So why .js? According to Bryan Burns, Vice President of Threat Research at Proofpoint,
“Users have been trained to not click exe attachments, but many may not know what a “js” file is, or that it can be just as dangerous. The icon looks like a document which is somewhat confusing to users unfamiliar with this file type.”
The sheer message volume is also a distinguishing feature of these campaigns. The graph below shows the relative volumes of .js attachments versus other malicious documents in recent campaigns, with .js messages exceeding all other document attachments combined by 4-8 times at their peaks:
These are, in fact, the largest campaigns observed in recent years by Proofpoint researchers, relying on massive botnets to distribute huge volumes of malicious emails. The botnets are worldwide, but India and Vietnam are by far the largest sources of sending IP addresses for these campaigns. The figure below shows the relative number of messages originating from each country.
Although this technique has been used before with ransomware variants like Teslacrypt and CryptoWall, these campaigns are almost exclusively dropping Locky and Dridex. We have observed little in the way of industry or vertical targeting, but, because Dridex uses country- and bank-specific injects, we have seen some geo-targeting in the US, the UK, and Western Europe. Locky, on the other hand, has taken much more of a shotgun approach, relying simply on very high volumes with little targeting.
These campaigns are of concern because:
- Their massive volumes dramatically increase the risk of reaching recipients who lack sufficient electronic protections or who don't recognize potentially malicious file attachments, and
- The files are not immediately recognizable as malicious the way .exe files are, and they don't generate macro-related warning messages.
For both organizations and individuals, this means that using antimalware solutions capable of detecting advanced threats becomes more important than ever. At the same time, we need to ensure that users remain vigilant in email best practices and are aware of the growing variety of attached documents that may be malicious.