Skip to content

T1059.007 JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.1

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.234

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.56789

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.

Item Value
ID T1059.007
Sub-techniques T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009
Tactics TA0002
Platforms Linux, Windows, macOS
Permissions required Administrator, SYSTEM, User
Version 2.1
Created 23 June 2020
Last Modified 16 August 2021

Procedure Examples

ID Name Description
S0622 AppleSeed AppleSeed has the ability to use JavaScript to execute PowerShell.33
G0050 APT32 APT32 has used JavaScript for drive-by downloads and C2 communications.6061
S0373 Astaroth Astaroth uses JavaScript to perform its core functionalities. 2829
S0640 Avaddon Avaddon has been executed through a malicious JScript downloader.1920
S0482 Bundlore Bundlore can execute JavaScript by injecting it into the victim’s browser.23
C0015 C0015 During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.67
C0017 C0017 During C0017, APT41 deployed JScript web shells on compromised systems.66
S0631 Chaes Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process.18
G0080 Cobalt Group Cobalt Group has executed JavaScript scriptlets on the victim’s machine.474849505152
S0154 Cobalt Strike The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.17
S0673 DarkWatchman DarkWatchman uses JavaScript to perform its core functionalities.34
S0695 Donut Donut can generate shellcode outputs that execute via JavaScript or JScript.11
G1006 Earth Lusca Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.36
G1003 Ember Bear Ember Bear has used JavaScript to execute malicious code on a victim’s machine.53
S0634 EnvyScout EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.16
G0120 Evilnum Evilnum has used malicious JavaScript files on the victim’s machine.35
G0037 FIN6 FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.42
G0046 FIN7 FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.383938
S0417 GRIFFON GRIFFON is written in and executed as JavaScript.30
G0126 Higaisa Higaisa used JavaScript to execute additional files.545556
G0119 Indrik Spider Indrik Spider has used malicious JavaScript files for several components of their attack.57
S0260 InvisiMole InvisiMole can use a JavaScript file as part of its execution chain.31
S0283 jRAT jRAT has been distributed as HTA files with JScript.15
S0648 JSS Loader JSS Loader can download and execute JavaScript files.12
G0094 Kimsuky Kimsuky has used JScript for logging and downloading additional tools.6263
S0356 KONNI KONNI has executed malicious JavaScript code.13
G0140 LazyScripter LazyScripter has used JavaScript in its attacks.37
G0077 Leafminer Leafminer infected victims using JavaScript code.44
S0455 Metamorfo Metamorfo includes payloads written in JavaScript.21
G0021 Molerats Molerats used various implants, including those built with JS, on target machines.59
G0069 MuddyWater MuddyWater has used JavaScript files to execute its POWERSTATS payload.144140
S0228 NanHaiShu NanHaiShu executes additional Jscript code on the victim’s machine.26
C0016 Operation Dust Storm During Operation Dust Storm, the threat actors used JavaScript code.68
S0223 POWERSTATS POWERSTATS can use JavaScript code for execution.14
S0650 QakBot The QakBot web inject module can inject Java Script into web banking pages visited by the victim.2524
G0121 Sidewinder Sidewinder has used JavaScript to drop and execute malware loaders.6465
G0091 Silence Silence has used JS scripts.58
S0646 SpicyOmelette SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.32
G0092 TA505 TA505 has used JavaScript for code execution.4546
G0010 Turla Turla has used various JavaScript-based backdoors.43
S0476 Valak Valak can execute JavaScript containing configuration data for establishing persistence.27
S0341 Xbash Xbash can execute malicious JavaScript payloads on the victim’s machine.22

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent JavaScript scripts from executing potentially malicious downloaded content 10.
M1042 Disable or Remove Feature or Program Turn off or restrict access to unneeded scripting components.
M1038 Execution Prevention Denylist scripting where appropriate.
M1021 Restrict Web-Based Content Script blocking extensions can help prevent the execution of JavaScript and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0012 Script Script Execution

References

  1. OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020. 

  2. Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020. 

  3. Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript …. Retrieved June 23, 2020. 

  4. Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020. 

  5. Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021. 

  6. Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021. 

  7. Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020. 

  8. Tony Lambert. (2021, February 18). Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021. 

  9. Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021. 

  10. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  11. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  12. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  13. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. 

  14. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 

  15. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  16. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  17. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  18. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  19. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021. 

  20. Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021. 

  21. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  22. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. 

  23. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  24. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  25. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  26. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. 

  27. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  28. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. 

  29. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  30. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  31. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  32. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  33. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  34. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 

  35. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  36. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  37. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  38. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  39. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  40. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  41. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  42. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020. 

  43. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  44. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  45. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  46. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. 

  47. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  48. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. 

  49. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. 

  50. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. 

  51. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. 

  52. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. 

  53. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  54. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. 

  55. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. 

  56. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  57. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  58. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. 

  59. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  60. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  61. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  62. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. 

  63. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  64. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  65. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  66. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  67. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. 

  68. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.