
I'm a Linux guy trying to understand how a Windows machine got infected with ransomware. The victim got a phishing mail with a zipfile; the zipfile contains an obfuscated JavaScript file, and the script appears to download a malicious executable using MSXML2.XMLHTTP and then somehow transfers control to it with WScript.Shell.

My question is how this could work without the user seeing any alerts or confirmation boxes (maybe he did and clicked past them). Would it only work in Internet Explorer, or only on an unpatched machine, or is it a more general attack that would also work in Firefox or Chrome?

The JavaScript code is at http://andrew.triumf.ca/invoice_scan_A0FPqn.js.txt . From my attempts to understand it with "node debug", the malware URLs are now offline, but it did work on Feb 25 and did infect a machine with TeslaCrypt.

  • I only have a partial packet capture, so I don't have the full download. It was probably as per https://www.urlquery.net/report.php?id=1456545907161 from 173.82.74.197 – Andrew Daviel Feb 28 '16 at 06:43

1 Answer


This is work in progress, but here's what I've found.

It relies on WScript, which probably gives it access to much lower-level components, so it's possible to actually run a file. See this from Wikipedia:

Windows applications and processes may be automated using a script in Windows Script Host. Viruses and malware could be written to exploit this ability. Thus, some suggest disabling it for security reasons.[6] Alternatively, antivirus programs may offer features to control .vbs and other scripts which run in the WSH environment.

The script opens files from two different URLs (possibly the same file, the other URL serving only as a backup), and WScript then takes over and runs the files, infecting the machine (see below). The files are now unavailable, as you said (I've still omitted the full URLs), so I cannot reverse-engineer them, but if you have a copy somewhere, I'd like to take a look some time. Anyway, these are the WScript calls I've found:

  • CreateObject WScript.Shell
  • CreateObject MSXML2.XMLHTTP
  • CreateObject ADODB.Stream

The last one reads the binary from the URL as a stream and this line:

petulantWGq[bestowIgX([ 189, 171, 187, 128 ])](commissionE3a + Math.pow(2, 22));

calls the Exec method of the WScript object, which executes the file from the %TEMP% (environment variable) directory.

Finally, since it uses WScript, it uses ActiveX, which definitely means Internet Explorer, but it can be enabled in other browsers, so I guess pretty much any standard Windows system without proper anti-malware software could be exploited with it.

Shomz
  • Be careful with posting those links, even though they go nowhere _today_ – Ryan Feb 27 '16 at 21:56
  • @self, you think I should remove them completely? – Shomz Feb 27 '16 at 21:58
  • @approxiblue, thank you, I'll just remove the URLs since they're not relevant, especially if masked. – Shomz Feb 27 '16 at 22:36
  • Thanks. Would the user have had to click past anything, or just double-click the "document" in the zipfile ? From my point of view, as a Linux user and a computer security officer, enabling this kind of thing in a standard internet-facing configuration seems like madness. – Andrew Daviel Feb 28 '16 at 06:47
  • You're welcome. I'm also a Linux guy and I'm not 100% sure about the following, but if I remember correctly it might be even worse: maybe even a single click in the browser would trigger this! It's because the script gets shell access via ActiveX on low IE settings. Definitely madness, see this: http://stackoverflow.com/questions/14044561/is-it-possible-to-run-the-vbscript-file-vbs-from-the-browser (it's VBScript, not WScript, but it's exactly the same concept) – Shomz Feb 28 '16 at 12:41
  • I'll actually try to recreate this when I get a chance. It made me curious, I just can't believe they made it THAT insecure. – Shomz Feb 28 '16 at 12:42
  • 1
    I've tried to recreate it in Vista in a VM. Double-clicking the js file causes IE to download 80.exe with no user prompts. I edited the hosts file to go to my server and download a copy of "calc.exe". But nothing happens - it doesn't seem to run, and I don't see it in %TEMP%. I can get the examples to run in IE from the page you quoted - with IE security set to "low" in "trusted sites" and still get a prompt. See my comment on the original question re. "80.exe" – Andrew Daviel Feb 29 '16 at 08:55