Spam with Obfuscated Javascript
We all receive spam of all kind, some with malicious URL and other with strange files attachments. This week we have been receiving several java scripts as email attachments and most of them with malicious intent. I picked one of the many files received and (after unzipping the file twice) checked the MD5 hash in Virustotal, this file was never submitted. The script is well obfuscated but after submitting the sample to Virustotal, it shows this javascript as JS/Nemucod and is used to download ransomware and information stealing malware.
5042.js Javascript Partial Snapshot
Using this javascript beautifier[5], it help make some sense of what this script is attempting to do. It is now much easier read the script and see the variables:
Some ways to protect against malicious email attachments:
- First step is to verify what your organization allows through the enterprise anti-malware gateway
- Delete or report to the security team any attachments which contains .exe but there are other files that can be malicious such as .bat, .cmd, .com, .cpl, .hta, .jar, .js, .msi, .pif, .reg. This list is not exhaustive
- Office or PDF documents received from unknown senders, they could contain malware
- Fake extensions or "double extensions" (i.e. .exe.jpg)
Last, obviously, nothing is foolproof, if unsure ask your security team to check the file.
[1] https://www.virustotal.com/en/file/1f7b32e6db703817cab6c2f7cb8874d17af9d707ce17579dc30aee2cdadf082f/analysis/1472406596/
[2] d4f9a9841d0b369dfe1a9a7f2f71a14e crlxa15dd4e.zip
[2] d1c5211c76b35b1bbc1b51b36a34228d 5042.zip
[3] 8f690b5b5e2be8d242bf48dad4e2038e 5042.js
[4] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=JS/Nemucod
[5] http://jsbeautifier.org/
[6] https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago