SANS ISC: Spam with Obfuscated Javascript

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

We all receive spam of all kind, some with malicious URL and other with strange files attachments. This week we have been receiving several java scripts as email attachments and most of them with malicious intent. I picked one of the many files received and (after unzipping the file twice) checked the MD5 hash in Virustotal, this file was never submitted. The script is well obfuscated but after submitting the sample to Virustotal, it shows this javascript as JS/Nemucod and is used to download ransomware and information stealing malware.

5042.js Javascript Partial Snapshot

Using this javascript beautifier[5], it help make some sense of what this script is attempting to do. It is now much easier read the script and see the variables:

Some ways to protect against malicious email attachments:

- First step is to verify what your organization allows through the enterprise anti-malware gateway
- Delete or report to the security team any attachments which contains .exe but there are other files that can be malicious such as  .bat, .cmd, .com, .cpl, .hta, .jar, .js, .msi, .pif, .reg. This list is not exhaustive
- Office or PDF documents received from unknown senders, they could contain malware
- Fake extensions or "double extensions" (i.e. .exe.jpg)

Last, obviously, nothing is foolproof, if unsure ask your security team to check the file.

[1] https://www.virustotal.com/en/file/1f7b32e6db703817cab6c2f7cb8874d17af9d707ce17579dc30aee2cdadf082f/analysis/1472406596/
[2] d4f9a9841d0b369dfe1a9a7f2f71a14e  crlxa15dd4e.zip
[2] d1c5211c76b35b1bbc1b51b36a34228d  5042.zip
[3] 8f690b5b5e2be8d242bf48dad4e2038e  5042.js
[4] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
[5] http://jsbeautifier.org/
[6] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu