Two URL formats are commonly in use at this time: one with only alphanumeric characters in the path, and the other with the string ‘.view’ in the path. Examples of these URLs are shown below:
Allowing execution of this ActiveX component causes the browser to download and execute the malicious payload as shown in the screenshot below:
Figure 3: Malware payload download capture
The JsFormatted script contains 4,000+ lines of code, most of which serve only to hide the script’s logic.
A quick review of the obfuscated code revealed a line of particular interest, as shown below:
Stepping into this function call yields the deobfuscated code. Below, we review the important components of this script:
The most important function (below) shows us the hardcoded URLs that will be used to download the malware payloads.
The script will continue trying different URLs from the hardcoded list, until it successfully downloads the malware executable payload from one of them.
Finally, we looked at the function that executes the downloaded payload:
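To show how an analyst can triage a sample like this without running it, here is an added Python example (not code from the original post or from Zscaler). It strips the cheap obfuscation layers described above (hex-escaped strings, a string array referenced by index, and "+" concatenation), extracts the hardcoded URL list, classifies each URL by the two path formats noted earlier (bare alphanumeric or ending in ".view"), and flags the ActiveX ProgIDs that a script downloader combines to fetch, write and run a payload. The embedded script and its hostnames are constructed placeholders, not the campaign's real script or infrastructure.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample modelled on the obfuscation patterns described in the post
# (hex escapes, a string array, "+" concatenation). NOT the campaign's script;
# hosts use the reserved .invalid TLD so nothing here resolves.
SAMPLE_SCRIPT = r'''
var _0xab = ["\x68\x74\x74\x70\x3a\x2f\x2f", "host-one.invalid/a1B2c3D4", "host-two.invalid/q7.view"];
var list = [_0xab[0] + _0xab[1], _0xab[0] + _0xab[2], "ht" + "tp://host-three.invalid/x9Y8z7"];
var req = new ActiveXObject("MSXML2.XMLHTTP");
var stm = new ActiveXObject("ADODB.Stream");
var sh  = new ActiveXObject("WScript.Shell");
'''

# ProgIDs a script-based downloader typically combines: fetch, write to disk, execute.
DOWNLOADER_PROGIDS = {"MSXML2.XMLHTTP", "Microsoft.XMLHTTP", "ADODB.Stream",
                      "WScript.Shell", "Shell.Application"}

_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
_ARRAY = re.compile(r'var\s+(\w+)\s*=\s*\[([^\]]*)\]\s*;')
_STRLIT = re.compile(r'"([^"\\]*)"')
_URL = re.compile(r'https?://[^\s"\'<>;,)]+')
_ACTIVEX = re.compile(r'ActiveXObject\(\s*["\']([^"\']+)["\']\s*\)')


def decode_hex_escapes(text: str) -> str:
    """Turn \\xHH escapes into the characters they encode."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), text)


def inline_string_arrays(text: str) -> str:
    """Replace NAME[i] with the i-th literal of each pure string array declared in the script."""
    for m in _ARRAY.finditer(text):
        name, body = m.group(1), m.group(2)
        literals = _STRLIT.findall(body)
        if not literals:
            continue
        for i, lit in enumerate(literals):
            text = re.sub(rf'\b{re.escape(name)}\[{i}\]', f'"{lit}"', text)
    return text


def join_concatenations(text: str) -> str:
    """Collapse "a" + "b" into "ab", repeating until a fixed point is reached."""
    while True:
        new = _CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', text)
        if new == text:
            return text
        text = new


def classify_path(url: str) -> str:
    """Bucket a URL by the two path shapes seen in the campaign: bare alphanumeric or '.view'."""
    path = urlparse(url).path.lstrip("/")
    if path.endswith(".view"):
        return "view"
    if path.isalnum():
        return "alnum"
    return "other"


def find_activex_progids(text: str) -> List[str]:
    """List every ProgID passed to new ActiveXObject(...)."""
    return _ACTIVEX.findall(text)


def triage(script: str) -> Dict[str, object]:
    """Peel the cheap obfuscation layers and summarise download/execute indicators."""
    clean = join_concatenations(inline_string_arrays(decode_hex_escapes(script)))
    urls = sorted(set(_URL.findall(clean)))
    progids = find_activex_progids(clean)
    hits = set(progids) & DOWNLOADER_PROGIDS
    return {
        "urls": urls,
        "url_formats": {u: classify_path(u) for u in urls},
        "activex_progids": progids,
        "downloader_progids_present": sorted(hits),
        # Hardcoded URL list plus at least two of fetch/write/run ProgIDs is a strong signal.
        "likely_script_downloader": bool(urls) and len(hits) >= 2,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

The extracted URL list is what you would feed to blocklists or proxy logs to check for prior contact, and the ProgID combination (XMLHTTP plus ADODB.Stream plus WScript.Shell) is a compact detection signature that survives renaming of variables, since the obfuscation layers in this family hide strings rather than the objects the script must ultimately instantiate.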
We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks. Zscaler ThreatLabZ will continue to monitor these malspam campaigns involving malicious scripts to ensure that Zscaler customers are protected.