JavaScript Malware Gets a New Look

Since at least December 2015, JavaScript has been a popular attack method for email malware. The most common distribution method was as a heavily obfuscated JavaScript file inside of a ZIP file and outbreaks of this sort peaked during spring and early summer of 2016. Recently this sort of attack has subsided greatly and older-style Microsoft Word documents (OLE-encoded) with macros have seemed to become the preferred delivery method of email-based malware.

Recently, however, some malware samples were brought to my attention that were quite unique and yet all-too-familiar upon analysis. They were the newer OOXML version of Microsoft Word documents (commonly seen with the docx file extension, as they were in this case). As this file type is basically a ZIP file containing various other files, including XML as the type suggests, it was easy to extract the files and take a look. To my surprise, no macros were present in the document. In fact, the only noteworthy files were two OLE-encoded files which are most commonly used for embedding content from a different Microsoft Office application, such as a chart from an Excel spreadsheet. Using a common tool for analyzing OLE files on the first and larger of the two files led to an interesting find: something very reminiscent of our old friend, JavaScript.

From here I was able to dump the particular file from its OLE container and strip out the extra metadata to take a look at the payload, which was in fact more heavily-obfuscated JavaScript code.

(Click here for a larger version of this image)After a bit of work de-obfuscating the code I was able to take a look at the payload, which was a standard downloader Trojan leveraging WScript to download the primary payload to a temporary file and execute it. Unfortunately the primary payload was already unreachable, but Trojans of this sort can and do deploy all sorts of different payloads from viruses and worms to ransomware .

The JavaScript payload itself was hidden in an OLE object with a PDF icon, implying that double-clicking the icon will download a PDF. Instead, this opens a prompt to execute the JavaScript, which will infect the user’s computer when run (assuming the user is running Windows). The script even seems to have a safeguard in case the necessary WScript feature is allowed to execute an improper command, possibly an attempt to circumvent some of the malware analysis engines out there that may be more forgiving in what code they will allow to be executed since errors may prevent as much behavior as possible from being captured.

There are few things make this particular malware unique and more dangerous than many others currently being distributed. First, while still the same JavaScript payload, the use of more reputable Microsoft Word documents (because let’s face it, who really sends around compressed JavaScript files) makes for a file that will seem a lot more “safe” to many users. The lack of macros also adds to this false sense of security since macros are the most common and well-known form of malware within Microsoft Office files. Finally, since this file requires user interaction to execute the malicious payload, many of the advanced threat solutions out there such as sandboxing may likely miss the threat.

The use of Word documents and lack of macros make this malware unique and more dangerous than others that are out there today.Click To Tweet

Fortunately for Barracuda Essentials for Email Security and Barracuda Essentials for Office 365 users, Barracuda’s Advanced Threat Detection is able to detect this threat, which may become a widely used attack in the near future given its potential for evading detection. While using social engineering to get users to execute malware is always a gamble on the author’s part, in the case of email, just getting the file onto a user’s computer is likely enough to greatly increase the odds that they will also execute it. Additionally, many macro-based malware already count on this by requiring user action to run the macro in exchange for decreased detection by antivirus solutions looking for auto-executing macros.

Jonathan Tanner is a Software Engineer in our Campbell office. Connect with him on LinkedIn here.