• This new trojan downloads other malware such as GandCrab ransomware, SmokeLoader, AZORult Trojan, Phorpiex spambot, and a Monero cryptocurrency miner.
  • Spam emails masked as ‘love letters’ contained the malware in zipped .js attachments.

Last week, a team of security researchers identified a new kind of malware that was gradually spreading through spam emails. The malware uses JavaScript to download further malicious software such as ransomware, spyware, miners, and worms.

Dubbed “TROJAN.JS.PLOPROLO.THOAOGAI” by Trend Micro, it downloads payloads such as GandCrab ransomware, SmokeLoader, AZORult Trojan, Phorpiex spambot, and a Monero cryptocurrency miner. All of these downloads are initiated once the user opens the ZIP attachment in the spam email and runs the JavaScript file inside it.

It has also been reported that the malware varies according to the region and the industry it is targeting. According to the firm, Japan is the most affected country by region, followed by India and the United States. Among industries, education and banking were hit hardest by this malware.

Rising Malspam traffic

A blog article by Brad Duncan of Malware Traffic Analysis showed how this malware spreads in the so-called ‘love emails’ and, once it settles on a host, keeps re-downloading the same payloads.

“Infection traffic showed several HTTP requests for additional malware, resulting in multiple copies of the same malware on the infected host. The host generated Monero (XMRig) cryptocurrency mining traffic, and it also caused the expected post-infection traffic patterns for GandCrab ransomware. My infected lab host also turned into a spambot for the Phorpiex botnet,” Duncan explained.

Duncan also presented a brief picture of the associated IOCs. Spoofed sending addresses, the SHA256 hashes of the dropped files, and repetitive HTTP requests for the same executables are all part of the malware’s activity. In addition, considerable traffic came from the GandCrab, Monero miner, and Phorpiex EXE files once they were running.
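The indicators listed above (a zipped .js attachment, a spoofed sender, repeated HTTP fetches of the same executable, and known file hashes) are easy to turn into triage checks. The script below is an added example and not code from Cyware, Trend Micro, or Malware Traffic Analysis; every log line, email header, archive, and hash in it is constructed for the demonstration (the "IOC" hashes are SHA256 digests of short constructed strings, not real sample hashes). It generalizes slightly beyond the article by treating the other Windows Script Host extensions (.jse, .vbs, .wsf) the same way as .js.

```python
"""Triage helpers for the malspam indicators described in the article.

Added example with constructed data; not the researchers' own tooling.
"""
import hashlib
import io
import os
import re
import zipfile
from collections import Counter
from email.utils import parseaddr

# Constructed IOC list: SHA256 of constructed byte strings, NOT real sample hashes.
IOC_HASHES = {
    hashlib.sha256(b"constructed-gandcrab-sample").hexdigest(): "GandCrab ransomware (constructed)",
    hashlib.sha256(b"constructed-xmrig-sample").hexdigest(): "XMRig miner (constructed)",
}

# Script types that Windows Script Host runs when a user double-clicks them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf"}

# Constructed proxy log: timestamp, client, method, host, path, status.
# Host 10.0.0.5 fetches the same .exe three times, the "multiple copies" pattern.
PROXY_LOG = """\
2019-02-11T10:00:01 10.0.0.5 GET example-dl.invalid /payload/update.exe 200
2019-02-11T10:00:03 10.0.0.5 GET example-dl.invalid /payload/update.exe 200
2019-02-11T10:00:04 10.0.0.5 GET example-dl.invalid /payload/update.exe 200
2019-02-11T10:00:09 10.0.0.5 GET example-dl.invalid /payload/miner.exe 200
2019-02-11T10:00:10 10.0.0.7 GET cdn.example.invalid /js/app.js 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def repeated_executable_downloads(log_text, threshold=3):
    """Return {(client, url): count} for clients that fetched the same .exe
    at least `threshold` times within the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        _, client, _, host, path, _ = m.groups()
        if path.lower().endswith(".exe"):
            counts[(client, host + path)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def match_iocs(files):
    """files: {name: bytes}. Return {name: label} for contents whose SHA256
    appears in IOC_HASHES."""
    hits = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_HASHES:
            hits[name] = IOC_HASHES[digest]
    return hits


def sender_domain_mismatch(from_header, return_path):
    """True when the From: address domain differs from the envelope sender
    (Return-Path) domain, a cheap tell for a spoofed sending address."""
    def domain(addr):
        _, email_addr = parseaddr(addr)
        return email_addr.rpartition("@")[2].lower()
    return domain(from_header) != domain(return_path)


def scripts_in_zip(zip_bytes):
    """List archive members with a Windows Script Host extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def build_constructed_zip():
    """Build an in-memory ZIP holding a harmless placeholder .js file,
    mimicking the shape of the 'love letter' attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You_2019.js", "// constructed placeholder, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("repeat downloads:", repeated_executable_downloads(PROXY_LOG))
    print("ioc hits:", match_iocs({"update.exe": b"constructed-gandcrab-sample"}))
    print("spoofed sender:", sender_domain_mismatch(
        "Friend <friend@example.invalid>", "<bounce@other.invalid>"))
    print("scripts in attachment:", scripts_in_zip(build_constructed_zip()))
```

The repeat-download check is the one most worth wiring into real proxy or DNS logs: a workstation that pulls the same executable several times in a few seconds is behaving like this downloader, regardless of whether the hash is already on an IOC list.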

Furthermore, Windows opens .js files with the Windows Script Host by default, so a user who double-clicks the extracted attachment runs the script locally, and the script is then free to fetch further payloads from the web. Thus, Windows users could be susceptible to even more malware attacks due to this campaign.

Cyware Publisher