This article explains one way malware authors spread malicious software in the wild. The easiest way, of course, is to convince the victim to run the malicious code himself: no 0day is required, and no known vulnerability either.

In these conditions the preferred attack pattern is usually "spear phishing": an email that contains not the malware itself but a dropper, written in a scripting language (formally just a text file), capable of downloading the malware and running it on the target system. In other words: a JavaScript file. Below is an example.

The original JavaScript file.



As you know, comments are useless. Just remove them!

Comments removed


Now take a look at the variable named "XyuHqSR". It is a multidimensional array, referenced six times in the malicious code. We can parse it to extract the strings used by the JS file. Just run this code.


Parsing the evil string

This yields the following strings, each prefixed with its array index.

Decrypted strings


Now, with a bit of "search & replace" and some string concatenation (follow the "+" character...), the result is a clean file that you don't need to execute in a sandbox to obtain its behavioural information.

The clean JavaScript file


Easy to read now, isn't it? 🙂
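The three steps above (strip the comments, dump the string array with its indices, then search & replace the references and fold the "+" concatenations) can be automated so that the cleaned file is produced without ever executing the script. The following is an added example, not the post's own parsing code: it works on a constructed, harmless sample that mimics the pattern (an array named XyuHqSR, referenced by index), and assumes the array literal uses double-quoted strings so it can be read with JSON.parse instead of eval.

```javascript
// Added example (not the post's own code): a de-obfuscation helper for a JScript
// dropper that keeps all its strings in one nested array (here "XyuHqSR", the
// name used in the post) and references them by index. Nothing is executed;
// the array literal is read with JSON.parse, so it must use double-quoted
// strings with JSON-compatible escapes (an assumption; single-quoted arrays
// would need a conversion step first). SAMPLE is constructed and harmless.
const SAMPLE = [
  'var XyuHqSR = [["Hel", "lo"], ["Wor", "ld"], ["http://", "example.com/", "sample.txt"]];',
  'var greet = XyuHqSR[0][0] + XyuHqSR[0][1] + " " + XyuHqSR[1][0] + XyuHqSR[1][1]; // inline comment',
  '/* block comment the author tells us to remove */',
  'var url = XyuHqSR[2][0] + XyuHqSR[2][1] + XyuHqSR[2][2];',
].join("\n");

// Step 1: remove // and /* */ comments but leave string literals untouched
// (a naive regex would eat the "//" inside "http://").
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (quote) {                                   // inside a string literal
      out += ch;
      if (ch === "\\" && next !== undefined) { out += next; i += 2; continue; }
      if (ch === quote) quote = null;
      i++; continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; out += ch; i++; continue; }
    if (ch === "/" && next === "/") {              // line comment: drop to end of line
      while (i < src.length && src[i] !== "\n") i++;
      continue;
    }
    if (ch === "/" && next === "*") {              // block comment: drop to closing */
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
      continue;
    }
    out += ch; i++;
  }
  return out;
}

// Step 2: locate "name = [ ... ]", match the brackets (ignoring brackets inside
// strings) and parse the literal. Returns the value plus the span to cut out.
function findArray(src, name) {
  const m = new RegExp("(?:var\\s+)?\\b" + name + "\\s*=\\s*\\[").exec(src);
  if (!m) throw new Error("array " + name + " not found");
  const open = m.index + m[0].length - 1;          // index of the opening '['
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) { if (ch === "\\") i++; else if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "[") depth++;
    else if (ch === "]" && --depth === 0) {
      let end = i + 1;
      if (src[end] === ";") end++;
      return { value: JSON.parse(src.slice(open, i + 1)), start: m.index, end };
    }
  }
  throw new Error("unbalanced brackets in " + name);
}

// Step 3: list every string prefixed with its index path, like the post's dump.
function dumpStrings(arr, path = "") {
  const lines = [];
  arr.forEach((el, i) => {
    const p = path + "[" + i + "]";
    if (Array.isArray(el)) lines.push(...dumpStrings(el, p));
    else lines.push(p + " " + JSON.stringify(el));
  });
  return lines;
}

// Step 4: the "search & replace" pass. Substitute each name[i][j]... reference
// with its literal, then fold "a" + "b" concatenations until nothing changes.
function inlineReferences(src, name, arr) {
  const ref = new RegExp("\\b" + name + "((?:\\s*\\[\\s*\\d+\\s*\\])+)", "g");
  let out = src.replace(ref, (whole, idx) => {
    let v = arr;
    for (const k of idx.match(/\d+/g)) v = v[Number(k)];
    return typeof v === "string" ? JSON.stringify(v) : whole;   // leave non-strings alone
  });
  const concat = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/;
  for (let prev = null; prev !== out; ) {
    prev = out;
    out = out.replace(concat, (_, a, b) => JSON.stringify(JSON.parse('"' + a + '"') + JSON.parse('"' + b + '"')));
  }
  return out;
}

// Whole pipeline: strip comments, pull the array out, inline it, tidy blank lines.
function deobfuscate(src, name) {
  const noComments = stripComments(src);
  const arr = findArray(noComments, name);
  const body = noComments.slice(0, arr.start) + noComments.slice(arr.end);
  const clean = inlineReferences(body, name, arr.value)
    .split("\n").map(l => l.trimEnd()).filter(l => l.length > 0).join("\n");
  return { strings: dumpStrings(arr.value), clean };
}

const result = deobfuscate(SAMPLE, "XyuHqSR");
console.log(result.strings.join("\n"));   // the indexed string dump
console.log(result.clean);                // the readable script
```

Run with `node deobfuscate.js`: the first block of output is the indexed string list ("[0][0] "Hel"" and so on), the second is the cleaned script with every array reference replaced and the "+" chains collapsed into single literals. The comment stripper and bracket matcher both track string-literal state on purpose; droppers routinely hide "//" and "]" inside strings, and a plain regex pass would corrupt the URLs you are trying to recover.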

IoC:

Finally I decided to release some new features for Pentest.IT Statistics. Dozens of minor bugs have been fixed, and there are some minor changes, such as using the modern <datalist> instead of <select> to avoid overly long select lists. But there is just one real piece of news: you can now get statistics for a specific product family.

stats.pentest


Some examples:

Remember: all URLs are CPE compliant!