Thursday, December 17, 2015

base64 fileless phishing kit

Phishing kits are boring most of the time, and you cant fight stupid (users).
I have recently came across an interesting kit, thumbs up for the threat actor, if he only worked a bit on his e-mail that he sends to victims (cant share), and it could be much deadlier.

So how this works?
1) Threat actor sends bunch of emails to a big victim list, the email message is some "blabla please sign to DocuSign to view the document in google docs" etc...

Sometime the emails are in html formats so they change the <a href > tag so it would look like legit link when you hover over it, but when you click it sends to a different url.
In this case the attacker chose to use url shortening:
ht=tp://www.bit.ly/1Q5RMSN

This url is pointing to:
hXXp://jqueryapi.info/?getsrc=ok&ref=&url=data%3Atext%2Fhtml%3Bbase64%2CPFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc%2BDQoNCmRvY3 ....

full url: http://pastebin.com/rPZ7Dzrt

JQuery you say? The data is base64 blob, if we copy the blob (starting with "PFN") to some decoder we will get some nice clear text like:

<Script Language='Javascript'>

document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67

full: http://pastebin.com/dbv30qp2

Bang, 2nd layer of obfuscation, a JS with unescape obfuscation.
After decoding that we get another clear text, with yet another script!
<script language="javascript" type="text/javascript">var l1l='=oQKpkyJ8dCK0lGbwNnLnkXYsB3cpRmMywHf

full: http://pastebin.com/Vu2mAzV6

Damn son, 3rd layer of obfuscation, with another JS code, containing eval and some custom encryption. Even if we beautify the code it still look nasty.
I don’t really care going all the code with debugger to see exactly what happens, and probably you as well, so lets create an html file with the JS code and change the "eval(_1OI(_1I1(l1l)));" function in the end to "window.alert(_1OI(_1I1(l1l)));"
This simply will print us the evaluated code in an alert box, and if we will open it in a browser we will get the result:

"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+"

w00t? another eval with custom encryption? 4 obfuscation layers for phishing? dude, you are crazy!
Ok, lets do the trick of window.alert instead of eval again?
Unfortunately the new code is too long for the alert box so it is cut before the end and trying that trick will result an empty page.
So lets go back and change the "eval/window.alert" to "document.write".
We know it is safe to do because we saw in the first trick the output is eval, and not <script>.

full: http://pastebin.com/L3PrgjWK

Ok, now i got stuck for a while, because i tried to apply the previous methods and they didn’t work, while adding document.write to the eval would show the phishing page.
After some googling i found http://handlers.sans.org/dwesemann/decode/
Used #2 - The Tom Liston Method, i got in the result another eval that looked very familiar to the one i had, i thought maybe i did something wrong, so i pasted the output in my html page to show me code after "eval".
Once again the result was with "eval", this time i noticed there is a slight change to the code, so i continued changing my html with the output of showme().
After 3 or 4 times i ran this i got a new code in the text area:
"var _escape='%3C%21DOCTYPE%20html%3E%0A%3Chtml%20lang%3D%22en%22%3E%0A%20%20%3Chead%3E%0A "

Another obfuscation!!!

full: http://pastebin.com/nHXBj5bB

Ok, this finally looks like the end of the saga, in the end there is a check if the user agent is Rambler or Yandex, Russian sites, guess the attacker is Russian and doesn’t want to phish his own people, another check for "Yaho" , guess this is a typo, and finally unescape the "var _escape" and write the pure html to the page.

So here is the final result: http://pastebin.com/xDLTHPTN
this was actually picked up by my ISP content filtering, so this 7 layer fileless obfuscation actually works quite well to bypass many filters.

TL:DR

block hXXp://www.ndsnotebook.com.br/wp-includes/css/themes/

No comments:

Post a Comment