FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.
This article highlights how FortiSandbox detects and captures the behavior of an obfuscated zero-day JavaScript sample. Upon execution, the original sample triggers the download of another JavaScript file, which plays a critical role as it contains commands and additional code aimed at establishing a connection and awaiting a response from a Command and Control (C2) server. This two-step approach showcases sophisticated malware delivery and underscores the covert nature of the malicious activities orchestrated by threat actors. FortiSandbox executes submitted files and URLs within a controlled environment mimicking real-world end-user scenarios.
All the information in this article was gathered from the Job detail report generated by FortiSandbox.
When examined by FortiSandbox, the obfuscated JavaScript file (MD5 hash: a3774b95093df96be7959ea2870ab3df) initiated the retrieval of an additional JavaScript file from the remote site 'hxxps://nac-ecs[.]co[.]mz/onedrive/wx[.]js'. Upon successful download, this second obfuscated file (MD5 hash: e787ce73144ebc03d7641aafba01c1da) was stored in the temporary folder and renamed to 'GKCTI.JS'. It was subsequently executed using WScript.exe with the command 'C:\Windows\System32\wscript.exe //B "C:\Users\ADMINI~1\AppData\Local\Temp\GKCTI.JS"'.
FortiSandbox recorded these actions and offers a Tree View diagram illustrating the sequence of execution. Please refer to Figure 1 below.
Figure 1. Chain of execution when the sample is run inside FortiSandbox
The suspicious indicators that were triggered are recorded as well. See the illustration in Figure 2.
Figure 2. FortiSandbox indicators with severity rating.
After the execution of 'C:\Users\ADMINI~1\AppData\Local\Temp\GKCTI.JS', FortiSandbox captures the behavior of the downloaded obfuscated JavaScript file. This behavior includes the creation or modification of an AutoStart registry entry to trigger automatic execution. Additionally, the script drops suspicious file(s) into the Startup folder, enabling the malicious file to run persistently without the user's knowledge.
Furthermore, the file contains commands aimed at managing a botnet and seeks to establish a connection with its Command and Control (C2) server to extract discovery data. Consequently, the compromised machine awaits further instructions from this server and sends an initial request to its C2 server at hxxp://chongmei33[.]publicvm[.]com:7045/is-ready as shown in Figure 3.
Figure 3. The downloaded JavaScript connects to its Command-and-Control server.
Once the connection is established, the compromised machine will attempt to send a request to its C2 server. Upon receiving this request, the server endeavors to send a response back to the compromised machine, containing commands aimed at downloading, logging, and controlling the victim’s machine.
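The behaviors described above (silent wscript.exe execution of a .js from the Temp folder, Run-key and Startup-folder persistence, and the HTTP beacon to /is-ready on port 7045) can be turned into simple detection rules. The following Python script is an added example, not part of the original article and not FortiSandbox's own logic; the event-line format, the rule regexes and the scoring threshold are assumptions, and the sample events are constructed to mirror the article's observations.

```python
import re

# Constructed sandbox-style event lines modelled on the behaviour described in the
# article. The line format is an assumption for this example, not FortiSandbox's
# report format; the C2 host is kept defanged as it appears on the page.
EVENTS = [
    'PROC image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe //B C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\GKCTI.JS"',
    'FILE op=write path=C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\GKCTI.JS',
    'REG op=set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=GKCTI',
    'NET proto=http host=chongmei33[.]publicvm[.]com port=7045 path=/is-ready',
    'PROC image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"',
]

# Each rule: (MITRE technique, description, regex). Technique IDs follow the article's table.
RULES = [
    ("T1059.007", "wscript silently (//B) runs a .js from a Temp folder",
     re.compile(r'^PROC .*wscript\.exe .*//B .*\\Temp\\[^\s"]+\.js', re.I)),
    ("T1547.001", "AutoStart Run key modified",
     re.compile(r'^REG op=set key=HK..\\.*\\CurrentVersion\\Run\b', re.I)),
    ("T1547.001", "file dropped into the Startup folder",
     re.compile(r'^FILE op=write path=.*\\Startup\\', re.I)),
    ("T1105", "HTTP beacon to /is-ready on a non-standard port",
     re.compile(r'^NET .*port=(?!80\b|443\b)\d+ path=/is-ready', re.I)),
]


def evaluate(events):
    """Return (technique, description, event) for every rule that matches an event."""
    hits = []
    for event in events:
        for technique, description, pattern in RULES:
            if pattern.search(event):
                hits.append((technique, description, event))
    return hits


def verdict(hits, threshold=3):
    """Score by distinct techniques: execution plus persistence plus C2 is enough (assumed threshold)."""
    techniques = {technique for technique, _, _ in hits}
    if len(techniques) >= threshold:
        return "malicious"
    return "suspicious" if techniques else "clean"


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for technique, description, event in found:
        print(f"{technique}: {description}\n    {event}")
    print("verdict:", verdict(found))
```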
The malware employs a passive mode to retrieve the latest binary modules, allowing only the C2 server to determine when and where to obtain and execute the most recent module. This tactic prevents security analysts from accessing the latest binary to replicate the script. The FortiSandbox team managed to de-obfuscate the file offline to further understand these commands used by the malware as illustrated in Figure 4.
Figure 4. Malicious commands from the malware
An example of such a command is 'up-n-exec' detailed in Figure 5. This command enables the C2 server to download files into the victim’s machine by providing a URL and the targeted path it intends to save the file to.
Figure 5. ‘up-n-exec’ command alongside its definition
Another available command is the 'shutdown' command. This functionality allows the malicious actor to forcefully close open applications without warnings and power off the victim's system without delay, using WScript.Shell to execute the command depicted in Figure 6.
Figure 6. ‘shutdown’ command
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via Inline Scan and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
Technique ID | Technique Description | Observed Activity
T1059.003 | Windows Command Shell | The file with a suspicious extension tries to use GKCTI.JS to start a process.
T1059.007 | JavaScript | The JavaScript is used to download an additional JavaScript which contains commands aimed at downloading, logging, and controlling the compromised machine.
T1547.001 | Registry Run Keys / Startup Folder | AutoStart registry modifications to initiate automatic execution during startup, which ensures persistence.
T1105 | Ingress Tool Transfer | The JavaScript tried accessing the malicious URLs hxxp://nac-ecs[.]co[.]mz/onedrive/wx[.]js and hxxp://chongmei33[.]publicvm[.]com:7045/is-ready.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious JavaScript | a3774b95093df96be7959ea2870ab3df | MD5 Hash | Installation | JavaScript used to download the second JavaScript file. | 2024-03-05
Malicious JavaScript | a53fd33ebf76c29f2e189b9bc0871b8bb29ac0775595251b5cd585b3beb98006 | SHA256 Hash | Installation | JavaScript used to download the second JavaScript file. | 2024-03-05
Malicious JavaScript | e787ce73144ebc03d7641aafba01c1da | MD5 Hash | Installation | JavaScript aimed at establishing botnet and connecting to its C2 server. | 2024-03-05
Malicious JavaScript | 0d7333b94192933eae94111585d35e05bfbd44f853f83e17b38a24280803cbee | SHA256 Hash | Installation | JavaScript aimed at establishing botnet and connecting to its C2 server. | 2024-03-05
Malicious site | hxxps://nac-ecs[.]co[.]mz/onedrive/wx[.]js | URL | Installation | Malicious site hosting the second JavaScript. | 2024-03-05
C&C site | hxxp://chongmei33[.]publicvm[.]com:7045/is-ready | URL | C2 Server | C2 contacted. | 2024-03-05
The detailed analysis of an obfuscated zero-day JavaScript sample underscores the sophistication of modern malware delivery methods and emphasizes the importance of proactive defense measures. FortiSandbox successfully identified both downloaded files and their connection to remote sites, demonstrating its effectiveness in threat detection and mitigation.
Copyright 2025 Fortinet, Inc. All Rights Reserved.