Click-Fraud Malware Spreading via JavaScript Attachments

The SANS Internet Storm Center reports a rash of malicious spam pushing Kovter click-fraud malware.

A new malware campaign has been spotted that has begun seeding spam messages with a downloader heavily obfuscated with JavaScript. The SANS Internet Storm Center said today that two days ago, a flood of spam messages were observed laced with .js attachments.

The JavaScript obfuscates a downloader that once it’s installed on a compromised machine, calls out to a number of domains looking for either the Kovter or Miuref click-fraud malware.

The success of this effort, however, might be short-lived since it’s fairly simple for spam engines to filter .js files.

“I just look at it as a different format than the zipped .exe files we see with some of the other botnet-based malspam,” said Brad Duncan, a SANS ISC handler and researcher with Rackspace’s information security operations center. “There shouldn’t be a business reason to allow these sorts of files. Other botnet-based malspam sends zipped EXE files which are also easily filtered. I look at this as another fairly futile attempt to spew more malware to the world’s inboxes.”

Some of the messages Duncan spotted spoof unpaid E-ZPass toll charges, notices to appear in court, or delivery invoices. File names and hashes for the attachments and extracted files are available on the SANS ISC website.

In a test environment, Duncan said he observed three executable file posing as GIF images downloaded by the .js file and POST requests sent over HTTP for Kovter; some of the traffic also triggered alerts for Miuref and Boaxxe samples.

Both sets of click-fraud malware have mostly propagated via either exploit kits or malvertising campaigns. In January, security company Cyphort reported that the Canadian version of Huffington Post was hosting malicious ads from an AOL ad network that redirected to a landing page serving an exploit kit. The exploit kit pushed an exploit for an Adobe Flash vulnerability as well as a VB script that downloaded Kovter. In addition to Huffington Post, other busy sites such as,, and among others were also pushing malvertising.

“I’ve usually found Kovter and Miuref associated with exploit kit traffic. There’s nothing stopping click-fraud type Trojans being sent through malspam, though,” said Duncan, who added that he specializes in exploit kit research. “Any executable used as a payload for an exploit kit can also be used as a second-stage payload for .js malware, or those EXEs can be zipped and sent as malspam attachments.  CryptoWall 3.0 is a good example.”

Kovter infections are not limited to click-fraud. Some variants spread ransomware.

“I suppose whatever’s most profitable to the criminals trying to spread the malware.  How expensive is an exploit kit compared to a malspam botnet?” Duncan said. “How much more effective, overall are the infection rates? I couldn’t tell you that. Like an investor trying to diversify his or her portfolio, criminal organization probably use different methods to delivering their malware.”

This article was updated July 29 to remove references to the Asprox botnet.

Suggested articles