1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

RAA Ransomware Is 100 Percent JavaScript

Discussion in 'General Malware And Security' started by starbuck, Jun 14, 2016.

  1. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Besides ransomware, RAA also drops the Pony infostealer

    cb27eb19a1c2f708b0e7e4056eee9cd9.png

    A new ransomware family called RAA uses only JavaScript code to infect computers and encrypt their data.
    RAA is not the first JS-based ransomware piece, but it is the first that relies 100 percent on JavaScript to infect computers.

    In January, Emsisoft security researcher Fabian Wosar discovered Ransom32, the first ransomware family written in JavaScript, but Ransom32 was only coded in Node.js, and crooks still distributed it as an executable.

    On the other hand, RAA is delivered as a .js file. Crooks attach this file to spam email, disguising it to look like an Office document.
    Some users might download and execute this file.

    RAA works entirely via JavaScript

    The malicious JavaScript code contained in email attachment is obfuscated to deter security researchers from reverse-engineering its source.

    On most computers, this code runs via the Windows Script Host (WSH), which executes its commands system-wide, giving the malicious script access to system utilities.

    The JS file will also create a fake Word document and open it.
    The file contains random files to fool users into thinking the document is corrupted.

    The RAA payload includes the CryptoJS library.
    This JavaScript toolkit adds support for cryptographic functions in JavaScript.
    CryptoJS allows RAA to encrypt user files.

    The same RAA payload also contains a base64-encoded version of the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Pony is usually used for reconnaissance, so crooks get a better overview of the infected system. Often, Pony goes hand in hand with banking trojans, but this behavior was not observed for RAA infections.

    RAA is currently undecryptable

    RAA only encrypts 16 file types and then displays its ransom note.
    The researchers who spotted the malware first, @JAMES_MHT and @benkow_, only came across RAA versions with a ransom note in Russian.

    The ransomware asks for 0.39 Bitcoin (~$250) as payment, claims to use AES-256 encryption, and asks users to contact the malware author via email to receive their decryption keys.
    According to Bleeping Computer, RAA is currently undecryptable.

    Victims will have a hard time recognizing RAA infections because the ransomware uses the ".locked" file extension when it encrypts user files.
    Below is a screenshot of the RAA ransom note if you need a visual reference.

    5db1a26d7017609faec7f10037fe6906.jpg

    Translated Ransom note:

    Source:
    http://news.softpedia.com/news/raa-ransomware-is-100-percent-javascript-505228.shtml

    More detailed information:
    http://www.bleepingcomputer.com/new...somware-is-created-entirely-using-javascript/
     
    starbuck, Jun 14, 2016
    #1

Share This Page