7\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS7.png\")
<\/a><\/p>\nFigure 7: Another example of a JavaScript attachment and a dummy file<\/em><\/p>\n
<\/p>\n
These URLs are mostly short-lived. But when successfully downloaded, the malware, in this case Ransom:Win32\/Locky<\/a>, enters the system and proceeds in its destructive mission.<\/p>\n
It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document to run it. One click to open the document, and another click to enable the macros.<\/p>\n
On the other hand, the JavaScript attachments only takes one or two clicks for it to start executing.<\/p>\n
It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js<\/em> or .jse<\/em> extension) via email. You should be wary of it and should not click or open it.<\/p>\n
<\/p>\n
![\"JS8\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS8.png\")
<\/a><\/p>\nFigure 8: A screenshot of how the JavaScript attachment gets executed.<\/em><\/p>\n
<\/p>\n
Same stuff, new package<\/h2>\n
It has been a common vector for malware to spread through email attachment. In the past months, we have seen Office file attachments that contains malicious macro. The code is simple and straightforward, it\u2019s main objective is to download and execute other malware, such as password stealers, backdoors and ransomwares.<\/p>\n
The JavaScript-toting email spam is no different.<\/p>\n
These malicious email attachments are distributed through spam campaigns. Spam campaigns range from different social engineering areas that appeal to people\u2019s curiosity \u2013 enough for them to take action and click what shouldn\u2019t be clicked: from finance-related subjects like receipts, invoice and bank accounts, to resumes and shipment notifications.<\/p>\n
<\/p>\n
![\"JS9\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS9.png\")
<\/a><\/p>\nFigure 9: A screenshot of a sample bank-related email spam.<\/em><\/p>\n
<\/p>\n
![\"JS10\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS10.png\")
<\/a><\/p>\nFigure 10: A screenshot of a sample remittance-themed email spam.<\/em><\/p>\n
<\/p>\n
![\"JS11\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS11.png\")
<\/a><\/p>\nFigure 11: A screenshot of a sample invoice-themed email spam.<\/em><\/p>\n
<\/p>\n
![\"JS12\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS12.png\")
<\/a><\/p>\nFigure 12: A screenshot of a sample resume-themed email spam.<\/em><\/p>\n
<\/p>\n
![\"JS13\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS13.png\")
<\/a><\/p>\nFigure 13: A screenshot of a shipment notification-themed email spam.<\/em><\/p>\n
<\/p>\n
![\"JS14\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/04\/JS14.png\")
<\/a><\/p>\nFigure 14: A screenshot of a sample debt case-themed email spam.<\/em><\/p>\n
<\/h2>\n
Mitigation and prevention<\/h2>\n
To avoid falling prey from those JavaScript-toting-emails\u2019 social engineering tricks<\/p>\n
- \n
- Use Windows Defender<\/a> for Windows 10\u00a0as your antimalware scanner.<\/li>\n
- Ensure that Microsoft Active Protection Service has been enabled<\/a>.<\/li>\n
- Use Office 365 Advanced Threat Protection. It has a machine learning capability to help your network administrators block\u00a0dangerous email threats<\/a>. See\u00a0the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks<\/a>, for details.<\/li>\n
- Be wary of emails with JavaScript attachments. It is uncommon and quite suspicious for people to send legitimate applications in pure JavaScript file format (files with .js<\/em> or .jse<\/em> extension) via email. Do not click or open it.<\/li>\n
- Use the AppLocker group policy<\/a> to prevent dubious software from running.<\/li>\n
- Though ransomware and macro-based malware are on the rise, there\u2019s still something that you or your administrators can proactively do:<\/li>\n<\/ul>\n
- \n
- Ensure that a strong password policy<\/a> is implemented throughout the enterprise.<\/li>\n
- Disable the loading of macros in Office programs<\/a>.<\/li>\n
- Disable macro loading through the Group Policy settings<\/a>.<\/li>\n
- Keep your software up-to-date<\/a> to mitigate possible software exploits.<\/li>\n
- Protect derived domain credentials with Credential Guard\u00a0for Windows 10 Enterprise<\/a>.<\/li>\n
- Secure your code integrity with Device Guard for Windows 10 Enterprise<\/a>.<\/li>\n
- Secure the lateral account movement in your\u00a0enterprise<\/a>.<\/li>\n
- Use two-factor authentication with Microsoft Passport and Windows Hello<\/a>.<\/li>\n<\/ul>\n
See some of the related blogs and threat reports:<\/p>\n
- Disable the loading of macros in Office programs<\/a>.<\/li>\n
- Ensure that Microsoft Active Protection Service has been enabled<\/a>.<\/li>\n
- Ransom:Win32\/Locky<\/a><\/li>\n<\/ul>\n