JavaScript files are criminals’ new weapon to install malware

Criminals are using JavaScript files disguised as plain text documents as a new way to install malware. The practice is a departure from recent campaigns, which relied on Microsoft Office files, a vector that security software and network administrators have already learned to watch for.

The delivery routine is familiar: fraudulent emails carry an attachment responsible for downloading the malware, with the senders posing as business contacts or customers asking for information. The attackers abuse the way Windows Explorer hides known file extensions by default, sending a file named TEXT.txt.js. Because the final .js extension is hidden by the operating system, the user sees TEXT.txt and may take it for an ordinary text document.
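The trick above works because Explorer strips only the last extension, so the inner one is what the victim reads. The following PowerShell is an added example, not code from the article or from HP: it flags attachment names whose real type is a Windows Script Host extension but which display as something else, and checks the per-user HideFileExt setting that makes the deception possible. The sample file names are constructed; the registry key and value name are the standard Explorer settings.

```powershell
# Added example: detect deceptive double-extension script names and check the
# Explorer setting that hides the final extension. Sample names are constructed.

# Extensions that wscript.exe/cscript.exe (or mshta.exe for .hta) will execute on
# double-click. This is also the list a mail gateway attachment filter should reject.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta')

function Test-DeceptiveScriptName {
    param([Parameter(Mandatory)][string]$Name)

    $ext = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($ext -notin $ScriptExtensions) { return $null }   # not a script type, nothing to flag

    # What Explorer shows with "Hide extensions for known file types" on:
    # only the last extension is removed, so TEXT.txt.js is displayed as TEXT.txt.
    $shown    = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $innerExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()

    [pscustomobject]@{
        Name      = $Name
        RealType  = $ext
        ShownAs   = $shown
        DoubleExt = ($innerExt -ne '')   # true when a decoy extension precedes the real one
        LooksLike = $innerExt
    }
}

# Constructed sample attachment names (not from any real campaign).
$samples = @('TEXT.txt.js', 'Invoice_2021-11.pdf.jse', 'order.vbs', 'report.docx', 'setup.exe')
$samples |
    ForEach-Object { Test-DeceptiveScriptName $_ } |
    Where-Object { $_ } |
    Format-Table -AutoSize

# Check the per-user Explorer setting. HideFileExt = 1 (the default) hides the last
# extension of known types; 0 shows it. Uncomment the Set-ItemProperty line to fix it,
# then restart explorer.exe for the change to take effect.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Warning "HideFileExt=$hide : Explorer hides the final extension, so TEXT.txt.js shows as TEXT.txt"
    # Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
}
```

Showing extensions helps the user, but it is not a control on its own: the same extension list is the one to reject at the mail gateway, and the WSH settings discussed later are what actually stop the file from running.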

When the file is run, RATDispenser comes into action: a JavaScript loader responsible for downloading a remote access trojan (RAT) to the computer. From there, what happens depends on the group behind the emails. The RAT gives the attackers remote access to the machine, and the follow-on activity ranges from data theft to privilege escalation.


E-mails arrive disguised as commercial proposals or customer requests; the attachment, its real extension hidden, runs a script that installs malware (Image: Reproduction/HP)

According to the HP threat research team, which issued the alert, the technique has already been used in association with eight different malware families. Furthermore, in 89% of the cases analysed, security software failed to detect the malicious behavior, and therefore failed to stop it.

In the experts' view, the .js format is uncommon as an attachment, which lets it slip past traditional checks. Criminals are also betting on the misconfiguration of corporate email services: gateways can be configured to automatically block attachments with executable extensions, but few organizations actually do it. Users assume that an email that reached the inbox has already passed such checks and is therefore safe.

The HP report covers attacks over the past three months, with different malware families used by many different gangs. Most of the attacks aim at stealing credentials or logging keystrokes; the mostly corporate targets suggest that this may be an initial step toward selling the stolen data or carrying out ransomware attacks.

In addition to proper blocking settings in security software and email services, the experts recommend measures aimed specifically at JavaScript misuse: allow only signed scripts to run, or disable the Windows Script Host (WSH) feature of the operating system altogether so that such code cannot execute. The point to keep in mind is that a double-clicked .js file is not run by the browser but by wscript.exe through WSH, so controlling WSH is what neutralizes the attachment.
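The two WSH controls the experts recommend are registry settings. The script below is an added example, not the article's or HP's code: it audits the current WSH policy, applies either the "disable" or the "signed only" option, and, as a belt-and-braces step, remaps the script extensions so a double-click opens the source in Notepad instead of executing it. The value names (Enabled, TrustPolicy, UseWINSAFER) and their meanings are taken from Microsoft's WSH documentation as I understand it; the assumption that TrustPolicy is honoured only when UseWINSAFER is "0" should be verified on a test host before rollout. HKLM and HKCR writes need an elevated prompt.

```powershell
# Added example: audit and apply Windows Script Host restrictions. Run elevated.
# Registry names per Microsoft WSH docs; verify behaviour on a test host first.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshPolicy {
    # Absent values mean the defaults: WSH enabled, run any script, SAFER policy in use.
    $p = Get-ItemProperty -Path $WshKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled     = if ($null -eq $p.Enabled)     { 1 }   else { [int]$p.Enabled }
        TrustPolicy = if ($null -eq $p.TrustPolicy) { 0 }   else { [int]$p.TrustPolicy }
        UseWINSAFER = if ($null -eq $p.UseWINSAFER) { '1' } else { [string]$p.UseWINSAFER }
    }
}

function Set-WshPolicy {
    param([Parameter(Mandatory)][ValidateSet('Disable', 'SignedOnly')][string]$Mode)

    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    switch ($Mode) {
        'Disable' {
            # Enabled = 0: wscript.exe/cscript.exe refuse every script and show
            # "Windows Script Host access is disabled on this machine".
            Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
        }
        'SignedOnly' {
            # Keep WSH for signed admin scripts only. TrustPolicy: 0 = run all,
            # 1 = prompt, 2 = signed only. Assumption: it is only honoured when
            # UseWINSAFER is "0"; with "1" WSH defers to Software Restriction Policies.
            Set-ItemProperty -Path $WshKey -Name UseWINSAFER -Value '0' -Type String
            Set-ItemProperty -Path $WshKey -Name TrustPolicy -Value 2 -Type DWord
        }
    }
}

function Set-ScriptExtensionsToNotepad {
    # Point the script extensions at the built-in 'txtfile' ProgID, whose open verb
    # is notepad.exe, so TEXT.txt.js is displayed rather than executed.
    # Caveat: a per-user UserChoice association, if one exists, overrides HKCR.
    foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh') {
        $path = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name '(default)' -Value 'txtfile'
    }
}

'Before:'; Get-WshPolicy
Set-WshPolicy -Mode Disable          # or: Set-WshPolicy -Mode SignedOnly
Set-ScriptExtensionsToNotepad
'After:';  Get-WshPolicy
```

Disabling WSH outright is the simpler and safer choice for workstations that have no legitimate .vbs or .js logon scripts; use SignedOnly where such scripts exist and can be signed. Either setting can also be deployed fleet-wide through Group Policy Preferences rather than run by hand.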
