Tuesday 21 June 2016

JavaScript Malware



The recently discovered RAA malware[1] is ransomware written entirely in JavaScript. Like other ransomware, RAA encrypts a user's files (including .doc, .xls, .pdf, .jpg, .png, .zip, .rar and .csv [2]) using AES-256, then demands a payment of $250 for the decryption key. To date the ransomware has mainly targeted Russian-language devices, but not exclusively. The malware is delivered as an email attachment that executes when opened.

So what makes RAA different, and why should we be concerned?
RAA is written entirely in JavaScript. It is probably not the first malware to be written in a scripting language, and it certainly won't be the last JS malware, but it is not every day that we see malware written in JS. JS is a scripting language with many uses, but it is primarily used to add dynamic content to a static HTML page; working alongside HTML and CSS, JS is what makes the web interactive. Unlike a compiled .exe file, which the user has to run deliberately, JS is an interpreted language that is executed automatically and without a warning – certainly in a web browser. At the moment RAA is delivered via an email attachment, but what most of the press is not saying is that, theoretically, there is nothing to stop this being ported for delivery via JS in a web browser. As soon as you land on a malicious page, JS will execute as part of the page content.

So what about mitigation? Whilst not currently a game stopper, RAA certainly has the potential to become more vicious. While this malware remains an email attachment, the normal rules apply: keep your AV up to date, beware of the sites you visit, and maintain regular backups. Some email software automatically blocks JS attachments, so keep your email packages up to date too. Once this malware ports to a web-page delivery mechanism, the current mitigation is to disable JS in your browser – keeping you safe, but without the web content and interactivity you expect. But what will we do when RAA is delivered via JS in a stored XSS?
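The attachment blocking mentioned above works by inspecting each MIME part's declared type and filename. The following is an added example (not code from the original post) showing such a check in Python, including the double-extension case such as `invoice.pdf.js`, where Windows runs the file under its final extension; the sample message, addresses and function names are constructed for illustration.

```python
"""Flag e-mail attachments that a Windows host would hand to a script interpreter.

Added example: builds a constructed sample message inline, walks its MIME parts and
reports any attachment whose final extension is a script type or whose declared
MIME type is JavaScript.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host executes on double-click (hypothetical policy list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh"}
SCRIPT_MIME_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def is_script_attachment(filename, content_type):
    """Return True if the attachment looks like an executable script."""
    if (content_type or "").lower() in SCRIPT_MIME_TYPES:
        return True
    name = (filename or "").lower().strip()
    # Only the final extension matters to Windows: 'report.pdf.js' runs as .js.
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in SCRIPT_EXTENSIONS


def flag_script_attachments(raw_message):
    """Parse a raw RFC 822 message and return the filenames of script attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        if is_script_attachment(part.get_filename(), part.get_content_type()):
            flagged.append(part.get_filename())
    return flagged


def build_sample_message():
    """Constructed sample: a benign PDF plus a double-extension .js attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"var a = 1;", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_script_attachments(build_sample_message()))  # ['invoice.pdf.js']
```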


[1] http://www.bbc.co.uk/news/technology-36575687
[2] https://www.enigmasoftware.com/raaransomware-removal/