A few weeks ago Richard posted a blog about malicious HTML attachments we were seeing in spam. Well, the attacks have continued since then along much the same lines. For example:
Current attachments are being blocked as Troj/JSRedir-BV.
As noted before, if the victim opens the HTML attachment, the embedded script will run within the browser and redirect them to another remote web page (hosted within a legitimate but compromised site). Sophos products block this page as Mal/Iframe-Q. From there, the attack is two-fold:
- META redirect to some spammy site (Canadian Pharmacy and similar)
- malicious IFRAME loading further content from another site
setTimeOut, and consists of a simple xor.
setTimeOut, the script is able to ensure there has been a sufficient delay. Most emulation tools will tend to ignore the setTimeOut delay, resulting in an incorrect xor key being generated, and decryption failing.
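To make the analysis point concrete, here is an added harness (not code from the Sophos post or from the sample) that models the behaviour described above: a decoder that records a start time, waits via setTimeout, derives its xor key from the elapsed time, and decodes. It runs the same constructed sample under two emulator models, one that advances a virtual clock when a timer fires and one that fires timers immediately, and shows that only the first recovers the payload. The key-derivation formula, the 3000 ms delay and the placeholder payload are assumptions made up for this illustration; they are not the real sample's values.

```javascript
// Added analysis harness; not from the original post or the malware sample.
// Models a timing-keyed xor decoder and shows why an emulator that ignores
// setTimeout delays derives the wrong key. All sample values are constructed.

// Hypothetical sample parameters (constructed for illustration).
const SAMPLE_DELAY_MS = 3000;

// Assumed key derivation: whole seconds elapsed since the script started, plus
// a constant, reduced to one byte. A naive emulator that fires timers at once
// sees ~0 ms elapsed and therefore computes a different key.
function deriveKey(elapsedMs) {
  return (Math.floor(elapsedMs / 1000) + 7) & 0xff;
}

// Single-byte xor over a string; xor is its own inverse, so the same routine
// both encodes and decodes.
function xorString(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key);
  }
  return out;
}

// Minimal virtual-clock event loop standing in for the browser's timer queue.
// honorDelays=true models a real browser (time passes before the callback);
// honorDelays=false models an emulator that skips the delay entirely.
function makeVirtualBrowser({ honorDelays }) {
  let now = 0;
  const queue = [];
  return {
    now: () => now,
    setTimeout: (fn, delayMs) => { queue.push({ fn, due: now + delayMs }); },
    run() {
      while (queue.length) {
        queue.sort((a, b) => a.due - b.due);
        const timer = queue.shift();
        if (honorDelays) now = Math.max(now, timer.due); // advance the virtual clock
        timer.fn();
      }
    },
  };
}

// Structure of the obfuscated script as the post describes it: note the start
// time, wait via setTimeout, derive the xor key from elapsed time, then decode.
function runSample(encoded, browser) {
  let decoded = null;
  const start = browser.now();
  browser.setTimeout(() => {
    const key = deriveKey(browser.now() - start);
    decoded = xorString(encoded, key);
  }, SAMPLE_DELAY_MS);
  browser.run();
  return decoded;
}

// Constructed payload: the real sample hides a redirect; here it is a
// placeholder URL. It is encoded with the key a real browser would derive.
const PLAINTEXT = "location.href='http://example.invalid/landing'";
const REAL_KEY = deriveKey(SAMPLE_DELAY_MS); // 10 under the assumed formula
const ENCODED = xorString(PLAINTEXT, REAL_KEY);

function decodeHonoringDelays() {
  return runSample(ENCODED, makeVirtualBrowser({ honorDelays: true }));
}

function decodeSkippingDelays() {
  return runSample(ENCODED, makeVirtualBrowser({ honorDelays: false }));
}

console.log("honoring delays:", decodeHonoringDelays());
console.log("skipping delays:", JSON.stringify(decodeSkippingDelays()));
```

The practical lesson for a sandbox or static-emulation tool is that a timer must move a virtual clock forward by its requested delay even when the tool does not actually sleep; firing callbacks immediately keeps analysis fast but silently changes any value the script derives from elapsed time, which is exactly what this class of sample depends on.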
When correctly deobfuscated, you can see that the script redirects the victim with a