
Malicious spam continues to serve zip archives of javascript files, (Wed, Jul 29th)


Introduction

In January 2015, the Asprox botnet switched from sending malware attachments to spamming pornography and diet-related scams [1]. Since then, we've noticed an increase in a different type of malicious spam (malspam). This malspam has zip attachments containing javascript files (.js), and it uses the same type of subject lines we saw from the Asprox botnet prior to 2015 [1].

We still see malspam using zipped .js attachments. One popular theme with this sort of malspam is fake resumes [2]. A reader sent us an example last week on Friday 2015-07-24 [3]. That example infected a computer with CryptoWall 3.0 when we checked it out in our lab environment.

We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter and Miuref/Boaxxe.

The malspam

As usual, botnet-based malspam comes from a variety of sources, and it uses variations for the subject line. There's no easy way to filter your queries when trying to retrieve this sort of malspam.

I gathered seven of these malspam examples. Details follow:

Date/time: 2015-07-27 08:28 UTC
From: E-ZPass Manager ( maurice.mccarthy@server.neleryaptik.com )
Subject: Indebtedness for driving on toll road #00383521
Attachment name: Invoice_00383521.zip - 1,834 bytes - MD5 hash: 9225b83e28ee6bc7cd45e99e50848bc6
Extracted file: Invoice_00383521.doc.js - 11,387 bytes - MD5 hash: c4754dadf67b40e96ecf50694d90e9eb

Date/time: 2015-07-27 08:45 UTC
From: E-ZPass Support ( julio.miller@enggdesign.com )
Subject: Payment for driving on toll road, invoice #000460414
Attachment name: E-ZPass_Invoice_000460414.zip - 1,841 bytes - MD5 hash: 509e4f3dd518113e665423d0068f5d7e
Extracted file: E-ZPass_Invoice_000460414.doc.js - 11,709 bytes - MD5 hash: 4750ea90c5c31ab622153025e0537d60

Date/time: 2015-07-27 11:10 UTC
From: E-ZPass Support ( franklin.belcher@whizpress.com )
Subject: Indebtedness for driving on toll road #00000708707
Attachment name: 00000708707.zip - 1,826 bytes - MD5 hash: 25f07fc22952453665a2c1b6deb0b9d8
Extracted file: 00000708707.doc.js - 11,454 bytes - MD5 hash: 1be977c85a8c4fc9ca6b6be0e41510d7

Date/time: 2015-07-27 12:12 UTC
From: County Court ( seth.herring@navratanindia.com )
Subject: Notice to appear in Court #00336511
Attachment name: Notice_to_Appear_00336511.zip - 1,878 bytes - MD5 hash: 9efe9f44061259a53b32758c77ae8772
Extracted file: Notice_to_Appear_00336511.doc.js - 11,208 bytes - MD5 hash: d84a2d821108301077b681f4a93ecefc

Date/time: 2015-07-27 12:32 UTC
From: FedEx Standard Overnight ( eric.bowman@33d33.com )
Subject: Courier was unable to deliver the parcel, ID00888397
Attachment name: 00888397.zip - 1,803 bytes - MD5 hash: 594f788933ab6dc05ffc03f528e11c58
Extracted file: 00888397.doc.js - 11,430 bytes - MD5 hash: 2a90f4866bc98479ab5b0c44c8add551

Date/time: 2015-07-27 12:56 UTC
From: E-ZPass Agent ( sam.hickman@203-189-109-222.virt.lolipop.jp )
Subject: Indebtedness for driving on toll road #00118934
Attachment name: E-ZPass_Invoice_00118934.zip - 1,883 bytes - MD5 hash: d0642234e722f9d9bcd9486c1c6bbb44
Extracted file: E-ZPass_Invoice_00118934.doc.js - 11,973 bytes - MD5 hash: 6af16117fe73ca903884c3684099c695

Date/time: 2015-07-27 14:39 UTC
From: E-ZPass Agent ( marcus.blackburn@sg2nw8shg132.shr.prod.sin2.secureserver.net )
Subject: Indebted for driving on toll road #0000161034
Attachment name: E-ZPass_0000161034.zip - 1,798 bytes - MD5 hash: c616720fa03b0238459830466657e80c
Extracted file: E-ZPass_0000161034.doc.js - 11,064 bytes - MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea

The attachment

Extract the .js file from the zip archive, and you'll find a highly obfuscated javascript file.

Tools like jsdetox can deobfuscate the script for you. However, you can easily execute the .js file on a Windows virtual machine to find URLs for the malware.
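Before any of that, a mail gateway can flag these attachments on structure alone: a zip whose members are Windows Script Host files, often hidden behind a document-looking double extension such as Invoice_00383521.doc.js. The following check is an added example, not code from the diary; the archive it inspects is constructed in memory and is not one of the samples above.

```python
import io
import zipfile

# Script extensions a gateway would not expect inside an attached archive.
# The diary's samples are .js files; the other Windows Script Host types
# are included as an assumption about what the same filter should catch.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

def suspicious_members(zip_bytes):
    """Return (member name, reason) pairs a mail filter should flag.

    Flags script extensions, double extensions that put a document-looking
    name in front of a script, and members whose data begins with the MZ
    header of a Windows executable regardless of what the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTENSIONS:
                reason = "script file"
                if len(parts) > 2:
                    reason += " with double extension ." + parts[-2]
                findings.append((name, reason))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            if head == b"MZ":
                findings.append((name, "PE executable despite extension " + (ext or "(none)")))
    return findings

def build_sample_zip(members):
    """Build a constructed archive from a {name: bytes} mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: one double-extension script, one benign text file,
# one "image" that is really a PE file. Contents are placeholders.
SAMPLE = build_sample_zip({
    "Invoice_00383521.doc.js": b"var a='placeholder, not the real script';",
    "notes.txt": b"plain text",
    "photo.jpg": b"MZ\x90\x00 placeholder PE header, not a picture",
})

if __name__ == "__main__":
    for name, reason in suspicious_members(SAMPLE):
        print(f"FLAG {name}: {reason}")
```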

The IP addresses and domains hosting the follow-up malware are:


The traffic

I infected a Windows host in a lab environment with one of the .js files, E-ZPass_0000161034.doc.js (MD5 hash: 38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain of traffic. Three EXE files were downloaded by the .js file. We then saw HTTP POST requests associated with Kovter malware. Traffic also triggered an alert for Miuref/Boaxxe. Later in the p

HTTP GET requests for the three EXE files happened first. All were identified as images in the HTTP response headers, but they were clearly executable files.
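That mismatch between the declared Content-Type and the actual file signature is a reliable thing to alert on at a proxy or in pcap review. The following is an added example, not from the diary or its pcap: it parses a raw HTTP response and reports when an image Content-Type carries a body whose magic bytes say something else. The sample responses are constructed.

```python
# File signatures checked against the declared type. The diary's downloads
# claimed to be images but began with the MZ header of a Windows PE file.
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff(body):
    """Return the MIME type implied by the body's leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body

def content_type_mismatch(raw):
    """Return (declared, actual) when an image Content-Type hides a different
    file signature; None when the declared type matches or nothing is known."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    if declared.startswith("image/") and actual is not None and actual != declared:
        return declared, actual
    return None

# Constructed responses (not captured traffic): a PE file served as a JPEG,
# and a genuine GIF for comparison.
FAKE_IMAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04"
)
REAL_IMAGE = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00"

if __name__ == "__main__":
    print(content_type_mismatch(FAKE_IMAGE))  # ('image/jpeg', 'application/x-dosexec')
    print(content_type_mismatch(REAL_IMAGE))  # None
```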

Below is an example of callback traffic from

The malware

Below are examples of EXE files from the infected host:

  • Kovter - C:\Users\username\AppData\Local\Temp\36140203.exe - 508.1 KB (520,246 bytes) - hybrid-analysis link
  • Miuref/Boaxxe - C:\Users\username\AppData\Local\Temp\50728360.exe - 84.0 KB (86,016 bytes) - hybrid-analysis link
  • Third executable - not found on host - 1.5 KB (1,536 bytes) - hybrid-analysis link

A pcap of the 2015-07-27 malspam infection traffic is available at:

A zip file of the associated malware and sanitized malspam examples is available at:

The zip file is password-protected with the standard password. If you don

Final words

Malspam with zipped .js attachments has continued since I first looked into it earlier this year. We're fairly certain this style of malspam will remain an issue. Most spam filters keep these messages from getting to their intended recipients, but filters are never a foolproof method. As botnets continue to send malicious content to the world's inboxes, we should always remain aware of the current threat landscape.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
[2] https://www.trustwave.com/Resources/SpiderLabs-Blog/Cryptowall-and-phishing-delivered-through-JavaScript-Attachments/
[3] https://malwr.com/analysis/ODRiNDRlNDIxYmM0NDRmZThjYWExZTI1OGY5MDJkOWU/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
