
Troj/JSAgent-CK

By Sumo3000 in Trojans

Troj/JSAgent-CK is a malicious file attachment that runs dangerous JavaScript, which redirects computer users to an attack website. This website uses the infamous Blackhole Exploit Kit to attack numerous known application and Windows vulnerabilities simultaneously and infect the victim's computer with malware. With the free release of the Blackhole Exploit Kit on underground file-sharing websites, these kinds of attacks have become increasingly common since 2011, probably because the criminals carrying them out now have greater access to this dangerous exploit kit.

Troj/JSAgent-CK is Delivered in Malicious Email Attachments

In 2012, ESG security researchers observed a large number of email spam attacks that use malicious scripts similar to Troj/JSAgent-CK to direct computer users to malicious websites. In the case of Troj/JSAgent-CK, this dangerous JavaScript Trojan is delivered through a fake wire transfer notification. To avoid attacks similar to Troj/JSAgent-CK, do not click on attachments or links contained in unsolicited email messages. This is true even for messages supposedly coming from trusted sources such as Facebook or even anti-malware software manufacturers themselves. Criminals can disguise their email messages so that they appear to have been sent by any number of sources in order to make their attacks more effective.

The Malicious Email Message Associated with Troj/JSAgent-CK

The Troj/JSAgent-CK email message claims to contain information on a rejected money transfer. The message carries an attached HTML file that is detected as the Troj/JSAgent-CK Trojan. There are several variants of Troj/JSAgent-CK's malicious email message, but all of them contain subject lines relating in some way to a supposed 'Wire Transfer' rejection or confirmation, as well as a fake confirmation in some cases. The Troj/JSAgent-CK Trojan itself is contained in a file named Wire_AMBA01-Rejected.htm. When this file is opened, the computer user receives a message that says 'Please wait a moment. You will be forwarded…' In the background, however, a malicious script is executed that directs the victim to a compromised Russian website that uses the Blackhole exploit kit to attack the victim's computer. This happens in a matter of seconds and can often occur without the victim realizing what has happened. The same malicious website and method have been used in recent months to attack computer users with fake email messages from Facebook (with three 'o's) and bogus airline ticket confirmation email messages.
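For mail-gateway triage, the delivery pattern described above (an HTML attachment whose content forwards the browser elsewhere) can be checked mechanically. The following Python is an added example, not code from the original page or from ESG; the sample message, the example.invalid addresses and the regular expressions are constructed assumptions, not signatures for Troj/JSAgent-CK.

```python
import re
from email import message_from_string

# Constructed sample message, not a captured Troj/JSAgent-CK email.
SAMPLE_EML = """\
From: "Payments" <notify@example.invalid>
Subject: Wire Transfer rejected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; name="Wire_AMBA01-Rejected.htm"
Content-Disposition: attachment; filename="Wire_AMBA01-Rejected.htm"

<html><body><h1>Please wait a moment. You will be forwarded...</h1>
<script>var u = "http://redirect.example.invalid/"; window.location = u;</script>
</body></html>
--BOUND--
"""

HTML_NAME = re.compile(r"\.(html?|xhtml)$", re.I)
SCRIPT = re.compile(r"<script\b", re.I)
# Ways an HTML file can send the browser to another site (assumed heuristic list).
REDIRECT = re.compile(
    r"location(\.href)?\s*=|location\.(replace|assign)\s*\("
    r"|http-equiv\s*=\s*[\"']?refresh|<iframe\b", re.I)
LURE = re.compile(r"wire\s+transfer", re.I)

def triage(raw: str) -> list[dict]:
    """Return one finding per HTML attachment, with the reasons it was flagged."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not HTML_NAME.search(name):
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding.
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        checks = (("script", SCRIPT.search(body)),
                  ("redirect", REDIRECT.search(body)),
                  ("wire-transfer-lure", LURE.search(msg.get("Subject", ""))))
        reasons = [label for label, hit in checks if hit]
        # Quarantine any HTML attachment that navigates the browser on open.
        findings.append({"file": name, "reasons": reasons,
                         "quarantine": "redirect" in reasons})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The heuristics match plain-text redirect constructs only; an obfuscated script would still be flagged as `script` but would need sandboxing or a stricter policy (for example, blocking HTML attachments outright) to be caught.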

File System Details

Troj/JSAgent-CK may create the following file(s):
# File Name Detections
1. Wire_AMBA01-Rejected.htm
