Channel: SANS Internet Storm Center, InfoCON: green

A trip through the spam filters: more malspam with zip attachments containing .js files, (Fri, Feb 5th)


Introduction

I was discussing malicious spam (malspam) with a fellow security professional earlier this week. He was examining malspam with zip attachments containing .js files. This is something I've covered previously in ISC diaries [1, 2]. However, the traffic patterns he saw were somewhat different from what I've seen, so I figured it's time to revisit this type of malspam.

Details

This particular wave of .js malspam started on Wednesday 2016-02-03, and these emails were reported by My Online Security the same day [3].

I found 13 messages with the following subject lines during the past two days:

  • Problem with the Order, Reference: #117931
  • Problem with the Order, Reference: #469155
  • Problem with Your Order, Reference: #543361
  • Problem with Your Purchase, Reference: #629146
  • Problem with Your Purchase, Reference: #913251
  • Problems with the Purchase, Reference Number #568643
  • Problems with Your Purchase, Reference Number #199837
  • Problems with Your Purchase, Reference Number #797440
  • Problems with Your Purchase, Reference: #113736
  • Troubles with the Order, Reference: #719684
  • Troubles with the Purchase, Reference Number #459991
  • Troubles with the Purchase, Reference Number #529057
  • Troubles with Your Order, Reference: #987848

Attachment names were different for each of the 13 messages:

  • Ali Washington.zip
  • Cary Harris.zip
  • Dino Hayden.zip
  • Garth Porter.zip
  • Hans Fitzgerald.zip
  • Harold Walter.zip
  • Leonel Mcneil.zip
  • Marc Harding.zip
  • Nickolas Baldwin.zip
  • Romeo Wright.zip
  • Stanley Floyd.zip
  • Ted Fields.zip
  • Ward Shea.zip

Each of the attachments was a zip file that contained a single .js file.
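The subject lines and attachments above follow a tight template, which makes them easy to catch at the mail gateway before anyone double-clicks the script. The following is an added example written for this diary, not code from the original post or from any vendor: it builds a constructed message in the same shape as the ones described (a zip attachment carrying one .js member with an inert placeholder body), then triages it by matching the subject against a regex generalised from the 13 subjects listed and by opening every attachment to look for script members inside zips. The regex, the script-extension list and the sample addresses are assumptions made for the example.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject template generalised from the 13 subjects in the diary (assumption:
# "<Problem|Problems|Troubles> with <the|Your> <Order|Purchase>, Reference[ Number][:] #NNNNNN").
SUBJECT_RE = re.compile(
    r"^(?:Problems?|Troubles) with (?:the|Your) (?:Order|Purchase), "
    r"Reference(?: Number)?:? #\d{6}$"
)

# Extensions that Windows Script Host (or mshta) will run from a double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")


def build_sample_message(subject, attachment_name, script_name):
    """Construct a message like the ones described in the diary.  This is a
    constructed sample, not one of the real 13: the zip holds one member whose
    body is placeholder text, not the actual obfuscated downloader."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(script_name, "// placeholder; real samples are obfuscated downloaders\n")
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"      # assumed sender
    msg["To"] = "recipient@example.invalid"     # assumed recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached document regarding your order.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def zip_script_members(data):
    """Return the names of script-type members inside a zip blob.
    Returns [] when the bytes are not a zip archive at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Parse a raw RFC 822 message and report a subject-template hit plus any
    attachment that is a zip containing a script.  'block' is True when either
    indicator fires, so a renamed subject alone does not slip past the zip check."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    findings = {
        "subject": subject,
        "subject_match": bool(SUBJECT_RE.match(subject)),
        "script_attachments": {},
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Inspect the content, not the declared name: a zip renamed to .dat still unzips.
        members = zip_script_members(payload)
        if members:
            findings["script_attachments"][name] = members
    findings["block"] = findings["subject_match"] or bool(findings["script_attachments"])
    return findings


if __name__ == "__main__":
    raw = build_sample_message("Problem with Your Order, Reference: #543361",
                               "Dino Hayden.zip", "Dino Hayden.js")
    print(triage_message(raw))
```

The zip check is the one to keep even after this campaign rotates its subject lines: a script file inside a zip attachment has almost no legitimate reason to reach an ordinary mailbox, and blocking on content rather than on the attachment's declared name survives a simple rename.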

The script in these .js files is highly obfuscated. It could be deobfuscated with a tool like the one covered in an earlier ISC diary [4]; however, I prefer to execute the .js files in an isolated lab environment and see where the traffic takes us.

Traffic and malware

Each of the scripts tried to download and execute three malware items:

  • script.php_wndz1.jpg - 255.5 KB (261,632 bytes) - File type: Windows EXE
  • script.php_wndz2.jpg - 159.5 KB (163,328 bytes) - File type: Windows EXE
  • script.php_wndz3.jpg - 84.5 KB (86,528 bytes) - File type: Windows EXE
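All three downloads are served with a .jpg extension but are Windows executables, so anything that classifies the files by their URL or name will misfile them. The following is an added example for this diary, not code from the original post: it identifies a payload by its leading bytes, following the MZ header's e_lfanew pointer to the PE signature rather than trusting an "MZ" prefix alone, and flags the case where the name claims an image but the content is executable. The PE blob used for the demonstration is a constructed header skeleton, not one of the real samples, and the magic-number table is limited to the types relevant here.

```python
import struct

# Magic numbers for the content types that matter in this triage (constructed table).
MAGIC = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "Zip archive"),
]

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def classify(data):
    """Identify a blob by its content.  For MZ files, read e_lfanew at offset 0x3C
    and require the 'PE\\0\\0' signature there, so a file that merely starts with
    the letters MZ is not reported as a Windows EXE."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "Windows EXE"
        return "DOS MZ executable (no PE header)"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_lies(filename, data):
    """True when the name advertises an image but the bytes are a Windows EXE,
    which is exactly the script.php_wndz*.jpg pattern from this campaign."""
    return (filename.lower().endswith(IMAGE_EXTENSIONS)
            and classify(data) == "Windows EXE")


def triage_downloads(downloads):
    """Summarise a {name: bytes} dict the way the diary lists its samples,
    adding the content-derived type and a mismatch flag for each entry."""
    rows = []
    for name, data in downloads.items():
        rows.append({
            "name": name,
            "bytes": len(data),
            "type": classify(data),
            "extension_mismatch": extension_lies(name, data),
        })
    return rows


def fake_pe(size=0x200):
    """Constructed PE header skeleton for the demonstration: MZ stub, e_lfanew
    pointing at 0x80, 'PE\\0\\0' there, zeros elsewhere.  Not a runnable program."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    sample = {"script.php_wndz1.jpg": fake_pe(),
              "banner.jpg": b"\xff\xd8\xff\xe0" + bytes(16)}
    for row in triage_downloads(sample):
        print(row)
```

On a proxy or sandbox the same check is the cheap win: alert when a response whose URL ends in an image extension carries a PE header, regardless of the Content-Type the server sent.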

Based on the callback traffic reported on the first sample, that file appears to be CryptoWall. I haven't had time to dig into the other two items.

Final words

The malspam and malware samples can be found here. My thanks to Chris, who emailed me about this most recent wave of malspam.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
[2] https://isc.sans.edu/forums/diary/Malicious+spam+with+zip+attachments+containing+js+files/20153/
[3] http://myonlinesecurity.co.uk/congratulations-your-order-has-been-shipped-out-parcel-441467-js-malware/
[4] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
