How is malware distributed within zip files?
Do you remember "I love you" ?
Human curiosity often does the trick, unarchiving the zip and then executing the JS (via the windows scripting host that does not follow the same restrictions as a browsers JS engine)
There are more than enough people that do want to be sure they didn't miss a payment and will be cut off their mobile phone soon.
A fundamental unawareness of how email works is another great factor here:
The email comes from Tom! And he says I should have a look. Tom always shares funny images on facebook, let's see!
Completely unaware of email-sender spoofing (which shouldn't be a problem with DKIM, SPF, S/MIME and PGP around, but that's another story), those users just trust the sender and open the files.
INORITE? But that's just human curiosity bundled with fatal lack of knowledge.
The same user who clicks on the ZIP-file to extract the JS-file also clicks the JS-file.
This will launch the Windows Script Host to execute the script (it runs both JScript (JS and JSE) and VBScript (VBS and VBE)). The scripts run by WSH are not sandboxed in the way they would be in a browser.
Launching a JS in this manner is pretty much the same as launching an EXE.
Windows Script Host is an automation technology that provides scripting abilities. It is language-independent in that it can make use of different Active Scripting language engines.
By default, Windows interprets and runs JScript (.js
and .jse
files) and VBScript (.vbs
and .vbe
files).
Clicking a .js
file will make wscript.exe
interpret it and the script can do anything. For example, this pops up calc:
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("calc");
There have been methods or vulnerabilities that allowed automatic execution without (directly) opening the malicious file, like DLL hijacking and sideloading. But, to my knowledge, there is no new method or vulnerability actively exploited in the wild. Such a method would be very effective at spreading malware and would quickly get public notice.