
Obfuscated JavaScript or Nothing, (Thu, Apr 9th)

SANS Internet Storm Center, 10/04/2026, 06:40

Summary

AI-Generated

Key Points:

  • A malicious JavaScript file named “cbmjlzan.JS” was delivered via a phishing email. Its obfuscated code establishes persistence through a scheduled task and launches a PowerShell script that decrypts and extracts the malware.
  • The attack targets Windows systems, using ActiveXObject and other Windows-specific features for execution and persistence. The final payload is identified as Formbook malware, which poses a significant data exfiltration risk.
  • Recommended actions include blocking the listed SHA256 hashes, monitoring for suspicious PowerShell activity, and applying email filtering to stop the phishing delivery.

Technical Details: The JavaScript file (SHA256: a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) is obfuscated and uses ActiveXObject to copy itself for persistence. It then runs a PowerShell script that decrypts an AES-encrypted payload, which in turn deploys the Formbook malware (SHA256: 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b).

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Scheduled Task (Persistence)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)

IOCs Mentioned:

  • SHA256: a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285
  • SHA256: 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b
  • SHA256: fdcfbb67d7e996e606963ac96a4a1b14e7070e1e88d210b2f567e3d40541b7b7
