JavaScript has gone bad, beating out macros as top choice for spreading malware and ransomware

It’s quick, it’s easy, and it’s edged out macros embedded in Microsoft Office as the number one way to spread malware through email messages: Over the past month, researchers at Proofpoint Inc. have spotted a new trend in malicious email campaigns: attached JavaScript files.

Threat actors have been using attached Microsoft Office files with embedded malicious macros for years, said Bryan Burns, the company’s vice president of threat research in a telephone interview. Users have become savvy to the hazards of opening a .exe file attached to emails, but the use of JavaScript – not to be confused with Java – has only ever been used occasionally.

Until now. The use of .js files to spread ransomware and malware has spiked dramatically in the past two months, said Burns, with campaigns appearing in unprecedented volumes with hundreds of millions of messages being sent across Proofpoint’s customer base. In the past three months, he said, JavaScript has been the first choice of threat actors to spread malware.

Part of the reason is that education has made users much less likely to click on a .exe file – they know better. “The click rates have dropped down to the point where it’s not an effective technique,” said Burns. Couple that education with effective security technology that scans and catches malicious files before they reach the user, and threat actors just aren’t getting the same bang for their buck.

Creating an executable is complicated, noted Burns. “It’s difficult to develop malware with.” JavaScript allows malware makers to make efficient use of their time, and it’s easier change their scripts every couple of days to keep ahead of scanning technology.

proofpoint-graphOffice files with nasty macros remain the number two vector for threat actors, having become popular a couple of years ago, but Burns said JavaScript has taken over in the past two months in terms of message volume. It’s still the same threat actors, he said, with two primary objectives: getting Trojans into major financial institutions and getting ransomware into enterprises to hold their business files hostage, particularly those likely to use Microsoft Office 365.

Burns said the simplest approach to address this malicious JavaScript trend is to block .js files as they would an .exe. file. “We encourage customers to treat JavaScript attachments like they treat an executable.” He said a good email gateway will include a policy engine to support a security stance to defend against JavaScript attacks. “It’s going to be more reliable than making sure your user base does the right thing 100 per cent of the time.”

Blocking .js files through messaging platforms is unlikely to affect productivity, noted Burns, as developers who work with legitimate JavaScript files are likely to share them through collaborative repositories.

As for why threat actors have chose now to leverage JavaScript, Burns said there’s no way of knowing. “I would love to interview them.” Ultimately, they will use whatever makes installing malware easiest because that’s how they make their living. “If world is adapting, they are going to move to the next thing,” he said. “We definitely see them experimenting with different things.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Gary Hilson
Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now