ISC StormCast for Wednesday, September 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4657

Malicious spam with zip attachments containing .js files

Published: 2015-09-16
Last Updated: 2015-09-16 14:36:12 UTC
by Brad Duncan (Version: 1)
10 comment(s)

2015-09-16 update:  Paul Burbage at Phish Me also published a write-up about this on Friday 2015-09-11 at: http://phishme.com/a-peek-inside-an-affiliates-malspam-operation-kovter-and-miurefboaxxe-infections/

Introduction

On 2015-07-29, the ISC published a diary covering malicious spam (malspam) with zip archives of javascript (.js) files [1].  Since then, we've received notifications from others who have found this type of malspam.  Let's revisit the spam filters, search for this type of email, and see if anything has changed.

Background

Although zipped .js attachments in malspam is nothing new, we noticed a significant increase since January 2015.  This appears to be botnet-based malspam, and we've noticed different payloads as the second-stage download after running the .js file.

A few points to make, before we proceed:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly-administered Windows host using software restriction policies should prevent an infection.
  • A properly-administered spam filter will prevent this type of malspam from reaching the recipient's inbox.

As long as your organization's network is administered correctly, there's no real chance of infection.  Which begs a question.  Why do we still see this malspam every day?

The answer?  We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation.  Why else would we still see it?

The malspam

We searched our spam filters for the past week and found five different themes used for this malspam:

  • American Airline e-tickets
  • Charge for driving on a toll road
  • FedEx delivery notification
  • IRS tax refunds
  • Notices to appear in court

The ones we've discovered so far have all been plain-text messages with zip attachments containing .js files.  They're fairly easy to identify.


Shown above: A list of some .js malspam caught by our spam filters during the past few days.

Below are screenshots showing some of the themes we saw from this malspam during the past week:

We gathered eight malspam examples from the past few days.  Details follow: 

Date: Thursday, 2015-09-08 11:44 UTC
From: E-ZPass Manager ( arnold.savage@199.195.117.231.static.a2webhosting.com )
Subject: Payment for driving on toll road, invoice #00000893738
Attachment: E-ZPass_00000893738.zip - MD5 hash: 687141bd2a548889cd2cd7c59c5cd425
Extracted file: E-ZPass_00000893738.doc.js - MD5 hash: e1d4b1ec9717ae9aed02c1c5395ffc1b

Date: Tuesday, 2015-09-08 23:38 UTC
From: FedEx Ground ( armando.madden@liastudio.ru )
Subject: Courier was unable to deliver the parcel, ID00524666
Attachment: Delivery_Notification_00524666.zip - MD5 hash: 06868d58f113c9b746acfbf51b25b1a8
Extracted file: Delivery_Notification_00524666.doc.js - MD5 hash: 1ad9f4f8e051fa5bada2c1b57dbc5c24

Date: Thursday, 2015-09-10 07:45 UTC
From: District Court ( glen.bartlett@judcred.org.br )
Subject: Notice of appearance in Court #00000516375
Attachment: 00000516375.zip - MD5 hash: 2403b4b255ca3b84e0ff4fd43b8b6c99
Extracted file: 00000516375.doc.js - MD5 hash: 06b5e08e8c943d8440baf4148bd2b14f

Date: Saturday, 2015-09-12 21:52 UTC
From: America Airlines ( orders@aa.com ) - spoofed sender
Subject: Ticket information regarding your order #000735142
Attachment: 00735142.zip - MD5 hash: 85605e67e3afdfc2b9d8d0864b1f0891
Extracted file: 000735142.doc.js - MD5 hash: b4a2d86ee289780ea42882bdcfbf22c8

Date: Monday, 2015-09-14 23:15 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: New payment for tax refund #0000333948
Attachment: Refund_Payment_Details_0000333948.zip - MD5 hash: 54f889567831ed6ae987ef7afb225796
Extracted file: Refund_Payment_Details_0000333948.doc.js - MD5 hash: 733d87c6703bcaf2639a08bb7a011e3e

Date: Tuesday, 2015-09-15 06:03 UTC
From: ( quadernc@webhosting1100.interserver.net ) on behalf of Internal Revenue Service ( office@irs.gov )
Subject: New payment for tax refund #000346071
Attachment: Refund_Payment_Details_000346071.zip - MD5 hash: 774e8165338e3d06b7bf192951308148
Extracted file: Refund_Payment_Details_000346071.doc.js - MD5 hash: 5483e0b8a4ef2ade0f5b1e0d085ef2a3

Date: Tuesday, 2015-09-15 11:20 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #000200199
Attachment: Tax_Refund_000200199.zip - MD5 hash: 652a1bf18ef1a914cbbe91fde63c98d6
Extracted file: Tax_Refund_000200199.doc.js - MD5 hash: ec3de6bcb421d482242d95b055f49ce0

Date: Tuesday, 2015-09-15 13:03 UTC
From: Internal Revenue Service ( office@irs.gov ) - spoofed sender
Subject: Payment for tax refund #00000106406
Attachment: 00000106406.zip - MD5 hash: 079c91fce37f0b2ec37178795455e43a
Extracted file: 00000106406.doc.js - MD5 hash: 0835c11379f639ec460bce73703cfe3a

The attachment

Extract the .js file from the zip archive, and you'll still find highly-obfuscated javascript.  Just like last time, this is merely a javascript-based file downloader.

We executed several of the .js files on a Windows host so we could find URLs for the follow-up malware.  Below is a Wireshark display of traffic we generated.

IP addresses and domains hosting the follow-up malware were:

  • 64.239.115.111 - 64.239.115.111 (no domain name)
  • 67.195.61.46 - ayuso-arch.com **
  • 66.147.242.176 - bisstt.com
  • 199.175.49.19 - crossfitrepscheme.com
  • 72.20.64.58 - dickinsonwrestlingclub.com
  • 174.36.231.69 - dominaeweb.com
  • 96.31.36.46 - idsecurednow.com
  • 50.116.104.205 - ihaveavoice2.com **
  • 208.43.65.115 - laterrazzafiorita.it
  • 76.74.242.190 - les-eglantiers.fr
  • 23.91.123.160 - leikkihuone.com
  • 174.137.191.22 - selmaryachtmarket.com **
  • 69.89.31.73 - syscomm.smartlanka.net

NOTE: Domains with ** hosted malware for other .js malspam as noted in our previous diary covering this subject on 2015-07-29.

The traffic

We infected a Windows host in a lab environment with the most recent sample of .js malware, 00000106406.doc.js (MD5 hash: 0835c11379f639ec460bce73703cfe3a).  This provided a full infection chain of traffic.  Like last time, three .exe files were downloaded by the .js file.  Post infection traffic triggered alerts for Corebot, Miuref/Boaxxe, and Kovter.B malware.


Click on the above image for a full-size view.

Below are alerts on the infection traffic using Security Onion with the EmergingThreats signature set.

HTTP GET requests for the three .exe files happened first.  All were identified as .gif images in the HTTP response headers, but they were clearly executable files.  

Feel free to dig into the traffic for more details.  A link to download the pcap is included in the final words for this diary.

The malware

Below are samples of .exe files downloaded to our infected lab host:

File name:  2015-09-15-js-malware-first-download.exe

  • File size:  305.0 KB ( 312,360 bytes )
  • MD5 hash:  41959be39cf634fa4344396940d680c7
  • SHA1 hash:  a4c6b301e62a67ba28d2ae4347093c80c25dac89
  • SHA256 hash:  462a93d028eca2e116cf8818f6b299adba372895eeffb71f7ffbd95347f939fe
  • Detection ratio:  12 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

File name:  2015-09-15-js-malware-second-download.exe

  • File size:  127.6 KB ( 130,680 bytes )
  • MD5 hash:  56451b5b6ff6f9cbfeb221b80943f75f
  • SHA1 hash:  298bc25dc9a55590ae002b255b384c478163d0c8
  • SHA256 hash:  853b50ac132100c8176229d5144716b8b86033293bce4064ecfd7107cea8e3ec
  • Detection ratio:  0 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

File name:  2015-09-15-js-malware-third-download.exe

  • File size:  453.5 KB ( 464,384 bytes )
  • MD5 hash:  6b83ab0582fb59e89c090ec91b31db7a
  • SHA1 hash:  06a8713fe2dacfc0d59345b0a3317154a961a68b
  • SHA256 hash:  d567404c7ec78e23a5661fbc242d15107f9327a810ffc241c338e39487448979
  • Detection ratio:  3 / 56
  • Virus Total link  -  Malwr.com link  -  Hybrid-analysis link

Final words

We haven't noticed any significant change after comparing this malspam to our previous diary about it on 2015-07-29.  Assuming people continue to get infected by the malspam, we will likely continue to see it caught by our spam filters.  

Most spam filters prevent these messages from getting to their intended recipients, but filters are never a full-proof method.  As botnets continue trying to flood the world's inboxes with malicious content, we should always remain aware of the current threat landscape.

Below are links for the associated files.

A .csv spreadsheet with some dates, times (CDT), senders, and subject lines of the malspam for this diary:

A zip archive containing eight sanitized examples of the malspam (.eml files) used for this diary:

A pcap of the 2015-09-15 infection traffic:

A zip archive of the associated malware:

The zip archives are password-protected with the standard password.  If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/

Keywords:
10 comment(s)

Comments


Diary Archives