Proofpoint security researchers have been tracking a campaign that uses malicious JavaScript attachments. Their observations suggest that volumes of malicious email not seen before have been sent in this campaign, perhaps involving hundreds of millions of messages.
Unfamiliar .js files provide a workaround
So the question is: why use .js attachments? The answer is simple: users are continually warned not to open doubtful .exe attachments, with good reason. This is simply a new way to distribute malware as a workaround for heightened user awareness. JavaScript has only been used occasionally in the past for this purpose, so it provides a new vector for attackers to exploit. Obfuscation of the script, compression and the renaming of extensions also add to the trickery.
Present JavaScript campaign dwarfs other mal-attachments
Brian Burns of Proofpoint explains: “Users have been trained to not click .exe attachments, but many may not know what a “js” file is, or that it can be just as dangerous. The icon looks like a document which is somewhat confusing. In other cases, the attachments have their extension renamed to look like a legitimate file type, even though Windows correctly executes the JavaScript...” The figures collected by Proofpoint show that, at their peaks, malicious JavaScript messages outnumber all other malware attachments by 4 to 8 times.
JavaScript – an ace in the hole for the criminals?
Proofpoint states that these are the largest campaigns it has seen in recent years, and that they must employ large-scale botnets to work. Although these networks are global, the company observes the majority of traffic as originating in Vietnam and India, based on the IP addresses from which the malware was sent. JavaScript attachments have been used in a small number of banking and ransomware attacks: the Dridex banking trojan, and TeslaCrypt and CryptoWall. These, however, were very specifically targeted attacks, suggesting that malware developers have been keeping this method in reserve as an ace in the hole.
The big concern
The security company's main concerns are, firstly, that this massive (perhaps unprecedented) campaign maximizes the criminals’ chances of finding poorly informed staff and infiltrating under-secured networks. This is reinforced by the fact that JavaScript does not (like .exe files) automatically produce a malicious-macro warning for the user. The other big problem is that these attachments are self-executing and do not require the extra click to enable them.
In light of this massive new launch, it’s important to use the best security solutions available for threat detection, and vital to get the word out to staff of companies and organizations that Word is not the only delivery method for malware. It’s worth remembering that any language can be used: either to write a love-letter – or to curse!
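As an added example (not Proofpoint's code and not part of the original article), here is a mail-gateway check that flags script attachments, including ones hidden by compression inside a zip archive, where a filename-only filter would miss them. Only .js is named in the article; the other extensions, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Only .js comes from the article; the other Windows Script Host
# extensions are an assumption added for this example.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}

def is_script(name):
    # Only the final extension counts, so "invoice.doc.js" is still a script.
    return os.path.splitext(name.lower())[1] in SCRIPT_EXTS

def scan_message(raw):
    """Return (attachment name, reason) for script files, direct or zipped."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_script(name):
            findings.append((name, "script attachment"))
        # Trust the zip magic bytes rather than the declared file name.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if is_script(member):
                            findings.append((name, "zip contains " + member))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip"))
    return findings

def build_sample():
    """Constructed sample: a zipped placeholder .js and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.doc.js", "// constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```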