Discovery
While hunting for malware we found an interesting JavaScript sample that at first glance appears benign: all it seems to do is dynamically define a few object properties. But is that all there is to it?
Looking at the status bar, the file size is 13.65 KB, which doesn't add up: the visible code is only a few hundred bytes. Scrutinizing it further, you will notice a comment block at the end of the code, which again doesn't look interesting since it appears to be a comment full of random strings. Toggling word wrap reveals that it is more than a random comment.
By now you can tell that something is fishy about code hidden between two large chunks of random-looking comments. Let's dig deeper and take a look at what this code does.
First, let's isolate the suspicious code and, using a VS Code extension, format the document for a better view of the JavaScript.
Deep Dive Analysis
Before we continue, let's see what Varist Hybrid Analyzer can find out about this sample.
The analysis report shows indicators of internet activity, which we can confirm through further analysis of the code.
The code can be broken down into four functions:
- Data table definition – defines a table that holds chunks of strings
- Data table lookup – returns a string from the data table given an index
- Remote code download – downloads remote JavaScript code
- Dynamic function call – executes the downloaded JavaScript code
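The two tricks described so far, padding a tiny loader with huge comment blocks and assembling its strings through a lookup table, can be undone mechanically. The following is an added triage script (not code from the original post or from the sample itself): it measures the comment-to-code ratio, strips the comments, resolves calls to the table-lookup function back into string literals, folds the resulting concatenations and lists any URL that falls out. The `SAMPLE` it runs on is constructed to mimic the layout of the file; it is not the real BILL54878.js, and the function names are mine.

```javascript
// Added example (not from the original post): triage helpers for a script that hides a
// small loader between very large comment blocks and pulls its strings from a lookup
// table. SAMPLE is constructed to mimic that layout; it is not the real BILL54878.js.

const SAMPLE = [
  "/* " + "A".repeat(600) + " */",                                 // junk comment block
  "var t = ['hxxps://', 'blawx[.]com', '/letter.php?', '9280'];",  // data table
  "function g(i) { return t[i]; }",                                // data table lookup
  "var u = g(0) + g(1) + g(2) + g(3);",                            // URL assembled at runtime
  "// fetchAndRun(u) would be the downloader and dynamic call; omitted on purpose",
  "/* " + "B".repeat(600) + " */",                                 // junk comment block
].join("\n");

// Remove /* ... */ and // comments. Deliberately simple: it does not understand comment
// markers inside string or regex literals, which is acceptable for a first triage pass.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:])\/\/[^\n]*/g, "$1");   // the [^:] guard keeps "https://" intact
}

// Comment bytes versus code bytes. A loader padded with junk comments has a ratio far
// above anything a legitimately commented script reaches.
function commentPadding(src) {
  const code = stripComments(src);
  const codeBytes = code.trim().length;
  const commentBytes = src.length - code.length;
  return { totalBytes: src.length, codeBytes, commentBytes,
           ratio: codeBytes ? commentBytes / codeBytes : Infinity };
}

const STR = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;

// Resolve calls to the table-lookup function back into string literals and fold the
// resulting "a" + "b" concatenations so the assembled URL becomes readable.
// Literal contents are copied raw; a table string containing a double quote would
// need proper re-escaping, which this triage pass does not attempt.
function resolveLookups(code) {
  const table = /(?:var|let|const)\s+(\w+)\s*=\s*\[((?:\s*(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*,?)*)\s*\]/.exec(code);
  if (!table) return { code, lookupFn: null, strings: [] };
  const strings = [...table[2].matchAll(STR)].map(m => (m[1] !== undefined ? m[1] : m[2]));
  // function F(p) { return T[p]; }  where T is the table found above
  const fnRe = new RegExp(
    `function\\s+(\\w+)\\s*\\(\\s*(\\w+)\\s*\\)\\s*\\{\\s*return\\s+${table[1]}\\s*\\[\\s*\\2\\s*\\]\\s*;?\\s*\\}`);
  const fn = fnRe.exec(code);
  if (!fn) return { code, lookupFn: null, strings };
  const callRe = new RegExp(`\\b${fn[1]}\\s*\\(\\s*(\\d+)\\s*\\)`, "g");
  let out = code.replace(callRe, (whole, i) =>
    strings[Number(i)] === undefined ? whole : `"${strings[Number(i)]}"`);
  const concat = /"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/;
  while (concat.test(out)) out = out.replace(concat, (_, a, b) => `"${a}${b}"`);
  return { code: out, lookupFn: fn[1], strings };
}

// Defanged (hxxp) or live (http) URLs left in the resolved code, deduplicated.
function urlIndicators(code) {
  return [...new Set(code.match(/h(?:xx|tt)ps?:\/\/[^\s"']+/g) || [])];
}

function triage(src) {
  const padding = commentPadding(src);
  const { code, lookupFn, strings } = resolveLookups(stripComments(src));
  return { padding, lookupFn, strings, resolved: code.trim(), indicators: urlIndicators(code) };
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

On the constructed sample the comment ratio is roughly 10:1 and the resolved code reads `var u = "hxxps://blawx[.]com/letter.php?9280";`, which is the URL the next paragraph reaches by hand. The same pass works on the second-stage file described below because it uses the identical comment-padding trick; a table with nested brackets or escapes inside its strings is handled, but a loader that computes indices at runtime (for example `g(i + 2)`) is not, and would have to be run in a sandbox instead.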
In summary, this hidden piece of code downloads and executes further JavaScript from hxxps://blawx[.]com/letter.php?9280, which uses the same trick of hiding code between large comment blocks, as shown below:
For this second-stage script, Varist Hybrid Analyzer reports indicators of PowerShell execution and internet activity; analysis confirms that it downloads and implants a final payload on the affected system.
The PowerShell code's behavior can be broken down into the following actions:
- Downloads base64-encoded data from hxxps://boxtechcompany[.]com/1/GetData.php?6897
- Creates a folder in %ApplicationData% named DIVX<random number>
- Saves the decoded data to %ApplicationData%\DIVX<random number>\zxc.zip
- Extracts the contents of the saved ZIP archive into the created folder
- For persistence, adds %ApplicationData%\DIVX<random number>\client32.exe to HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
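The chain above leaves a distinctive trail in endpoint telemetry: a script host spawning PowerShell, PowerShell writing zxc.zip into a DIVX<digits> folder under the roaming profile, and a Run value pointing at client32.exe in that same folder. The following is an added detection example, not code from the original post: a correlation check over constructed Sysmon-style records (EventID 1 process create, 11 file create, 13 registry value set). It assumes %ApplicationData% resolves to `<profile>\AppData\Roaming`; the host names, SID, PIDs, DIVX number and the Run value name `Updater` are all made up.

```javascript
// Added example (not from the original post): correlation check over constructed,
// Sysmon-style telemetry for the PowerShell stage described above. Assumes
// %ApplicationData% = <profile>\AppData\Roaming; all record contents are made up.

const DIVX_DIR = /\\AppData\\Roaming\\(DIVX\d+)\\/i;
const RUN_KEY  = /\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\/i;
const PS          = /\\(powershell|pwsh)\.exe$/i;
const SCRIPT_HOST = /\\(wscript|cscript)\.exe$/i;
const PSH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";

const EVENTS = [   // constructed records, not real logs
  { id: 1,  host: "WS01", user: "CORP\\alice", pid: 4120, image: "C:\\Windows\\System32\\wscript.exe",
    cmdline: "wscript.exe C:\\Users\\alice\\Downloads\\BILL54878.js" },
  { id: 1,  host: "WS01", user: "CORP\\alice", pid: 4388, ppid: 4120, image: PSH },
  { id: 11, host: "WS01", user: "CORP\\alice", pid: 4388, image: PSH,
    target: "C:\\Users\\alice\\AppData\\Roaming\\DIVX58213\\zxc.zip" },
  { id: 11, host: "WS01", user: "CORP\\alice", pid: 4388, image: PSH,
    target: "C:\\Users\\alice\\AppData\\Roaming\\DIVX58213\\client32.exe" },
  { id: 13, host: "WS01", user: "CORP\\alice", pid: 4388, image: PSH,
    target: "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    details: "C:\\Users\\alice\\AppData\\Roaming\\DIVX58213\\client32.exe" },
  { id: 11, host: "WS02", user: "CORP\\bob", pid: 900, image: "C:\\Windows\\explorer.exe",  // benign noise
    target: "C:\\Users\\bob\\AppData\\Roaming\\DIVX Player\\settings.ini" },
];

// One finding per host/user that shows any stage; "high" when the dropped archive and
// the Run value refer to the same DIVX folder, i.e. the full chain was observed.
function detectNetSupportDrop(events) {
  const procs = new Map();   // "host|pid" -> image, from process-create events
  for (const e of events) if (e.id === 1) procs.set(`${e.host}|${e.pid}`, e.image);

  const byUser = new Map();  // "host|user" -> collected evidence
  const evidence = k => {
    if (!byUser.has(k)) byUser.set(k, { zip: new Set(), run: new Set(), pids: new Set(), scriptHostParent: false });
    return byUser.get(k);
  };
  for (const e of events) {
    const key = `${e.host}|${e.user}`;
    // Stage 0: PowerShell launched by wscript/cscript (the .js downloader)
    if (e.id === 1 && PS.test(e.image) && SCRIPT_HOST.test(procs.get(`${e.host}|${e.ppid}`) || "")) {
      const ev = evidence(key); ev.scriptHostParent = true; ev.pids.add(e.pid);
    }
    // Stage 1: PowerShell writes zxc.zip into %ApplicationData%\DIVX<n>\
    if (e.id === 11 && PS.test(e.image) && /\\zxc\.zip$/i.test(e.target)) {
      const m = DIVX_DIR.exec(e.target);
      if (m) { const ev = evidence(key); ev.zip.add(m[1].toUpperCase()); ev.pids.add(e.pid); }
    }
    // Stage 2: a Run value whose data is %ApplicationData%\DIVX<n>\client32.exe
    if (e.id === 13 && RUN_KEY.test(e.target) && /\\client32\.exe$/i.test(e.details || "")) {
      const m = DIVX_DIR.exec(e.details);
      if (m) { const ev = evidence(key); ev.run.add(m[1].toUpperCase()); ev.pids.add(e.pid); }
    }
  }
  const findings = [];
  for (const [key, ev] of byUser) {
    const [host, user] = key.split("|");
    const sameDir = [...ev.zip].some(d => ev.run.has(d));
    findings.push({
      host, user,
      dirs: [...new Set([...ev.zip, ...ev.run])],
      pids: [...ev.pids],
      stages: { scriptHostParent: ev.scriptHostParent, archiveDropped: ev.zip.size > 0,
                runKeyPersistence: ev.run.size > 0 },
      severity: sameDir ? "high" : "medium",
    });
  }
  return findings;
}

console.log(JSON.stringify(detectNetSupportDrop(EVENTS), null, 2));
```

The folder name is the pivot: keying on `DIVX\d+` rather than on the random number means one rule covers every infection, and requiring the same folder in both the file write and the Run value keeps a legitimate DivX installation (the WS02 noise record) from raising a high-severity alert. If your telemetry only has the registry event, the `medium` finding is still worth a look, since a Run value pointing into a freshly created folder under the roaming profile is rarely benign.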
The file client32.exe, which Varist detects as W32/Tool.EQYN-2153, is a variant of the NetSupport remote administration tool.
Attribution
Based on the above findings and the presence of a few further indicators, such as the licensee name HANEYMANEY found in the NetSupport RAT license file, this set of samples is related to SocGholish activity, which is attributed to the adversary group TA569.
Checking the configuration file, Client32.ini, we can also find the C2 server IP in its GatewayAddress field, as shown in the screenshots below.
Further digging suggests that this malware is very likely delivered through malicious advertisements, also known as malvertising: the JavaScript file, BILL54878.js, appears to have been downloaded from a URL linked to Google Ads.
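The Client32.ini check above is worth automating, since every NetSupport drop of this kind ships its own copy of the file and the GatewayAddress value is the C2 indicator you want in a blocklist. The following is an added example, not code from the original post: a small INI reader that returns every GatewayAddress value with its section, split into host and optional port, and prints it as a row in the shape of the IOC table at the end of this post. The INI text is constructed; only the GatewayAddress key name comes from the write-up, while the `[HTTP]` section name and the other keys are assumed filler, and the address uses a documentation range rather than the real C2.

```javascript
// Added example (not from the original post): pull the C2 address out of a NetSupport
// Client32.ini. The INI below is constructed; only the GatewayAddress key is from the
// write-up, the [HTTP] section name and the remaining keys are assumed filler.

const SAMPLE_INI = [
  "; constructed sample, not the real configuration file",
  "[Client]",
  "Quiet=1",
  "[HTTP]",
  "GatewayAddress=192.0.2.10:443",
  "Port=443",
  "",
].join("\r\n");

// Minimal INI reader: [sections], key=value pairs, ; or # comment lines, optional quotes.
function parseIni(text) {
  const sections = {};
  let current = "";
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ";" || line[0] === "#") continue;
    const sec = /^\[(.+?)\]$/.exec(line);
    if (sec) { current = sec[1]; sections[current] = sections[current] || {}; continue; }
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let val = line.slice(eq + 1).trim();
    if (val.length >= 2 && val[0] === '"' && val[val.length - 1] === '"') val = val.slice(1, -1);
    (sections[current] = sections[current] || {})[key] = val;
  }
  return sections;
}

// Every GatewayAddress value, wherever it sits, as { section, host, port }.
// Accepts "host" or "host:port"; IPv4 or hostname, IPv6 literals are not expected here.
function gatewayAddresses(text) {
  const out = [];
  for (const [section, kv] of Object.entries(parseIni(text))) {
    for (const [key, val] of Object.entries(kv)) {
      if (key.toLowerCase() !== "gatewayaddress") continue;
      const m = /^([^:\s]+)(?::(\d{1,5}))?$/.exec(val);
      if (m) out.push({ section, host: m[1], port: m[2] ? Number(m[2]) : null });
    }
  }
  return out;
}

// Rows in the same "Type | Indicator | Description | Varist Detection |" layout as the
// IOC table at the end of this post.
function iocRows(text) {
  return gatewayAddresses(text).map(g =>
    `IP | ${g.host} | C2 host (${g.section}, port ${g.port === null ? "n/a" : g.port}) | |`);
}

console.log(iocRows(SAMPLE_INI).join("\n"));
```

Matching the key name case-insensitively and scanning every section rather than a fixed one keeps the extractor working if the operator edits the file layout; a value that fails the host:port pattern is skipped rather than guessed at, so a garbled field shows up as a missing row instead of a bad indicator.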
Best Practices and Recommendations
Varist highly recommends keeping your antivirus definitions up to date and exercising caution when opening attachments, even those from someone you trust; doing so will help protect you from social engineering attacks that deliver malware.
See how Varist’s Hybrid Analyzer can turbo-charge your malware analysis pipeline with our free demo. Head over here to take a look.
Indicators of Compromise
Type | Indicator | Description | Varist Detection |
---|---|---|---|
URL | hxxp://adclick[.]g[.]doubleclick[.]net/aclk?sa=L&ai=Br-lWs9D-UuqXJ-3W0AHXjoBIgZrh2wQAAAAQASCB24gaOABY2YWF7IUBYM3Q5YCQA7IBFWNsaWNram9nb3MudW9sLmNvbS5icroBCWdmcF9pbWFnZcgBCdoBM2h0dHA6Ly9jbGlja2pvZ29zLnVvbC5jb20uYnIvam9nb3MvM2QtZmVycmFyaS1mNDU4L6kCUuihKYoXnD7AAgLgAgDqAhovODQyMjAzMy9nYW1lX2ludGVyc3RpdGlhbPgC_9EekAOcBJgD2ASoAwHQBJBO4AQBoAYf&num=0&sig=AOD64_3QPS9aAcXGF8Lodprvo3IIHRNu1Q&client=ca-pub-8399249277895561&adurl=///gg.gg/carzzz%23rT///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz///gg.gg/carzzz | Malvertisement link | |
URL | hxxps://gg[.]gg/carzzz#rT | Malvertisement redirection link | |
URL | hxxps://blawx[.]com/#rT | Malvertisement landing page | |
URL | hxxps://blawx[.]com/#download | Drive-by download link | |
SHA256 | eebb69a2374dbd4def5e52e2264b544e02abdc1cc0114e5137f4d49ce3c50beb | BILL54878.js – Downloader malware | JS/Downldr.EO.gen!Eldorado, JS/Downldr.WI!Eldorado |
URL | hxxps://blawx[.]com/letter.php?9280 | Remote JavaScript URL | |
SHA256 | b8ab3638aa059c62f5bd3c71bb8863c7be11c758b858622bb5da565717278696 | Initial JavaScript payload | JS/Agent.CDM.gen!Eldorado |
URL | hxxps://boxtechcompany[.]com/1/GetData.php?6897 | Final payload URL | |
SHA256 | bb43c603375bda9cb8529863191f4d61dc62f880f01860b1107066cede52e519 | Base64 encoded payload | W32/Tool.EQYN-2153 |
SHA256 | 68a735f9f413cf02e528f23406fb079b9974354c3ee406dc292086246463d45e | zxc.zip – Final payload package | W32/Tool.EQYN-2153 |
SHA256 | 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d | client32.exe – NetSupport RAT | W32/Tool.EQYN-2153 |
Name | HANEYMANEY | NetSupport RAT licensee name | |
IP | 81.19.137.226 | C2 host | |