Analysis of Anti-virus detection and removal techniques of recent js scams

Analysis of Anti-virus detection and removal techniques of recent js scams

Recently, many netizens have reported that hackers have been blackmailed (also known as the "Locky ransomware"), and files, images, and other important information on computers have been encrypted by viruses. This type of virus carrier is a js script. The js script downloads the pe file of the remote server and runs the pe file locally to encrypt the data of the victim computer.
According to the security center monitoring, the js extortion virus is mainly spread through webpage Trojans and phishing emails. This article will analyze the propagation methods and anti-virus techniques of this virus.
0x01 webpage Trojans
Hackers may exploit vulnerabilities in some websites to implant the js extortion virus into the webpage. When a user accesses a webpage with malicious code, the computer will automatically download and execute the virus.

Figure 1: Sample 1
The sample shown in 1, which uses the hexadecimal system to encrypt the code. Therefore, it is relatively simple to decrypt the code, as shown in Code 2 after decryption:

Figure 2: decrypted sample 1
By analyzing the decrypted code, we can see that it uses the ActiveX Control of IE to obtain remote PE files. The execution process includes three steps: downloading files, saving files, and running files. It first creates an MSXML2.XMLHTTP object to communicate with the remote server, obtains data from the server, and then uses the created ADODB. the Stream object saves the obtained data to the user's TEMP directory, and finally uses the created WScript. the Shell object runs the file directly.
Because the encryption method of sample 1 is relatively simple, it is easy to be scanned and killed by anti-virus software. In order to perform anti-virus scanning and removal, its variants are more complex for encryption, the sample shown in 3 is a popular encryption method.

Figure 3: Sample 2
First, it defines a daughters function for the string. This function is used to intercept the string.

Figure 4: character Truncation
Then, some meaningless variables are inserted into the code for obfuscation. variables such as abeUtGplX, ojfdmCwgalh, yHoFUfYVm, and GapGRiqoRoK in 5 serve as obfuscation codes.

Figure 5: code obfuscation
Finally, in order to further achieve the purpose of eliminating the virus, it defines the keywords to be used in the Code into an array of nUvahxKnc, or it can combine keywords with meaningless characters, you can also split a keyword into several different characters and then split or splice the characters. It also inserts some meaningless characters in the array for code obfuscation, and dynamically modifies the length of the array in script execution to remove those meaningless characters, as shown in Code 6.

Figure 6: code obfuscation using Arrays
The Final decryption result of the sample is 7:

Figure 7: decrypted sample 2
0x02 Email transmission
Through social engineering, hackers carefully constructed a phishing email using people's curiosity and put the js scam script into the email attachment. When users double-click to run the js file, they will be tempted, shows common email formats.

Figure 8: Phishing 1

Figure 9: Phishing 2
In order to achieve the purpose of anti-scanning and removal, the js file in phishing mail 1 first uses the character splitting and splicing methods. As mentioned above, these methods are not analyzed.
Second, it places the main malicious code in an if condition expression, by calling Date. getMilliseconds and WScript. the Sleep function gets several different milliseconds, and then determines whether to execute the content in the if condition by determining whether the values of these variables are equal. 10.

Figure 10: if expression
The sample in phishing mail 1 is decrypted after 11.

Figure 11: decrypted Samples
By analyzing the encrypted code, we can see that the js swindlers and Trojans spread through phishing emails are different. Instead of running them using ActiveX controls, WScript objects are selected. In Windows, wscript.exe provides a host environment for the js script file. Therefore, when the mail is kept locally, double-click the js file to run it directly.
The sample in phishing 2 is a variant of phishing 1. In order to achieve further anti-virus effect, it has changed in the following aspects.
First, its if condition expression changes. It uses/* @ cc_on @ */For Conditional compilation. First, assign Kcm to false, then, assign the value of Kcm to true in Conditional compilation. If the anti-virus software does not handle this specially, it is difficult to detect the following content. The specific code is shown in Figure 12.

Figure 12: if condition expression after change
Second, in milliseconds, the Date. getMilliseconds function is used instead of the Date. getUTCMilliseconds function. For details, see Figure 12.
The sample of phishing 2 is decrypted, as shown in Figure 13.

Figure 13: decrypted sample
There is also a type of js sample. The encrypted keywords in the sample need to be decrypted using specific functions. 14. The value encrypted in the sample can be decrypted only by calling the adjurepe6 function. To improve the complexity, you need to call the btoa function again in the adjurepe6 function, only after the decryption of these two functions can the final result be obtained.

Figure 14: function Encryption
It is also common that js Code uses the escape Function for encryption to avoid scanning and killing. This function is used together with the eval function. In use, the unescape function is used to decode the string, and then the eval function is used to convert the string into js Code. This method is also frequently encountered in previous js extortion samples, but previously it was used to encrypt the entire js script, but now they only encrypt part of the code, the unencrypted part must use the functions and variables defined in the encrypted part, as shown in 15 and 16.

Figure 15: Encrypted code

Figure 16 unencrypted code
The addHandle used in the detectDuplicates, matchesSelector, fragment, and string functions cannot be found in unencrypted code. After the encryption code is decrypted, the value of addHandle is eval. After the code is decrypted, the main code 17 is shown.

Figure 17: decrypted script
Through the above analysis, we can see that in order to achieve the purpose of anti-detection and removal, the js swindlers use various code obfuscation and encryption methods, it even uses usage similar to/* @ cc_on @ */Conditional compilation. Because of the economic benefits of the virus, the update speed is extremely fast. The  security center will pay close attention to the latest trends of such viruses and provide effective protection solutions for users as soon as possible.