New method for delivery?


9 replies to this topic

#1 JohnnyJammer

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 13 March 2016 - 07:45 PM

Been getting a few of these emails trying to get in last few days.

Is this a new method or an older method using WSF script engine?

Getting tons of .js malware trying to come through as Australia Post emails that are very cleverly targeting particular users on my network as well, which download a .scr file to execute.

 

'6555434_4X_AZ_PA2__Package=20AUSPOST=R02AU=5F7745652112566=5F100=2DTGF.wsf'
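The attachment name above is still carrying quoted-printable escapes (=20 for a space, =5F for an underscore, =2D for a dash), which is how the name looked inside the MIME headers before decoding. A gateway or mailbox rule that matches on the raw name can miss the extension, so a filter should decode first. The following is an added example, not code from the original post: a small PowerShell helper that decodes such a name, reports the final extension, and flags the Windows Script Host and executable types discussed in this thread (the extension list and the second, benign sample name are assumptions constructed for the example).

```powershell
# Added example (not from the original post): decode a quoted-printable style
# attachment name and flag extensions that Windows Script Host or the shell
# would run on double-click. The extension list is an assumption based on the
# types mentioned in this thread (.wsf, .js, .scr) plus the other WSH types.

$ScriptExtensions = @('.wsf', '.js', '.jse', '.vbs', '.vbe', '.wsh', '.hta', '.scr')

function ConvertFrom-QuotedPrintableName {
    param([Parameter(Mandatory)][string]$Name)
    # Replace each =XX hex escape (=20 space, =5F underscore, =2D dash) with
    # the character it stands for. The names seen here are ASCII, so a
    # byte-for-byte replacement is enough; "=R0" is not hex and is left alone.
    return [regex]::Replace($Name, '=([0-9A-Fa-f]{2})', {
        param($m)
        [char][Convert]::ToInt32($m.Groups[1].Value, 16)
    })
}

function Test-SuspiciousAttachmentName {
    param([Parameter(Mandatory)][string]$Name)
    $decoded = ConvertFrom-QuotedPrintableName -Name $Name
    $ext = [System.IO.Path]::GetExtension($decoded).ToLowerInvariant()
    # Collect every ".xxx" segment so names like invoice.pdf.wsf are reported
    # as double extensions as well as by their real (last) extension.
    $allExts = @([regex]::Matches($decoded, '\.[A-Za-z0-9]{1,4}(?=\.|$)') |
        ForEach-Object { $_.Value.ToLowerInvariant() })
    [pscustomobject]@{
        Original   = $Name
        Decoded    = $decoded
        Extension  = $ext
        Suspicious = ($ScriptExtensions -contains $ext)
        DoubleExt  = ($allExts.Count -gt 1)
    }
}

# Sample names constructed for this example: the first is the attachment name
# quoted in the post above, the others are made up for comparison.
$samples = @(
    '6555434_4X_AZ_PA2__Package=20AUSPOST=R02AU=5F7745652112566=5F100=2DTGF.wsf',
    'Tracking=20Notice.pdf',
    'Parcel=20Details.pdf.js'
)
$samples | ForEach-Object { Test-SuspiciousAttachmentName -Name $_ } | Format-Table -AutoSize
```

Run it in any PowerShell 5 or later session; the first and third samples come back with Suspicious set to True and the third also with DoubleExt set to True. The same decode-then-match order applies when writing a transport rule on the mail gateway: match the decoded name, not the encoded header text.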

 




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 March 2016 - 08:11 PM

The developers of TeslaCrypt, CryptoWall, Locky, Ransom32 Ransomware, KeyBTC and XRTN Ransomware all have been known to use malicious .js files often found in zipped email attachments.

To prevent installation you can use Symantec's NoScript tool. NoScript.exe will disable the Windows scripting host on the computer so that you are unable to launch JS files like the ones this ransomware uses. This could cause interference with normal programs, so you can always revert the changes with the same tool if necessary.

KeyBTC, a simple yet effective encrypting ransomware
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 JohnnyJammer
  • Topic Starter

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 13 March 2016 - 10:14 PM

Yep, agreed, but in all the years I have been a SysAdmin this is the first .wsf file being used instead of a .doc, .scr, or .js file.

Just wondering if anyone else has seen them use the windows scripting file extension?

 

EDIT: LOL, just got another one as I pushed send on this thread, and they all appear to be coming from our good old friend the USSR, in this case 81.19.67.207 / rambler.ru!


Edited by JohnnyJammer, 13 March 2016 - 10:16 PM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 March 2016 - 06:21 AM

The Windows Scripting Host (.wsf) is just one of many Windows files which malware can exploit. That's why Symantec created Noscript.exe many years ago, since it effectively disabled the Windows Scripting Host, preventing all script based programs such as PowerShell scripts, Visual Basic scripts, and Javascripts (including malicious files) from executing automatically on the system. As recently as 2014, Noscript was again found to be useful for disabling Windows Scripting Host, since it effectively helped stop Poweliks and similar malware known to download ransomware and other infections.

Best practices for securing your environment against Cryptolocker and ransomware
  • Verify Webroot installed and setup correctly
  • Ensure the latest Windows updates are applied
  • Keep all used plugins up to date (Java, Flash, Adobe etc.)
  • Use a modern browser with an ad blocker plugin
  • Disable Autoruns
  • Disable Windows Scripting Host
  • Have users running as limited users and NOT admins
  • Backup+ Backup+ Backup+ Backup!


#5 Didier Stevens

  • BC Advisor
  • 2,638 posts
  • Gender:Male

Posted 14 March 2016 - 03:54 PM

Yes, I'm seeing these .wsf files too.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 14 March 2016 - 07:29 PM

Disable Windows Scripting Host ( WSH ). http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html


https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/firefox_and_malware.pdf

http://www.symantec.com/security_response/publications/threatreport.jsp
https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf
http://www4.symantec.com/mktginfo/whitepaper/ISTR/21347931_GA-internet-security-threat-report-volume-20-2015-appendices.pdf
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

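Both quietman7's "Disable Windows Scripting Host" item in #4 and the KB link in #6 come down to one registry value that the Symantec NoScript tool also toggles. The following is an added example, not code from the original thread or from either tool: it disables WSH machine-wide, verifies the result against a harmless script written for the example, and also shows the gentler alternative of re-pointing the double-click handler for script ProgIDs to Notepad. Assumptions: it is run from an elevated PowerShell prompt, and any scripts you rely on are launched explicitly through cscript.exe or wscript.exe by path rather than by double-click. One caveat worth knowing: the Enabled value governs only wscript.exe and cscript.exe; PowerShell does not consult it.

```powershell
# Added example, not from the original thread or from Symantec's tool.
# Run from an elevated prompt. Two ways to stop e-mailed .js/.vbs/.wsf
# attachments from running:
#  1. Disable-Wsh turns Windows Script Host off machine-wide (the setting the
#     NoScript tool and the linked KB article change).
#  2. Set-ScriptOpenAction re-points the "open" verb of the WSH ProgIDs to
#     Notepad, so a user who opens an attachment sees source instead of running
#     it, while "cscript.exe \\server\scripts\inventory.vbs" keeps working.
#     Assumption: your own scripts are invoked by path, not by double-click.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
# ProgIDs Windows registers for the WSH file types.
$ScriptProgIds = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')

function Get-WshEnabled {
    # Value absent means the default, which is enabled.
    $v = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Wsh {
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    # wscript.exe and cscript.exe read this value and refuse every script with
    # "Windows Script Host access is disabled on this machine."
    Set-ItemProperty -Path $WshKey -Name Enabled -Type DWord -Value 0
}

function Enable-Wsh {
    # Revert by deleting the value so the key returns to its default.
    Remove-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
}

function Set-ScriptOpenAction {
    param(
        # Command for the "open" verb; default hands the file to Notepad.
        [string]$Command = '"%SystemRoot%\System32\notepad.exe" "%1"'
    )
    foreach ($progId in $ScriptProgIds) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        if (Test-Path $cmdKey) {
            Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $Command -Type ExpandString
        }
    }
}

function Get-ScriptOpenAction {
    foreach ($progId in $ScriptProgIds) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
        if (Test-Path $cmdKey) {
            [pscustomobject]@{
                ProgId  = $progId
                Command = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

# Option 1: full WSH disable, then prove it with a harmless probe script
# written for this example. cscript should refuse it instead of echoing.
Disable-Wsh
"WSH enabled: $(Get-WshEnabled)"
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'
Set-Content -Path $probe -Value 'WScript.Echo "WSH still runs scripts"'
cscript.exe //Nologo $probe
Remove-Item $probe

# Option 2, instead of option 1, when logon or inventory scripts must keep
# working: re-enable WSH and only change what double-click does.
# Enable-Wsh
# Set-ScriptOpenAction
# Get-ScriptOpenAction | Format-Table -AutoSize
```

Option 1 is the blunt instrument and is what breaks the kind of VBS-based key collection described later in this thread. Option 2 leaves cscript and wscript functional, so it does nothing against a downloader that already has code execution and calls wscript.exe by path; it only removes the "user opens attachment, script runs" step, which is the step these Australia Post lures depend on. Whichever you pick, push it with Group Policy Preferences rather than by hand across 80 machines, and keep Enable-Wsh handy for the rollback.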


#7 JohnnyJammer
  • Topic Starter

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 14 March 2016 - 08:11 PM

It's not as easy as that, Cat, because I have around 80 machines that I have VBS scripts to obtain certain keys and other things, which I would have to rewrite in a batch file, I guess!

Also the last one that came through exploited the Windows Preview pane in Explorer, so simply just viewing the .js file inside the zip using Preview pane executed the script.

Didn't even have to unzip it! Luckily I pulled the Ethernet plug out within seconds.


Edited by JohnnyJammer, 14 March 2016 - 08:13 PM.


#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 14 March 2016 - 08:37 PM

I forgot to mention that AnalogX Script Defender is an alternative to Symantec's NoScript tool.

#9 JohnnyJammer
  • Topic Starter

  • Members
  • 1,114 posts
  • Gender:Male
  • Location:QLD Australia

Posted 14 March 2016 - 09:35 PM

I forgot to mention that AnalogX Script Defender is an alternative to Symantec's NoScript tool.

Excellent, might look at that as well. I have already started re-writing my VBS to batch files now.

It was mainly for using arrays in VBS instead of batch files.



#10 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 March 2016 - 05:40 AM

Good luck.



