5 March 2016

This week I was flooded with spear phishing emails in the office. Most of them dealt with late payment of invoices. In any case the attackers requested to study an attached file and to take immediate action to avoid the accrual of penalties.

Fortunately, the anti-virus scanner on the email gateway removed the payload from the attached zip files and filed the emails in the junk folder:

--------Begin Virus scanner message-----------------------------------------------
The company security policies do not allow to transfer file attachments of the specified type.
Removed attachment(s): B56d48d430000.000000000001.0004.mml; invoice_kOUEsX.js
--------End Virus scanner message-------------------------------------------------

It is important to note that the virus scanner removed the attachments because the company policy does not allow the transfer of such files with email. For the exchange of JavaScript files with a partner other secure communication channels must be used.

With this, the inherent risk of classic anti-malware systems is reduced. Unwanted attachments are removed even if they have not yet been identified by the anti-malware system.

Sending the payload in nested zip files is an often used technology to outsmart antivirus systems. Therefore, it is very important to let the antivirus system do in-depth scans on all attachments, even though many users will complain about this because in-depth scans delay the delivery of emails by some seconds. In the case an antivirus system cannot deal with nested archives just remove any content from the outer archive. Some more false positives are better than rebuilding hundreds of computers in the company network.

The malicious JavaScript attachment invoice_kOUEsX.js is identified by 33 of 55 antivirus systems on VirusTotal.com. Microsoft Defender identifies the file as TrojanDownloader:JS/Nemucod. And as always, the few relevant lines of code are hided in a mess of statements.

Have a good weekend.