Recently there is noticeable increase in using JavaScript files inside archives as a means to avoid detection in ransomware campaigns. The campaigns, which distribute various ransomware payloads, generate thousands of spear phishing emails with a demand for payment within 48 hours. These phishing emails include attached archive files (zip / rar) which contain malicious JavaScript code.
Description
- Check Point analysts have identified several spear-phishing campaigns which use JavaScript inside archive files.
- The email messages have typical subject lines (e.g., “recent bill” or “payment confirmation”) and similar content which differs only by the username of the addressee and the position/organization of the “sender.”
- The targeted users are encouraged to open the attached archive which contains a malicious JavaScript file.
- Once the victim opens the JavaScript file, an executable file is downloaded and executed, infecting the victim’s computer with ransomware.
- Some of the JavaScript files observed in a specific campaign were verified as downloading Locky payloads from hardcoded URLs.
- Many archive files (in some cases ZIP files are in fact disguised RAR archives) are intentionally truncated or corrupted, probably to disrupt protection mechanisms.
- Check Point’s IPS protections detect such truncated and corrupted archives as well.
Check Point Protections
- Check Point IPS blade now includes the following protection which identifies and blocks such mails:
- Check Point SandBlast protects against this attack by enabling the block zip content feature
- Suspicious Mail Attachment Containing JavaScript Code
- Mail attachments containing JavaScript code were observed as part of various phishing campaigns. A remote attacker could send e-mails including those files and convince users to manually trigger their execution. This would allow the malicious code to run and infect the target system.
Campaign Screenshots
- The screenshots below display all parts of a typical campaign including:
- Spear Phishing Mail
- Zip file with .JS content
- Similar JavaScript in a specific campaign
- JavaScript attempt to avoid detections
- Locky download URL
- Logs of Check Point’s IPS Protection block a spear phishing campaign