It is currently believed to download the Ursnif banking Trojan, but we have tracked multiple different scripts using the name Case_Details.js.
One of the scripts invokes WScript to download a Trojan; another invokes a PowerShell function. As the script is changed often, the authors can also change the payload,
so it could potentially include ransomware.
If you receive a PCN notice via e-mail from Barking and Dagenham, please DELETE it, or go to their website by manually typing their address.
A fake web page asks the user to complete a CAPTCHA before downloading the information.
On day two the Trojan had a different script, which uses wscript.exe to run a PowerShell command instead.
The script uses function returns, arrays and variables to assemble the final malicious script.
Most enterprise security solutions include behavioural analysis, which can detect how scripts are running and will help protect your machine.
Also, ensuring that all *.js files are set by default to open within secure browsers such as Chrome or Firefox may help, as they run .js scripts in a browser
sandbox, stopping scripts from being run on the host directly.
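The behaviour described above (a Windows Script Host process launched on a .js attachment, then spawning PowerShell) is exactly what a behavioural rule can key on. The following detector is an added example written for this post, not code from the original article or from any vendor product; the process-creation log lines it consumes are constructed for the example, as is their simple `pid=... ppid=... image=... cmd="..."` format. The `<placeholder>` in the PowerShell command line stands in for whatever the real sample passed and is not taken from the malware.

```python
"""Flag process-creation events matching the Case_Details.js behaviour:
Windows Script Host (wscript.exe/cscript.exe) running a .js file, and a
shell such as powershell.exe spawned by that script host.

Added example; the log format and the sample lines are constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Folders where a mail attachment would typically be executed from
SUSPECT_DIRS = re.compile(
    r"\\(Downloads|Temp|AppData\\Local\\Temp|INetCache)\\", re.IGNORECASE
)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: pid=<n> ppid=<n> image=<path> cmd="<cmdline>"."""
    m = re.match(r'pid=(\d+) ppid=(\d+) image=(\S+) cmd="(.*)"$', line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return Event(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_alerts(lines):
    """Return (pid, severity, reason) tuples for suspicious events."""
    events = [parse_line(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        # Rule 1: a script host executing a .js file; higher severity when the
        # file sits in a download/temp folder, as an e-mail attachment would.
        if name in SCRIPT_HOSTS and re.search(r"\.js\b", e.cmdline, re.IGNORECASE):
            sev = "high" if SUSPECT_DIRS.search(e.cmdline) else "medium"
            alerts.append((e.pid, sev, "script host running .js file"))
        # Rule 2: a shell whose parent is a script host (the day-two variant).
        if name in SHELLS:
            parent = by_pid.get(e.ppid)
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                alerts.append((e.pid, "high", f"{name} spawned by {basename(parent.image)}"))
    return alerts


# Constructed sample telemetry: one benign chain, one attachment chain, one admin script.
SAMPLE_LOG = [
    'pid=100 ppid=1 image=C:\\Windows\\explorer.exe cmd="explorer.exe"',
    'pid=200 ppid=100 image=C:\\Windows\\System32\\wscript.exe '
    'cmd="wscript.exe C:\\Users\\u\\Downloads\\Case_Details.js"',
    'pid=300 ppid=200 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -w hidden -c <placeholder>"',
    'pid=400 ppid=100 image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe notes.txt"',
    'pid=500 ppid=100 image=C:\\Windows\\System32\\cscript.exe cmd="cscript.exe C:\\Scripts\\inventory.js"',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises three alerts: the wscript.exe launch of Case_Details.js from Downloads (high), the powershell.exe child of that script host (high), and the administrator's cscript.exe inventory script (medium), which is the kind of legitimate use that a tuned rule would whitelist by path rather than suppress entirely.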
Mark Lambourne – ITB Technical Consultant
Thank you for your reports. Please avoid opening the email or clicking any links pic.twitter.com/uwFW1fCPcP
Barking and Dagenham (@lbbdcouncil) 23 January 2017