JavaScript-toting spam emails: What should you know and how to avoid them?


We have recently observed that spam campaigns are now using JavaScript attachments in addition to Office files. The purpose of the code is straightforward: it downloads and runs other malware.

Some of the JavaScript downloaders that we’ve seen are:

The same JavaScript downloaders are also responsible for spreading the following ransomware:

The spam email carries a .zip or .rar attachment that contains a malicious JavaScript file. The JavaScript attachment usually shows the icon below, which depends on the script host installed on the system. The file names are either related to the spam campaign's theme or completely random:

Figure 1: Examples of JavaScript attachments from spam email campaigns

Not your favorite Java

Just like a typical email campaign, the JavaScript-toting spam finds its way into your PC after a successful social engineering trick. Its bag of tricks includes attachment file names intentionally crafted to pique anyone's curiosity (finance-related subjects, etc.).

The JavaScript attachments are heavily obfuscated to evade antivirus detection. Each consists of a download-and-execute routine paired with one or two URLs that host the malware.

Figure 2: Sample code and URL

Figure 3: Another code sample

Figure 4: Another code sample

Figure 5: Another code sample

In some cases, the malicious JavaScript attachment is bundled with a dummy file to evade email rules.

Figure 6: An example of a JavaScript attachment and a dummy file

Figure 7: Another example of a JavaScript attachment and a dummy file

These URLs are mostly short-lived, but when the download succeeds, the malware (in this case Ransom:Win32/Locky) enters the system and proceeds with its destructive mission.

It is interesting to note that an Office attachment with malicious macros typically requires two or more clicks on the document before it runs: one click to open the document, and another to enable the macros.

The JavaScript attachments, on the other hand, take only one or two clicks to start executing.

It is uncommon, and quite suspicious, for anyone to send a legitimate application as a bare JavaScript file (a file with a .js or .jse extension) via email. Be wary of such attachments and do not click or open them.
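The attachment pattern described above (a .zip carrying a .js or .jse file, sometimes beside a dummy file, with a download-and-execute body hidden under obfuscation) can be triaged automatically at a mail gateway before anyone has the chance to click. The following Python script is an added example, not code from the MMPC post; the archive it inspects, the decoy file and the script body are all constructed for the demonstration, and the extension list and indicator tokens are assumptions about what Windows Script Host downloaders commonly contain, not a list taken from the post. It generalizes slightly beyond .js and .jse to the other extensions the same script host runs.

```python
"""Triage an in-memory .zip mail attachment for the JavaScript-downloader pattern.

Added example (not the MMPC post's own code). Sample data is constructed inline.
"""
import io
import re
import zipfile

# Extensions that Windows Script Host executes on double-click. The post names
# .js and .jse; .wsf, .vbs and .vbe are assumed additions for the same host.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}

# Tokens a download-and-execute script nearly always carries (assumed indicators;
# the post shows obfuscated samples in Figures 2-5 but lists no token set).
INDICATORS = (
    "ActiveXObject", "MSXML2.XMLHTTP", "ADODB.Stream", "WScript.Shell",
    "SaveToFile", ".Run(", "eval(", "unescape(", "String.fromCharCode",
)


def name_extension(name):
    """Final extension of an archive member name, lower-cased ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def has_double_extension(name):
    """True for names such as 'invoice.pdf.js' that disguise a script as a document."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in SCRIPT_EXTENSIONS


def script_indicators(source):
    """Return the download/execute indicator tokens present in a script body."""
    return [tok for tok in INDICATORS if tok in source]


def obfuscation_ratio(source):
    """Fraction of non-whitespace characters that are not letters, digits or '_'.
    Packed or obfuscated scripts score high; ordinary code scores low."""
    body = re.sub(r"\s+", "", source)
    if not body:
        return 0.0
    noisy = sum(1 for ch in body if not (ch.isalnum() or ch == "_"))
    return noisy / len(body)


def build_archive(members):
    """Build an in-memory .zip from {name: text}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def triage_archive(data):
    """Inspect a .zip attachment held in memory; return the verdict with its evidence."""
    scripts, findings = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for m in members:
            if name_extension(m.filename) not in SCRIPT_EXTENSIONS:
                continue
            source = zf.read(m.filename).decode("utf-8", errors="replace")
            scripts.append({
                "name": m.filename,
                "double_extension": has_double_extension(m.filename),
                "indicators": script_indicators(source),
                "obfuscation_ratio": round(obfuscation_ratio(source), 2),
            })
    if scripts:
        findings.append("script attachment")
    if scripts and len(members) > len(scripts):
        findings.append("script bundled with decoy file")   # the Figure 6/7 layout
    if any(s["double_extension"] for s in scripts):
        findings.append("double extension")
    if any(s["indicators"] for s in scripts):
        findings.append("download/execute indicators")
    return {
        "members": [m.filename for m in members],
        "scripts": scripts,
        "findings": findings,
        # Any script-host file arriving by mail is reason enough to quarantine.
        "block": bool(scripts),
    }


# Constructed sample mimicking Figures 6/7: a decoy text file beside a disguised
# .js file. The script body only carries indicator tokens; it has no URL and
# neither downloads nor writes anything.
SAMPLE_SCRIPT = (
    'var a=new ActiveXObject("MSXML2.XMLHTTP");'
    'var b=new ActiveXObject("ADODB.Stream");'
    'var c=unescape("%41");'
)
SAMPLE_ARCHIVE = build_archive({"DOC_7731.txt": "decoy", "invoice.pdf.js": SAMPLE_SCRIPT})
BENIGN_ARCHIVE = build_archive({"report.txt": "quarterly figures"})

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        print(label, triage_archive(data))
```

The verdict deliberately blocks on the presence of any script-host file rather than on the indicator score: the indicators and obfuscation ratio are there to explain the decision to an analyst, while the extension check alone is what stops a user from getting to the one-click execution the post warns about.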

Figure 8: A screenshot of how the JavaScript attachment gets executed.

Same stuff, new package

Email attachments have long been a common vector for spreading malware. In past months we have seen Office file attachments containing malicious macros. The code is simple and straightforward; its main objective is to download and execute other malware, such as password stealers, backdoors and ransomware.

The JavaScript-toting email spam is no different.

These malicious email attachments are distributed through spam campaigns. The campaigns draw on a range of social engineering themes that appeal to people's curiosity, enough for them to take action and click what shouldn't be clicked: finance-related subjects such as receipts, invoices and bank accounts, resumes, and shipment notifications.

Figure 9: A screenshot of a sample bank-related email spam.

Figure 10: A screenshot of a sample remittance-themed email spam.

Figure 11: A screenshot of a sample invoice-themed email spam.

Figure 12: A screenshot of a sample resume-themed email spam.

Figure 13: A screenshot of a shipment notification-themed email spam.

Figure 14: A screenshot of a sample debt case-themed email spam.

Mitigation and prevention

To avoid falling prey to the social engineering tricks of these JavaScript-toting emails:

See some of the related blogs and threat reports:


Alden Pornasdoro

MMPC

Comments (19)

  1. adwbust says:

    mmpc always says to keep windows up to date. but windows update is broken nowadays! it's been 4-5 hrs now and vista has yet to finish checking for updates! i last updated this in october of 2015! this windows update behavior is contrary to how to keep PCs safe! mmpc and the windows update team are clashing! how would someone be motivated to update if checking for updates takes hours! they should fix this! updating has been really a PITA, which it wasn't in the past. someone needs to get fired!!!

  2. adwbust says:

    I updated to 4.9.218.0 using offline installer/setup upgrade. I’m disappointed. During upgrade, I was asked to join Customer experience improvement program (ceip). I did. After install, I checked mse > about and I’m not joined to ceip. I try to join and got a uac prompt which I allowed. I checked again and still not joined to ceip!!! This bug was also present in 4.8! Still not fixed in 4.9!

    4.8 maps was set to advanced. After upgrade to 4.9, maps was re-set to basic. Tsk.

    That Administrator setting to detect/warn about pua/spy threats is out of place and should be labeled correctly. Transfer that to settings > advanced as warn and remove ad/pup/pua/spy threats option.

    I’m on windows 7 x64.

  3. adwbust says:

    what is this new PUA detection? detection based on publisher? wouldn't that make definitions redundant and cluttered? you have pua and bundler classification for prepscram. isn't potentially unwanted = adware/bundler/fakeapp/fakecleaner? isn't potentially unsafe = hacktools/POCs?

    when mse deems a pe file suspicious, it sends a copy to lab. but the important question is, if user runs it, does mse block it or at least prompt/warn user? mse is too passive and laid-back. it's like you suspect someone of being a robber but still let him enter your house.

  4. What if I do not have Advanced Threat Protection ?
    Are these kinds of threats detected by regular Office365 protection ?

  5. a says:

    If you want people to look at file extensions, you should stop hiding file extensions as default Windows behavior.

  6. adwbust says:

    hey mmpc, can you pls take a look at SubmissionId=09004f70-c23c-4632-84ce-0e0c6ba5c1bd description/additional info?

    there’s a flaw/bug in mse 4.9.218.0 real-time guard on vista x86. pls fix it!

    1. Lani Osi says:

      Count me to this one with the current and previous as of today’s – Win Def won’t run at all – it splutters!

  7. ThatGirl-007 says:

    running win 8.1/64 bit and cannot find anything about applocker- seems article was written for win 7. I do not understand this at ALL. Is there something more relevant to Win 8.1? That a general user could understand? My Admin tools does NOT have Applocker Group Policy or Group Policy Editor at all…

  8. on xp windows update installs security essentials which then can't download updates (tells you about an issue with the network connection), then you get the offline updater which says it's not a valid win32 executable???

    not that clever to make all those XP machines out there that have (or get) security essentials into zombie-targets that then attack other machines

  9. Java is not Javascript, why mix them in that section header caption?

  10. adwbust says:

    mse 4.9.218.0 quarantine management is crap. there’s only 1 entry for same detection in quarantine. what if several files were removed and they were identified as same threat? how would i restore? would all files be restored?! i only want 1 file restored. how to restore to a different/custom path?

  11. Lani Osi says:

    W T H? Now Win Def won’t run at all; in fact I have no viruses, Trojans or worms – going beyond all the way to possible skitties? What gives? Since the last two updates – it will not work anymore on Win 8.1 Pro!

  12. tomkatisere says:

    I dropped a java update in my pc on the 28/4/16 now I can't log into yahoo because another box flashes yellow with a js login run save or cancel can't shift it even though I've deleted all java out my pc HELP

  13. lee says:

    thanks

  14. ThatGirl-007 says:

    You do not even list the most recent WD Definition file- the most recent I received was 1.219.883.0, released on 5/5/16 AT 2:11AM. It reflects what is shown in Change Log (though that IS rare these days) and NOTHING SINCE. Roughly 24 hours since a definition release?? Windows Defender will not complete accurately on my Win8.1/x64 machine, though my Office 2010 is only the 32-bit version.
    Micro$oft, look at all the security issues unanswered and unresolved in the Community… YOU have let things run lazily for YEARS and now it has caught up with you, ME- i.e.; ALL of your PAID USERS. You do not even identify what Win version this “fix” is supposed to help protect. “FIX” posts show images that look very much like Win7, XP, or even Vista, BUT this is 2016 and I DO NOT have anything related to APPLOCKER on my Win8.1 system, then you go on to offer additional solutions for Win10- WTF are you doing??
    I would very much like to be constructive, but I find NO area in your offerings to support! Frustrated? You bet. While I know better than to click on a .js or .jse attachment in an email (now even .zip or .rar files), and have had Macros disabled in ALL of my Office Products for years, as this ceiling is caving in, your response seems very much like a fully armed guard at the door calmly stating, “get an umbrella, please.” Can’t get downloads of definition files, and can’t run Windows Defender effectively even if I could! If I try to download a new suite of Windows Defender -currently running 4.8.207.1- I get errors that indicate the mbam file is unsafe! Don’t want to run that on my very PROTECTION software! There needs to be a fix, in plain English, Windows version specific, that resolves these issues and those mentioned by others in similar posts here. Else hire some REAL professionals to step in and take over the lax attitude you have been pawning off on us Users for years. Someone who can offer more than an umbrella!

  15. imay says:

    thanks for sharing, like this your post.

  16. helen evans says:

    Remove or delete all java scripts downloaded on my Nokia Lumia 630 in uk

  17. Francis Kim says:

    A good spam filter/anti-virus software should do the trick here, am I missing something?

  18. BGC says:

    My domain is sending this virus, is there anything I can do to stop it?
