
Check Point Threat Alert: Ransomware Campaigns Using .JS Inside Archives

By Gil Sasson, Omer Shliva, Check Point Threat Intelligence & Research
Recently there has been a noticeable increase in the use of JavaScript files inside archives as a means of avoiding detection in ransomware campaigns. The campaigns, which distribute various ransomware payloads, generate thousands of spear phishing emails demanding payment within 48 hours. These phishing emails carry attached archive files (zip / rar) that contain malicious JavaScript code.
Description
- Check Point analysts have identified several spear-phishing campaigns which use JavaScript inside archive files.
- The email messages have typical subject lines (e.g., “recent bill” or “payment confirmation”) and similar content which differs only by the username of the addressee and the position/organization of the “sender.”
- The targeted users are encouraged to open the attached archive which contains a malicious JavaScript file.
- Once the victim opens the JavaScript file, an executable file is downloaded and executed, infecting the victim’s computer with ransomware.
- Some of the JavaScript files observed in a specific campaign were verified as downloading Locky payloads from hardcoded URLs.
- Many archive files (in some cases ZIP files are in fact disguised RAR archives) are intentionally truncated or corrupted, probably to disrupt protection mechanisms.
- Check Point’s IPS protections detect such truncated and corrupted archives as well.
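The indicators listed above (a .js entry inside a ZIP, a RAR disguised as a .zip, a truncated or corrupted archive) can be checked on an attachment before it is delivered. The following Python is an added example written for this page, not Check Point's detection logic; the sample attachments are constructed inline and the thresholds and labels are this example's own.

```python
import io
import zipfile

# Magic numbers identify the real container type, regardless of the extension
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"
EOCD_MAGIC = b"PK\x05\x06"  # ZIP end-of-central-directory record, at the tail


def inspect_attachment(filename: str, data: bytes) -> list:
    """Findings for one attachment: extension/type mismatch, truncation,
    and .js entries. The heuristics are this example's own, not a product's."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(RAR_MAGIC) and ext != "rar":
        findings.append("rar-disguised-as-" + (ext or "noext"))
    if data.startswith(ZIP_MAGIC):
        if EOCD_MAGIC not in data:
            # Central directory / EOCD record missing: the archive was cut short
            findings.append("truncated-zip")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    js = [n for n in zf.namelist() if n.lower().endswith(".js")]
                if js:
                    findings.append("js-inside-archive:" + ",".join(js))
            except zipfile.BadZipFile:
                findings.append("corrupt-zip")
    return findings


def build_samples() -> dict:
    """Constructed sample attachments for the demo (not real campaign files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zi = zipfile.ZipInfo("recent_bill.js", date_time=(2016, 1, 1, 0, 0, 0))
        zf.writestr(zi, "var u = 'http://example.invalid/'; // placeholder body")
    good = buf.getvalue()
    return {
        "recent_bill.zip": good,                  # intact ZIP carrying a .js file
        "payment_confirmation.zip": good[:-40],   # tail cut off, as in the campaign
        "invoice.zip": RAR_MAGIC + b"\x00" * 32,  # RAR bytes behind a .zip name
    }


def scan_samples() -> dict:
    return {name: inspect_attachment(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["clean"])
```

A mail gateway would run `inspect_attachment` on each attachment and quarantine anything that returns findings; RAR entry names are not parsed here, only the container mismatch is flagged.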
Check Point Protections
- Check Point IPS blade now includes the following protection, which identifies and blocks such mails:
  - Suspicious Mail Attachment Containing JavaScript Code: Mail attachments containing JavaScript code were observed as part of various phishing campaigns. A remote attacker could send e-mails including those files and convince users to manually trigger their execution. This would allow the malicious code to run and infect the target system.
- Check Point SandBlast protects against this attack when the "block zip content" feature is enabled.
Campaign Screenshots
- The screenshots below display all parts of a typical campaign, including:
  - Spear phishing mail
  - Zip file with .JS content
  - Similar JavaScript in a specific campaign
  - JavaScript attempting to avoid detection
  - Locky download URL
  - Logs of Check Point's IPS protection blocking a spear phishing campaign