JavaScript Malware Finds New Life

Criminals get creative using malicious JavaScript for profit.

JavaScript has long been used as a vehicle for infecting websites and their visitors, because it is a programming language that every web user runs, whether they know it or not. Alongside HTML and CSS, it is one of the core technologies for building web content.

But the bad guys are getting creative with this ubiquitous language. In mid-2016, for example, a strain of ransomware coded entirely in JavaScript was reported circulating as an email attachment.

JavaScript used in this manner has been on the rise. Until the end of 2015, most ransomware arrived via email containing Word documents. Increasingly, cybercriminals are using JavaScript attachments instead. Because Windows hides file extensions for known file types by default, users often open a JavaScript attachment thinking it is a Word or .txt file: the default icon for a .js file (an old-fashioned scroll) looks like a text document, and attackers also give the file a double extension such as receipt.PDF.js. Windows suppresses the real extension (.js) and shows the name as receipt.PDF, so the decoy .PDF is all the end user sees.

The point of the trick is to get the JavaScript file onto the user's hard disk and run it from there, which sidesteps the sandbox that browsers wrap around script. A .js file double-clicked in Explorer is executed by Windows Script Host (wscript.exe) with the user's own rights to the file system and the network, none of the restrictions a browser imposes on page script. It also exploits a common filtering blind spot: many email gateways and clients block .exe attachments outright but let a .js file through, and Windows will happily run it.
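As an added illustration (this code is not from the original article), here is how a mail-gateway rule could catch the double-extension trick described above, together with a small function that mimics what Explorer shows when extensions are hidden. The extension lists and the sample file names are assumptions made for the demonstration, not a complete policy.

```javascript
// Added example (not from the original article): classify an e-mail
// attachment name the way a mail-gateway rule or awareness tool might,
// and show what Windows Explorer displays for it when "Hide extensions
// for known file types" (the default) is on.
//
// Assumptions: the extension lists are a minimal illustrative policy, not
// a complete one, and windowsDisplayName() assumes the final extension is
// a registered file type (as .js, .pdf and .txt are on a typical install).

// Extensions that Windows Script Host or the shell executes on double-click.
const SCRIPT_EXTS = new Set(["js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"]);

// Extensions a user reads as a harmless document or image.
const DECOY_EXTS = new Set(["pdf", "doc", "docx", "txt", "rtf", "xls", "xlsx", "jpg", "png"]);

// "receipt.PDF.js" -> { base: "receipt", exts: ["pdf", "js"] }
function splitExtensions(name) {
  const parts = name.split(".");
  const base = parts.shift();
  return { base, exts: parts.map((e) => e.toLowerCase()) };
}

// Explorer drops the last (registered) extension, so "receipt.PDF.js"
// is listed as "receipt.PDF" and "invoice.pdf" as "invoice".
function windowsDisplayName(name) {
  const dot = name.lastIndexOf(".");
  if (dot <= 0) return name; // no extension (or only a leading dot)
  return name.slice(0, dot);
}

// Returns { name, displayed, block, reasons } for one attachment name.
function assessAttachment(name) {
  const { exts } = splitExtensions(name);
  const last = exts[exts.length - 1];
  const inner = exts[exts.length - 2];
  const reasons = [];

  if (last !== undefined && SCRIPT_EXTS.has(last)) {
    reasons.push(`runs under Windows Script Host (.${last})`);
  }
  if (last !== undefined && SCRIPT_EXTS.has(last) && DECOY_EXTS.has(inner)) {
    reasons.push(`decoy double extension: Explorer shows "${windowsDisplayName(name)}"`);
  }
  return { name, displayed: windowsDisplayName(name), block: reasons.length > 0, reasons };
}

// Constructed sample attachment names for the demonstration (not real samples).
const SAMPLE_NAMES = ["receipt.PDF.js", "invoice.pdf", "notes.txt", "report.docx.wsf", "README"];

for (const n of SAMPLE_NAMES) {
  const r = assessAttachment(n);
  console.log(`${n.padEnd(18)} shown as "${r.displayed}"  ${r.block ? "BLOCK" : "allow"}  ${r.reasons.join("; ")}`);
}
```

The first rule alone (block anything Windows Script Host would execute) is what most gateways should enforce; the second rule only adds a human-readable explanation of why the name was chosen to deceive.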

In this recent spate of attacks, JavaScript has been used to encrypt the user's files and demand a ransom to unlock them.

The "drive-by download" attack

JavaScript is virtually unavoidable on the web. It is built into almost every page and is downloaded and executed automatically by your browser, so browsing the web today without JavaScript support isn't really a realistic option. Browsers use it to enhance user interfaces and power dynamic websites. In other words, it's everywhere: not only in websites, but frequently in PDFs and desktop widgets as well.

We talk a lot about how to protect end users and educate them on safer practices, but the scary part about malicious JavaScript is that it doesn't require any action on the part of the user to be effective. Malware authors know this, so they compromise popular, high-traffic, legitimate websites and silently redirect visitors to malicious pages. According to the Naked Security blog, 82% of malicious sites are hacked legitimate sites.

So what happens when a user visits a compromised site?  

Once the user is redirected to the malicious page, the infection process kicks in as further scripts exploit client-side vulnerabilities. The stages of the attack are:

  • Entry Point: Simply visiting a website running malicious code.
  • Distribution: You're redirected to another site, which is controlled by the attackers.
  • Exploit: An exploit kit hosted on that site probes your operating system, web browser, and installed software for vulnerabilities.
  • Infection: The exploit kit downloads its payload, malware that installs itself on your computer.
  • Execution: The malware starts doing what it was built to do, from accessing email accounts to holding your files hostage.
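As an added example that is not part of the original article, the following Node.js script scans a page for the injected markers that typically sit at the Entry Point and Distribution stages: an invisible iframe pulling in the attacker's landing page, script that decodes itself at runtime before running, and script includes from hosts outside the site's own domain. The regexes are illustrative heuristics rather than a full HTML parser, the indicator list is an assumption and not a complete signature set, and the page content is constructed for the example (hosts taken from reserved example ranges).

```javascript
// Added example (not from the original article): a small heuristic scanner
// for the kind of injected code that turns a legitimate page into the entry
// point of a drive-by download. Three markers are checked:
//   1. an <iframe> sized or styled to be invisible,
//   2. script that decodes itself at runtime (eval/document.write fed by
//      unescape, String.fromCharCode or atob),
//   3. <script src=...> pointing at a host outside the site's own domain.
// Regex heuristics only, for illustration; the indicator list is an
// assumption, not a complete set.

const HIDDEN_IFRAME =
  /<iframe\b[^>]*?(?:width\s*=\s*["']?0(?=["'\s>])|height\s*=\s*["']?0(?=["'\s>])|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>/gi;
const SELF_DECODING =
  /\b(?:eval|document\.write)\s*\(\s*(?:String\.fromCharCode|unescape|atob)\s*\(/gi;
const EXTERNAL_SCRIPT =
  /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/([^/"'\s>]+)/gi;

// Returns a list of { kind, evidence } findings for one page.
// siteHost is the site's own host; subdomains of it count as internal.
function scanHtml(html, siteHost) {
  const findings = [];
  for (const m of html.matchAll(HIDDEN_IFRAME)) {
    findings.push({ kind: "hidden-iframe", evidence: m[0].slice(0, 80) });
  }
  for (const m of html.matchAll(SELF_DECODING)) {
    findings.push({ kind: "self-decoding-script", evidence: m[0].slice(0, 80) });
  }
  for (const m of html.matchAll(EXTERNAL_SCRIPT)) {
    const host = m[1].toLowerCase();
    if (host !== siteHost && !host.endsWith("." + siteHost)) {
      findings.push({ kind: "external-script", evidence: host });
    }
  }
  return findings;
}

// Constructed sample page (not a real compromised site): a normal site with a
// hidden iframe and a self-decoding script injected into it. 203.0.113.7 is
// from the reserved documentation range; example.com and .example are reserved.
const SAMPLE_PAGE = `<html><head><title>Acme Widgets</title>
<script src="/static/app.js"></script>
<script src="https://static.acme.example/js/site.js"></script>
<script src="//cdn.example.com/jquery.min.js"></script>
</head><body>
<h1>Welcome to Acme Widgets</h1>
<iframe src="http://203.0.113.7/land.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"));</script>
</body></html>`;

for (const f of scanHtml(SAMPLE_PAGE, "acme.example")) {
  console.log(`${f.kind.padEnd(22)} ${f.evidence}`);
}
```

Only the first two markers are strong indicators on their own; an off-site script include is frequently a legitimate CDN, so that finding is a prompt to review the host against an allow-list rather than a verdict. Running a scan like this on a periodic copy of your own pages, and diffing against the last known-good copy, is one cheap way to notice that your site has become somebody's Entry Point.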

These so-called "drive-by downloads" have consistently created security challenges for organizations and end users alike.