In this blog post, we describe a phishing attack observed by Polito, Inc. that uses an obfuscated JavaScript attachment. We then show how to analyze the malicious obfuscated JavaScript by following the attack chain through static and dynamic testing, and how the analyzed code was designed to capture Microsoft O365 credentials and upload them to a website.
This specific attack is interesting because attackers are always looking for new and creative ways to deliver their payloads. Their purpose in doing so is threefold:
An attempt to bypass security products
An attempt to bypass security training
An attempt to harvest credentials from unsuspecting users
Even though potential victims may have been trained to avoid opening documents, scripts, and executables from unknown senders, nowadays it is important to be careful with almost any file type.
Malicious file attachment:
To protect the privacy of the individual that received this file, all identifying information has either been redacted or obscured.
An executive received a suspicious email, which they were concerned was sent by a threat actor. The email looked like an eFax message with a poorly worded .htm attachment. The attachment appeared to be a recycled lure of a voicemail attachment as can be seen by the Play button and the 37 secs in the file description.
Figure 1 - Spam email with the attachment
Malware analysis:
The initial phishing message was sent with an attached .htm file named “(redacted) ▶ ─────── 01mins37secs.htm”. The individual did not open the attachment, but sent a copy of it for analysis. We were unable to obtain the email headers of the original email.
Static Analysis:
I first opened the .htm file in Notepad++ to gain initial insight, and could see that the file contained obfuscated JavaScript.
Figure 2 - Partially obfuscated JavaScript Code
The first step was to attempt to de-obfuscate the code. I used an online tool from Coder’s Toolbox with the settings URL, Decode, and US-ASCII, which produced readable code:
Figure 3 - Using Coder’s Toolbox to de-obfuscate the JavaScript Code
I then used another online tool named js-beautify to clean up the code and make it more presentable:
Figure 4 - Using js-beautify to clean up the JavaScript Code
Line 3: contains the recipient of the phishing email
Line 4: contains a Base64-encoded URL pointing to a PHP file
Line 6: contains a self-contained web page that replicates the Microsoft login page
Since this code contained a URI component, it was time to extract some more information. I used the JavaScript decodeURI() function (documented on Mozilla’s developer site), pasting in the encoded portions between the script tags, and got what was a prompt to enter a Microsoft password:
Figure 5 - Prompt to enter a password
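The static steps above (URL-decode the attachment, find the recipient, decode the Base64 URL, decode the URI-component-encoded login page) can be done without ever running the attacker's script. The following Python script is an added example, not code from the post or from Polito, Inc.; it works on a constructed sample attachment whose layout mirrors what the post describes, and every value in it (the recipient victim@example.com, the host example.invalid, the page text) is a placeholder rather than an indicator from the real file.

```python
"""Static triage of a URL-encoded JavaScript .htm attachment (added example).

Every decoding step uses string functions only; the script is never executed.
"""
import base64
import re
from urllib.parse import unquote

# Constructed sample attachment, not the real file from the post. The layout
# mirrors what the post describes: a document.write(unescape("...")) wrapper
# whose percent-encoded body holds the recipient address, a base64 URL
# (placeholder host example.invalid) and a URI-component-encoded login page.
SAMPLE_HTM = (
    '<html><body><script>document.write(unescape("'
    "%3Cscript%3Evar%20r%3D%22victim%40example.com%22%3B"
    "var%20u%3Datob%28%22aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbzM2NS5waHA%3D%22%29%3B"
    "document.write%28decodeURIComponent%28%22%253Ctitle%253ESign%2520in%2520to%2520your"
    "%2520account%253C%252Ftitle%253E%253Cinput%2520type%253D%2522password%2522%253E%22%29%29%3B"
    "%3C%2Fscript%3E"
    '"));</script></body></html>'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URI_ARG_RE = re.compile(r'decodeURI(?:Component)?\(\s*"([^"]*)"')
WRAPPER_RE = re.compile(r'(?:unescape|decodeURI(?:Component)?)\(\s*"([^"]*)"')


def unwrap_layer(htm: str) -> str:
    """Return the first percent-encoded wrapper argument, decoded exactly once.

    Only one pass is applied on purpose: an argument that was double-encoded
    (%25 -> %) stays encoded here and is decoded separately below, which keeps
    each layer of the obfuscation visible to the analyst.
    """
    m = WRAPPER_RE.search(htm)
    if not m:
        raise ValueError("no unescape/decodeURI wrapper found")
    return unquote(m.group(1))


def find_base64_urls(script: str) -> list:
    """Decode every base64-looking token and keep those that decode to a URL."""
    urls = []
    for tok in B64_RE.findall(script):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # identifiers such as decodeURIComponent are not base64
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def find_embedded_html(script: str) -> list:
    """Decode the arguments handed to decodeURI()/decodeURIComponent()."""
    return [unquote(arg) for arg in URI_ARG_RE.findall(script)]


def triage(htm: str) -> dict:
    """Collect the indicators the post extracted by hand from the attachment."""
    script = unwrap_layer(htm)
    pages = find_embedded_html(script)
    return {
        "recipients": sorted(set(EMAIL_RE.findall(script))),
        "urls": find_base64_urls(script),
        "pages": pages,
        "asks_for_password": any("password" in p.lower() for p in pages),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTM).items():
        print(f"{key}: {value}")
```

Running the script prints the recipient, the decoded URL (the equivalent of the o365.php endpoint in the post) and the decoded page, and reports whether that page asks for a password. Decoding one layer at a time, rather than calling unquote() until nothing changes, is deliberate: it reproduces the manual two-step the post follows and avoids merging distinct encoded strings into one.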
Dynamic Analysis:
Using the Developer tools in Google Chrome and reloading the .htm page, we can gain some insight from the Headers. Here we can see a request to a URL that calls a file labeled “o365.php”.
Figure 6 - Headers of the .htm file
Through a series of JavaScript commands and encodings, the captured information, along with other data such as the IP address and User-Agent string, is uploaded to the following URL: https[:]//redacted/../o365logz.txt
Figure 7 – Web directory of the malicious URL
Figure 8 – Information that is uploaded and stored by the malicious code
How was this possible?
Providers such as Google flag malicious websites when they present a risk to users in the form of malware. From what we can tell, this site has only been around for approximately 4 months and is not flagged as malicious by a few vendors.
Figure 9 – VirusTotal giving a clean score to the malicious URL
Figure 10 – AlienVault not seeing any activity associated with the site
How can you protect yourself?
Since spam and phishing emails can take a variety of forms, we suggest the following:
Never open emails and/or attachments from untrusted sources. If you have received an email that looks “out of the norm”, it is always better to report it to your IT support team or email provider
Never enter your credentials in a website that is missing the “https” at the beginning of the URL, e.g. “https[:]//login.microsoft.com” is the correct URL. The URL “http[:]//login.microssoft.com” is not
Block the spam email address
Delete the spam email message
Keep your device’s OS, software and anti-malware software up to date
Original blog post can be found at: https://www.politoinc.com/post/malicious-efax-attachments-can-potentially-steal-your-microsoft-o365-password