Check Point Threat Alert: Ransomware Campaigns Using .JS Inside Archives
ByGil Sasson, Omer Shliva, Check Point Threat Intelligence & Research
Recently there is noticeable increase in using JavaScript files inside archives as a means to avoid detection in ransomware campaigns. The campaigns, which distribute various ransomware payloads, generate thousands of spear phishing emails with a demand for payment within 48 hours. These phishing emails include attached archive files (zip / rar) which contain malicious JavaScript code.
Description
- Check Point analysts have identified several spear-phishing campaigns which use JavaScript inside archive files.
- The email messages have typical subject lines (e.g., “recent bill” or “payment confirmation”) and similar content which differs only by the username of the addressee and the position/organization of the “sender.”
- The targeted users are encouraged to open the attached archive which contains a malicious JavaScript file.
- Once the victim opens the JavaScript file, an executable file is downloaded and executed, infecting the victim’s computer with ransomware.
- Some of the JavaScript files observed in a specific campaign were verified as downloading Locky payloads from hardcoded URLs.
- Many archive files (in some cases ZIP files are in fact disguised RAR archives) are intentionally truncated or corrupted, probably to disrupt protection mechanisms.
- Check Point’s IPS protections detect such truncated and corrupted archives as well.
Check Point Protections
- Check Point IPS blade now includes the following protection which identifies and blocks such mails:
- Check Point SandBlast protects against this attack by enabling the block zip content feature
- Suspicious Mail Attachment Containing JavaScript Code
- Mail attachments containing JavaScript code were observed as part of various phishing campaigns. A remote attacker could send e-mails including those files and convince users to manually trigger their execution. This would allow the malicious code to run and infect the target system.
Campaign Screenshots
- The screenshots below display all parts of a typical campaign including:
- Spear Phishing Mail
- Zip file with .JS content
- Similar JavaScript in a specific campaign
- JavaScript attempt to avoid detections
- Locky download URL
- Logs of Check Point’s IPS Protection block a spear phishing campaign
You may also like
The Exploitation of Gaming Engines: A New Dimension in Cybercrime
Executive Summary Check Point Research discovered a new technique using ...
Navigating the Evolving Threat Landscape Ahead of Black Friday
As Thanksgiving and Black Friday approach, so do the risks ...
Spotlight on Iranian Cyber Group Emennet Pasargad’s Malware
Executive Summary On October 21, 2024, multiple emails impersonating the ...
Hamas-linked Threat Group Expands Espionage and Destructive Operations
Check Point Research has been monitoring the ongoing activities of ...