Secplicity – Security Simplified

Locky Vigilante

Recently, while working with Lastline (our APT Blocker provider) on what I thought was a suspiciously low score for a ransomware file, I uncovered something unusual. A lot of ransomware is currently being sent as a JavaScript (.js) attachment in emails. JavaScript on its own is relatively harmless, but it can be used to download and run more harmful files. In this instance, the JavaScript did indeed download an executable file from a compromised WordPress site (hxxp://www.xxxxxxxx.it/wp-content/plugins/hello123/89h766b.exe), which obviously looked suspicious and led me to believe the file was malicious. However, our advanced threat prevention system gave the file a score of only 0/100, suggesting it was benign. What was going on?

Initially, I thought our system had missed a threat. It turns out that, despite being called “89h766b.exe”, it was in fact a harmless text file containing the text “STUPID LOCKY”.

So why did this seemingly malicious email campaign only spread a harmless text message complaining about Locky? My best guess is that some well-intentioned vigilante gained access to the command and control infrastructure attackers use to deliver their malicious executables. It looks like this vigilante replaced the harmful ransomware file with an innocuous text file, thus preventing the evil email campaign from working. While we thank the vigilante for their efforts, we recommend customers do not allow emails with .js attachments and use APT Blocker.

Rob Collins
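The two defensive checks this story suggests, written as an added example (not code from the post, from WatchGuard or from Lastline): flag e-mails that carry .js attachments, and classify a downloaded payload by its leading bytes rather than its name, which is exactly why a file called 89h766b.exe that really contained "STUPID LOCKY" scored as a plain text file. The sample message and filenames are constructed for the example.

```python
import string
from email import message_from_bytes, policy
from email.message import EmailMessage

# Policy from the post: do not allow e-mails with .js attachments.
BLOCKED_EXTENSIONS = {".js"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of attachments whose final extension is blocked.

    Only the final suffix counts, so 'invoice.pdf.js' is caught as .js;
    what a file really is should be decided by content (see classify_payload).
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if "." + suffix in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def classify_payload(data: bytes) -> str:
    """Classify a downloaded file by content, ignoring its name.

    'pe' for a Windows executable (MZ header), 'text' for printable ASCII,
    'other' for anything else.
    """
    if data[:2] == b"MZ":
        return "pe"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "other"
    if text and all(ch in string.printable for ch in text):
        return "text"
    return "other"


def sample_message() -> bytes:
    """Constructed phishing-style mail with a .js attachment (not a real campaign)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="javascript", filename="invoice.pdf.js")
    return msg.as_bytes()
```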
