Thursday, December 17, 2015

base64 fileless phishing kit

Phishing kits are boring most of the time, and you cant fight stupid (users).
I have recently came across an interesting kit, thumbs up for the threat actor, if he only worked a bit on his e-mail that he sends to victims (cant share), and it could be much deadlier.

So how this works?
1) Threat actor sends bunch of emails to a big victim list, the email message is some "blabla please sign to DocuSign to view the document in google docs" etc...

Sometime the emails are in html formats so they change the <a href > tag so it would look like legit link when you hover over it, but when you click it sends to a different url.
In this case the attacker chose to use url shortening:

This url is pointing to:
hXXp:// ....

full url:

JQuery you say? The data is base64 blob, if we copy the blob (starting with "PFN") to some decoder we will get some nice clear text like:

<Script Language='Javascript'>



Bang, 2nd layer of obfuscation, a JS with unescape obfuscation.
After decoding that we get another clear text, with yet another script!
<script language="javascript" type="text/javascript">var l1l='=oQKpkyJ8dCK0lGbwNnLnkXYsB3cpRmMywHf


Damn son, 3rd layer of obfuscation, with another JS code, containing eval and some custom encryption. Even if we beautify the code it still look nasty.
I don’t really care going all the code with debugger to see exactly what happens, and probably you as well, so lets create an html file with the JS code and change the "eval(_1OI(_1I1(l1l)));" function in the end to "window.alert(_1OI(_1I1(l1l)));"
This simply will print us the evaluated code in an alert box, and if we will open it in a browser we will get the result:


w00t? another eval with custom encryption? 4 obfuscation layers for phishing? dude, you are crazy!
Ok, lets do the trick of window.alert instead of eval again?
Unfortunately the new code is too long for the alert box so it is cut before the end and trying that trick will result an empty page.
So lets go back and change the "eval/window.alert" to "document.write".
We know it is safe to do because we saw in the first trick the output is eval, and not <script>.


Ok, now i got stuck for a while, because i tried to apply the previous methods and they didn’t work, while adding document.write to the eval would show the phishing page.
After some googling i found
Used #2 - The Tom Liston Method, i got in the result another eval that looked very familiar to the one i had, i thought maybe i did something wrong, so i pasted the output in my html page to show me code after "eval".
Once again the result was with "eval", this time i noticed there is a slight change to the code, so i continued changing my html with the output of showme().
After 3 or 4 times i ran this i got a new code in the text area:
"var _escape='%3C%21DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%20%20%3Chead%3E%0A "

Another obfuscation!!!


Ok, this finally looks like the end of the saga, in the end there is a check if the user agent is Rambler or Yandex, Russian sites, guess the attacker is Russian and doesn’t want to phish his own people, another check for "Yaho" , guess this is a typo, and finally unescape the "var _escape" and write the pure html to the page.

So here is the final result:
this was actually picked up by my ISP content filtering, so this 7 layer fileless obfuscation actually works quite well to bypass many filters.


block hXXp://

No comments:

Post a Comment