Newly Found Interfax Themed JavaScript Malspam

By Steven Weinstein

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a malspam campaign attempting to convince users they had received an incoming Internet fax. The attached fax “document” is actually a malicious obfuscated JavaScript file (MD5: 2EAC091DA007E486ADC524DDEC858D90) acting as a downloader for additional malware. Below is the content of the email:

Simply double clicking the JavaScript file is enough to set off the infection chain. Below is a screenshot of the obfuscated JavaScript:


After simple deobfuscation:


As we can see in the deobfuscated JavaScript above, an ActiveX stream is created to store the downloaded contents from three possible payload locations. The script will try each payload location in the list until a successful download. In our case, those locations were:

hxxp://laurenszedlak[.]com/counter/?id=55515D5E070B0A10050710111724091D07050A0D0A01140116020B1609050A07014A070B095E305E0108070B0A0005000B000108030B08024A070B095E17555E555050515D55515250515E55&rnd=5588561
hxxp://weborizeit[.]com/counter/?id=55515D5E070B0A10050710111724091D07050A0D0A01140116020B1609050A07014A070B095E305E0108070B0A0005000B000108030B08024A070B095E17555E555050515D55515250515E55&rnd=5588562
hxxp://abama[.]org/counter/?id=55515D5E070B0A10050710111724091D07050A0D0A01140116020B1609050A07014A070B095E305E0108070B0A0005000B000108030B08024A070B095E17555E555050515D55515250515E55&rnd=5588563

It is believed that the attackers randomize the attachment filenames and the digits in the rnd parameter of the payload URI so that each victim receives a unique JavaScript file, which evades traditional hash-based signature detection.

The first payload location was no longer serving malware, but the second and third locations were actively distributing malware at the time of this writing: DB8BCD3EA3F538BA8E685DB017C9417E (16/56 on VirusTotal) and 2EED0E65AE1FCA2E9C0D3902211AC832 (5/56 on VirusTotal) respectively.

If a download succeeds, the PE (portable executable) file is written to the %TEMP% directory as 8949702.exe or 8949703.exe (the payload that could not be retrieved would have been 8949701.exe) and then executed.

Upon execution of 2EED0E65AE1FCA2E9C0D3902211AC832, the following network indicators were observed:

pomppondy[.]net (5.230.4[.]28:80)
POST /gate/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pomppondy[.]net
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Length: 8

i4uvsr74mnm8a.ddns.net (54.148.180[.]204:80)
GET /verify HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: i4uvsr74mnm8a.ddns[.]net
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
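The two stages above (the /counter/?id=…&rnd=… payload fetch and the /gate/ and /verify C2 requests) are distinctive enough to match in proxy logs without relying on the hosts, which the post says rotate. The following is an added detection example written for this post; it is not LookingGlass code. It assumes a simple hypothetical proxy log format (client IP, method, host, server IP, URI, quoted User-Agent per line) and uses a constructed sample log; the indicator values themselves are the ones listed in the post with the defanging brackets removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the post, with the defanging brackets removed so they
# compare equal to what a proxy log would actually record.
IOC_HOSTS = {
    "laurenszedlak.com", "weborizeit.com", "abama.org",   # payload hosts
    "pomppondy.net", "i4uvsr74mnm8a.ddns.net",            # C2 hosts
}
IOC_IPS = {"5.230.4.28", "54.148.180.204"}

# Stage 1: payload fetch, /counter/?id=<long hex blob>&rnd=<digits>
PAYLOAD_URI = re.compile(r"^/counter/\?id=[0-9A-Fa-f]{32,}&rnd=\d+$")

# Stage 2: C2 traffic, POST /gate/ or GET /verify with the observed User-Agent
C2_USER_AGENT = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
C2_REQUESTS = {("POST", "/gate/"), ("GET", "/verify")}

# Hypothetical proxy log format assumed for this example:
#   <client_ip> <method> <host> <server_ip> <uri> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Finding:
    line_no: int
    client_ip: str
    host: str
    reason: str


def classify(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing matched."""
    m = LOG_LINE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    client_ip, method, host, server_ip, uri, user_agent = m.groups()
    # Pattern checks come first: they catch rotated infrastructure (new hosts,
    # new rnd= values) that a plain indicator list would miss.
    if PAYLOAD_URI.match(uri):
        return Finding(line_no, client_ip, host, "payload-download URI pattern")
    if (method, uri) in C2_REQUESTS and user_agent == C2_USER_AGENT:
        return Finding(line_no, client_ip, host, "C2 request pattern")
    if host in IOC_HOSTS or server_ip in IOC_IPS:
        return Finding(line_no, client_ip, host, "known indicator")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Classify every line; line numbers are 1-based."""
    return [f for f in (classify(i, l) for i, l in enumerate(lines, 1)) if f]


# Constructed sample log (not real traffic). The rnd= value is one from the post;
# the id= blob is a constructed 40-hex-digit stand-in for the much longer real one.
SAMPLE_LOG = [
    '10.0.0.5 GET weborizeit.com 203.0.113.10 /counter/?id=55515D5E070B0A10050710111724091D07050A0D&rnd=5588562 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '10.0.0.5 POST pomppondy.net 5.230.4.28 /gate/ "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"',
    '10.0.0.7 GET www.example.com 93.184.216.34 /index.html "Mozilla/5.0 (Windows NT 10.0; rv:40.0) Gecko/20100101 Firefox/40.0"',
    '10.0.0.9 GET updates.example.net 54.148.180.204 /verify "curl/7.43.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} -> {f.host}: {f.reason}")
```

The fourth sample line shows why the indicator list is kept as a last resort rather than dropped: the User-Agent does not match the C2 pattern, but the server IP is still one the post associates with C&C activity, so the request is surfaced anyway.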

DNS requests for the following Dynamic DNS domains were also observed (none resolved):

1pgrefelmhixi4ijyfg.ddns[.]net
qbe83twp3b3jar1.ddns[.]net
sdodkh7dylovonq.ddns[.]net
ifmvy0charw6aba8ovat72w.ddns[.]net
o4khgtk27hmnwfm.ddns[.]net
1doxk05ny21dqlu.ddns[.]net
e0e034srifsv7jwnclylyxe.ddns[.]net
i634e65hqxk2gbw.ddns[.]net
q4a0etg4k6cx3fq.ddns[.]net
sbgvq85tw836cfejyd1.ddns[.]net
mn3pi2cdoryj3r5.ddns[.]net
cxkteleve2spunchyf7tmjc.ddns[.]net
sjq8ojkx36w2a6krs8ivyhc.ddns[.]net
3nujqvw0mdon5hsfs8i.ddns[.]net
3ns6mhelydmha2gd1d7.ddns[.]net
qteps4mpw4a63rsvgdm.ddns[.]net
gju2ypspmtqjy4sp16e.ddns[.]net
qtu8stcvs2a0qbypsn1n70q.ddns[.]net
c2m07n3pofm6w2m.ddns[.]net
gn14mjwdursvcdkvq4g.ddns[.]net
q63hclotct7bm6enoto.ddns[.]net
ax74it3delixkxk8c8a8cb3.ddns[.]net
a010g0s05fa0c6g.ddns[.]net
utgbufmrsfsrsradmfq.ddns[.]net
74il3nubmhkf50w.ddns[.]net
orkna8k6adwn1ru8qx7xal3.ddns[.]net
w4kjef7v7bu6etgdcd1b3tu.ddns[.]net
kxo6ejyfepo6irs.ddns[.]net
etclq8ytufmpcrabs25vi6m.ddns[.]net
i4uvsr74mnm8a.ddns[.]net
56afktq0k8mns2701r7.ddns[.]net
kdoda0k0s6y85hy.ddns[.]net
i05pe0w0ilmhe2kdg8a.ddns[.]net
exqf143fu6g0iduhi6u.ddns[.]net
ynw230a4k0oj5xo61tm.ddns[.]net
ixalu2klwdupk0er7fg.ddns[.]net
14otktqt5dmnet3bgbm.ddns[.]net
wbkr7nobe650c4kdghuv7lk.ddns[.]net
mjaf5ty2mbk47vs2afy.ddns[.]net
76qbuvwh5bmr7peni4e.ddns[.]net
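The dynamic DNS names above share a shape (a long, random-looking, lower-case alphanumeric label on a free dynamic-DNS suffix) that a DNS-log triage script can pick out even when the individual names are new. The following heuristic is an added example written for this post, not LookingGlass tooling; it assumes ddns.net is the only suffix of interest (a real deployment would load a fuller provider list) and uses thresholds chosen by hand from the 40 names in the post, run here over a constructed sample of five of those names plus three benign-looking ones.

```python
import math
from collections import Counter
from typing import List

# Assumption for this example: the only dynamic-DNS suffix of interest is the one
# seen in the post; a real deployment would load a fuller provider list.
DYNDNS_SUFFIXES = ("ddns.net",)

# Hand-chosen from the 40 names in the post: the shortest label is 13 characters,
# every label is lower-case alphanumeric, and none has entropy below ~2.8 bits/char.
MIN_LABEL_LEN = 13
MIN_ENTROPY = 2.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dyndns_label(qname: str) -> str:
    """Return the part left of a known dynamic-DNS suffix, or '' if qname is not one."""
    q = qname.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if q.endswith("." + suffix):
            return q[: -len(suffix) - 1]
    return ""


def looks_generated(label: str) -> bool:
    """Long, purely alphanumeric, high-entropy labels are the ones seen in this campaign."""
    return (
        len(label) >= MIN_LABEL_LEN
        and label.isascii()
        and label.isalnum()
        and shannon_entropy(label) >= MIN_ENTROPY
    )


def suspicious_ddns_queries(qnames: List[str]) -> List[str]:
    """Names that are dynamic-DNS hosts whose left-most label looks machine-generated."""
    return [q for q in qnames if looks_generated(dyndns_label(q))]


# Constructed sample: five names from the post plus three benign-looking names.
SAMPLE_QUERIES = [
    "1pgrefelmhixi4ijyfg.ddns.net",
    "a010g0s05fa0c6g.ddns.net",
    "utgbufmrsfsrsradmfq.ddns.net",
    "i4uvsr74mnm8a.ddns.net",
    "qtu8stcvs2a0qbypsn1n70q.ddns.net",
    "officecam.ddns.net",      # short, human-chosen label
    "home-nas-2015.ddns.net",  # hyphenated, so the alphanumeric check rejects it
    "www.example.com",         # not a dynamic-DNS name at all
]

if __name__ == "__main__":
    for q in suspicious_ddns_queries(SAMPLE_QUERIES):
        print(f"{q}: label entropy {shannon_entropy(dyndns_label(q)):.2f}")
```

This is a triage filter, not a verdict: a legitimately chosen long label such as "familyserver2015" would also pass, so hits are best correlated with the other indicators in the post (the /verify request, the C2 IPs) before blocking.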

Full behavioral analysis of the file can be seen at the link below:
https://www.hybrid-analysis.com/sample/ce925e53628cbd2ae02ad3170be25433e19ad49270ad60ed49e3244901037dc0?environmentId=4

Malspam campaigns using malicious JavaScript attachments are fairly common. The LookingGlass CTIG last observed a campaign of this nature in late June and early July 2015, when malicious JavaScript was attached to a FedEx-themed campaign. The JavaScript in that instance also used ActiveX streams and similar code and obfuscation techniques.

Additionally, LookingGlass ScoutVision has observed 54.148.180[.]204 intermittently acting as a C&C server as early as August 10, 2015, and 5.230.4[.]28 also as a C&C as early as October 16th, which is the same date that DNS requests for pomppondy[.]net were first observed.

Recommended Action: LookingGlass recommends blocking all of the above domains and IP addresses.
