Ransomware that’s 100% pure JavaScript, no download required

Aug 24, 2016

An intriguing new ransomware sample dubbed RAA

Here’s why.
Ransomware, like any sort of malware, can get into your organisation in many different ways: buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.
But email attachments seem to work best for the cybercrooks, with fake invoices and made-up court cases amongst the topics used by the criminals to make you think you’d better open the attachment, just in case.

In 2015, most ransomware arrived in Word documents containing what are known as macros: script programs that can be embedded in documents to adapt their content in real time, usually as part of your company’s workflow.
The problem with macros, however, is that they aren’t limited to adapting and modifying just the document that contains them.
Macros can be full-blown programs as powerful as any standalone application, and they can not only read and write files on your C: drive and your local network, but also download and run other files from the internet.

In other words, once you authorise a macro to run, you effectively authorise it to install and launch any other software it likes, including malware, without popping up any further warnings or download dialogs.

You can see why cybercrooks love macros!

Fortunately, macros are turned off by default, so the crooks have to convince you to turn them back on after you open their malicious documents.

The switch to JavaScript

By the start of 2016, many crooks were steadily shifting their infection strategy as the world began to realise that enabling macros was a really bad idea.

These days, a lot of ransomware arrives in JavaScript attachments.

In case you’re wondering why anyone would open a .JS file that was pretending to be a document, remember that:
• Windows doesn’t show file extensions by default. So a file called Invoice.txt.js shows up as the altogether more believable Invoice.txt.
• Windows uses ambiguous imagery to denote .JS files. Scripts appear with an icon looking like a scroll of parchment, making them look like documents instead of programs. (See below.)

Usually, the malicious JavaScript connects to a download server, fetches the actual ransomware in the form of a Windows program (an .EXE file), and launches it to complete the infection.

That’s not all

Most ransomware attacks we’ve seen in the last few years have started by scrambling your files, and finished by unscrambling your files once you’ve paid up.
In other words, the cybercrime component was all about squeezing you to pay the ransom, with the ransomware aspect essentially being the beginning and the end of the crime. After decrypting your files and making sure that the ransomware program has been removed so it can’t accidentally strike again, the theory is that you’re back where you were before the attack started.

But JS/Ransom-DDL is interestingly different, because it deliberately installs a secondary malware infection: a password stealer blocked by Sophos products as Troj/Fareit-AWR.

This Fareit infection isn’t downloaded; instead it is encoded using base64 into a JavaScript string that is stored inside the ransomware file, and installed as a parting gift by the ransomware.
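Because the second-stage program travels inside the script as a base64 string rather than as a download, a defender can look for it statically. The following is an added example, not code from the original article or from Sophos: a Python triage check that finds long base64 string literals in a script and reports those that decode to a Windows program (PE) header. The function names, the 256-character threshold and the sample input are assumptions made for illustration.

```python
import base64
import binascii
import re
import struct

# Quoted string literals made only of base64 characters, long enough to hold a program.
B64_LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/]{256,}={0,2})\1""")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(script_text: str) -> list[tuple[int, int]]:
    """Return (offset, decoded_size) for each base64 literal that decodes to a PE file."""
    hits = []
    for m in B64_LITERAL.finditer(script_text):
        blob = m.group(2)
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        if looks_like_pe(data):
            hits.append((m.start(2), len(data)))
    return hits


def constructed_sample() -> str:
    """Constructed input: an inert 256-byte header stub plus a harmless long constant."""
    stub = bytearray(256)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    payload = base64.b64encode(bytes(stub)).decode()
    benign = base64.b64encode(b"just a long text constant " * 12).decode()
    return f'var a = "{benign}";\nvar b = "{payload}";\n'


if __name__ == "__main__":
    print(find_embedded_pe(constructed_sample()))
```

This is a triage heuristic: a payload that is split across several concatenated strings, or encoded a second time, will not match and needs dynamic analysis.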

The program code that drops the Fareit file onto your hard disk and launches it is deliberately obscured by encrypting it with AES, using a decryption key stored inside the malware.
