Andrew Daviel

Reputation: 29

How does this javascript/WScript launcher work?

I'm a Linux guy trying to understand how a Windows machine got infected with ransomware. The victim got a phishing mail with a zipfile, the zipfile contains an obfuscated javascript, the script appears to download a malicious executable using MSXML2.XMLHTTP and then somehow transfers control to it with WScript.Shell.

My question is how could this work without the user seeing any alerts or confirmation boxes (maybe he did and clicked past). Would it only work in Internet Explorer, or only on an unpatched machine, or is it a more general attack that would work in Firefox or Chrome?

The javascript code is at http://andrew.triumf.ca/invoice_scan_A0FPqn.js.txt. From my attempts to understand it with "node debug", the malware URLs are now offline, but it did work on Feb 25 and did infect a machine with TeslaCrypt.

Upvotes: 1

Views: 912

Answers (1)

Shomz

Reputation: 37711

This is work in progress, but here's what I've found.

It relies on WScript which probably gives it access to much lower components, so it's possible to actually run a file. See this from Wikipedia:

Windows applications and processes may be automated using a script in Windows Script Host. Viruses and malware could be written to exploit this ability. Thus, some suggest disabling it for security reasons. Alternatively, antivirus programs may offer features to control .vbs and other scripts which run in the WSH environment.

The script opens files from two different URLs (possibly the same file, the other URL serving as a backup only) and WScript takes over then and runs the files, infecting the machine (see below). The files are now unavailable as you said (I've still omitted the full URLs), so I cannot reverse-engineer them, but if you have a copy somewhere, I'd like to take a look some time. Anyway, these are the WScript calls I've found:

  • CreateObject WScript.Shell
  • CreateObject MSXML2.XMLHTTP
  • CreateObject ADODB.Stream

The last one reads the binary from the URL as a stream and this line:

petulantWGq[bestowIgX([ 189, 171, 187, 128 ])](commissionE3a + Math.pow(2, 22));

calls the Exec method of the WScript object, which executes the file from the %TEMP% (environment variable) directory.

Finally, since it uses WScript, it uses ActiveX, which means definitely Internet Explorer, but it can be enabled in other browsers so I guess pretty much any standard Windows system without proper anti-malware software could be exploited with it.

Upvotes: 1
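As an added illustration (not from the question or the answer above, and not the invoice_scan script itself), here is a small static triage scanner for the download/drop/exec chain the answer describes: it looks for the three COM ProgIDs, the %TEMP% drop location and the WScript.Shell Exec/Run call, and it resolves literal String.fromCharCode(...) method names so a hidden "Exec" still shows up. The sample scripts it runs on are constructed fragments; the scanner's own custom decoder in the real script (bestowIgX) is not modelled, only flagged via the obfuscation heuristic.

```python
import re

# Indicators of the chain the answer describes: the three COM ProgIDs, the %TEMP%
# drop location and the WScript.Shell Exec/Run call. A char-code heuristic flags the
# kind of string hiding seen in the invoice script (method names built from arrays).
COM_PROGIDS = ("WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream")
PATTERNS = {
    "com_create": re.compile(r"\b(?:ActiveXObject|CreateObject)\s*\(", re.I),
    "temp_dir": re.compile(r"%TEMP%|GetSpecialFolder\s*\(\s*2\s*\)", re.I),
    "shell_exec": re.compile(r"\.\s*(?:Exec|Run)\s*\(", re.I),
    "stream_write": re.compile(r"\.\s*SaveToFile\s*\(", re.I),
    "obfuscation": re.compile(r"String\.fromCharCode|\[\s*\d+(?:\s*,\s*\d+){3,}\s*\]"),
}
CHAIN = {"com:MSXML2.XMLHTTP", "com:ADODB.Stream", "com:WScript.Shell", "shell_exec"}

def decode_charcodes(text):
    """Turn literal String.fromCharCode(n, n, ...) calls into quoted strings, then
    rewrite obj["Name"](...) into obj.Name(...) so the method patterns can see them.
    Custom decoders (like the invoice script's own) are not handled here."""
    def repl(m):
        return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'
    text = re.sub(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)", repl, text)
    return re.sub(r'\[\s*"([A-Za-z_]\w*)"\s*\]', r".\1", text)

def scan_script(text):
    """Return the indicators that fire and whether the full chain is present."""
    decoded = decode_charcodes(text)
    hits = {name for name, pat in PATTERNS.items() if pat.search(decoded)}
    if PATTERNS["obfuscation"].search(text):  # judge obfuscation on the original text
        hits.add("obfuscation")
    hits |= {"com:" + p for p in COM_PROGIDS if p.lower() in decoded.lower()}
    return {"indicators": sorted(hits), "dropper_chain": CHAIN <= hits}

# Constructed sample fragments (not the real invoice_scan script): a suspect script
# with the chain and a hidden method name, and a benign logon script for comparison.
SUSPECT_SAMPLE = r'''
var http = new ActiveXObject("MSXML2.XMLHTTP");
var stream = new ActiveXObject("ADODB.Stream");
var shell = WScript.CreateObject("WScript.Shell");
var dropPath = shell.ExpandEnvironmentStrings("%TEMP%") + "\\update.exe";
shell[String.fromCharCode(69, 120, 101, 99)](dropPath);
'''
BENIGN_SAMPLE = r'''
var shell = WScript.CreateObject("WScript.Shell");
WScript.Echo(shell.ExpandEnvironmentStrings("%USERNAME%"));
'''

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(sample))
```

A script that hides the ProgIDs themselves (not just method names) behind its own decoder will only raise the obfuscation flag here, which is the cue to run it under a sandboxed WSH or a logging WScript host rather than trust the static result.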
