This still doesn't explain how the attachment is supposed to execute on
a target system - ie - what mail client the user must be using, what the
user sees in terms of system messages as they launch or access the
attachment, how is the attachment handed off to IE (or the windoze
scripting host) for handling, etc.
How can the scripting host be invoked directly, with a .js file of
interest?
---------------------------
https://www.dshield.org/forums/diary/Malicious+spam+continues+to+serve+zip+archives+of+javascript+files/19973/
In January 2015, the Asprox botnet switched from sending malware
attachments to spamming pornography and diet-related scams [1]. Since
then, we've noticed an increase in a different type of malicious spam
(malspam). This malspam has zip attachments containing javascript files
(.js), and it uses the same type of subject lines we saw from the Asprox
botnet prior to 2015 [1].
We still see malspam using zipped .js attachments. One popular theme
with this sort of malspam is fake resumes [2]. A reader sent us an
example last week on Friday 2015-07-24 [3]. That example infected a
computer with CryptoWall 3.0 when we checked it out in our lab
environment.
We saw a different malspam campaign on Monday 2015-07-27 deliver Kovter
and Miuref/Boaxxe.
I infected a Windows host in a lab environment with one of the .js
files, E-ZPass_0000161034.doc.js (MD5 hash:
38f27b7a6c36762d75ea858134f3d5ea). This provided a full infection chain
of traffic. Three EXE files were downloaded by the .js file. We then
saw HTTP POST requests associated with Kovter malware. Traffic also
triggered an alert for Miuref/Boaxxe. Later in the pcap, we see
click-fraud activity.
Malspam with zipped .js attachments has continued since I first looked
into it earlier this year. We're fairly certain this style of malspam
will remain an issue. Most spam filters keep these messages from
getting to their intended recipients, but filters are never a foolproof
method. As botnets continue to send malicious content to the world's
inboxes, we should always remain aware of the current threat landscape.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
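The zipped .js attachment the diary describes, as an added triage example (not code from the diary or its author): it reads a mail attachment's zip listing in memory, without extracting anything, and flags members that Windows Script Host would run on double-click, including the decoy double-extension pattern of the sample filename. The extension lists are assumptions for this example, and the sample zip is constructed here with a placeholder body, not the real file.

```python
import io
import zipfile

# Extensions that Windows Script Host (wscript.exe / cscript.exe) runs on
# double-click. Assumption: a starting list for triage, not exhaustive.
SCRIPT_HOST_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Decoy extensions placed before the real one (e.g. "resume.doc.js") so the
# file looks like a document where the last extension is hidden. Constructed list.
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}


def classify_entry(name):
    """Return the reasons an archive member looks like script-based malspam."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all
    final_ext = "." + parts[-1]
    if final_ext in SCRIPT_HOST_EXTENSIONS:
        reasons.append("script-host extension " + final_ext)
        # ".doc.js": the second-to-last extension is the decoy.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append("decoy double extension ." + parts[-2] + final_ext)
    return reasons


def triage_zip_attachment(zip_bytes):
    """Inspect a zip attachment in memory, without extracting; {member: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = classify_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample zip shaped like the malspam in the diary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Filename from the diary; the body is a harmless placeholder, not the sample.
        archive.writestr("E-ZPass_0000161034.doc.js", "// placeholder\n")
        archive.writestr("readme.txt", "benign text file\n")
    return buf.getvalue()
```

Run `triage_zip_attachment(build_sample_attachment())` to see the .js member flagged while readme.txt passes; the same function can be fed a real attachment's bytes from a mail gateway or quarantine.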