It’s quick, it’s easy, and it’s edged out macros embedded in Microsoft Office as the number one way to spread malware through email messages. Over the past month, researchers at Proofpoint Inc. have spotted a new trend in malicious email campaigns: attached JavaScript files.
Threat actors have been using attached Microsoft Office files with embedded malicious macros for years, said Bryan Burns, the company’s vice president of threat research, in a telephone interview. Users have become savvy to the hazards of opening a .exe file attached to emails, but JavaScript – not to be confused with Java – has only ever been used occasionally.
Until now. The use of .js files to spread ransomware and malware has spiked dramatically in the past two months, said Burns, with campaigns appearing in unprecedented volumes with hundreds of millions of messages being sent across Proofpoint’s customer base. In the past three months, he said, JavaScript has been the first choice of threat actors to spread malware.
Part of the reason is that education has made users much less likely to click on a .exe file – they know better. “The click rates have dropped down to the point where it’s not an effective technique,” said Burns. Couple that education with effective security technology that scans and catches malicious files before they reach the user, and threat actors just aren’t getting the same bang for their buck.
Creating an executable is complicated, noted Burns. “It’s difficult to develop malware with.” JavaScript allows malware makers to make efficient use of their time, and it’s easier to change their scripts every couple of days to keep ahead of scanning technology.
Office files with nasty macros remain the number two vector for threat actors, having become popular a couple of years ago, but Burns said JavaScript has taken over in the past two months in terms of message volume. It’s still the same threat actors, he said, with two primary objectives: getting Trojans into major financial institutions and getting ransomware into enterprises to hold their business files hostage, particularly those likely to use Microsoft Office 365.
Burns said the simplest approach to address this malicious JavaScript trend is to block .js files as they would an .exe file. “We encourage customers to treat JavaScript attachments like they treat an executable.” He said a good email gateway will include a policy engine to support a security stance to defend against JavaScript attacks. “It’s going to be more reliable than making sure your user base does the right thing 100 per cent of the time.”
Blocking .js files through messaging platforms is unlikely to affect productivity, noted Burns, as developers who work with legitimate JavaScript files are likely to share them through collaborative repositories.
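As an added illustration, not from the article or from Proofpoint, here is the attachment policy Burns describes written as a gateway-style check in Python: it parses a raw email message and reports every attachment whose name ends in a blocked extension. The blocked-extension list and the sample message are assumptions, and the check also looks inside .zip attachments, which goes beyond what the article states.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions the policy treats as executable content (assumed list, not Proofpoint's).
BLOCKED_EXTENSIONS = {".exe", ".js"}

def _blocked_name(filename: str) -> bool:
    """True if the file name's final extension is on the blocklist.
    Trailing dots and spaces are stripped and the match is case-insensitive,
    so 'Invoice.JS' and 'invoice.js.' are both caught."""
    name = filename.strip().rstrip(". ").lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def blocked_attachments(raw_message: bytes) -> List[str]:
    """Return the attachment names the policy would block for one raw RFC 5322 message.
    Zip attachments are opened in memory and their member names are checked too."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if _blocked_name(filename):
            hits.append(filename)
            continue
        if filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f"{filename}:{m}" for m in zf.namelist() if _blocked_name(m))
            except zipfile.BadZipFile:
                hits.append(filename)  # unreadable archive: fail closed
    return hits

def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF, one .js attachment, one zip containing a .js."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"// sample text", maintype="application", subtype="octet-stream", filename="Invoice.JS")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.js", "// sample text")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return bytes(msg)
```

Running `blocked_attachments(build_sample_message())` flags the .js attachment and the .js inside the zip while leaving the PDF alone.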
As for why threat actors have chosen now to leverage JavaScript, Burns said there’s no way of knowing. “I would love to interview them.” Ultimately, they will use whatever makes installing malware easiest because that’s how they make their living. “If the world is adapting, they are going to move to the next thing,” he said. “We definitely see them experimenting with different things.”