Shhh we're still hunting Phishers Part 2

Welcome back Phish hunters.

So the first part of the blog series (is two a series?) we looked at different encoding schemes Phishers use in crafting their phishing emails to avoid detection. 

We looked at the two 'easy' ones URL encoding and Base64. After a while you can detect these by sight in pages of logs or code pretty easily.

This next one is a little more complicated. 

But lets start with knowing that html code has to play by the rules of what the browser can interpret, so we can use that to help with our decode.

From our first URL encoding we see the javascript function unescape :

 In the BASE64 we see clear references of the base64 keyword:

Now what can we determine if the html coded looks like this!

We can see that the JavaScript has clearly been obfuscated to avoid human readability and also mail scanners.

We see in the first few lines that there is a function function(p,a,c,k,e,r) . We see this and other weird techniques that do character replacement/substition etc anything to make it hard to read.

This (p,a,c,k,e,r) function is common routine that can be evaluated using the javascript unpacker website kindly provided here https://matthewfl.com/unPacker.html .

This converts to an document.write(atob function and we are back to base64 encoding again. encoding1(encoding2(data)) 

Check out the atob function here https://html.spec.whatwg.org/multipage/webappapis.html#atob

The based64 decoded unpacked javascript contains three of these atob functions. So we can take each content string within the atob function and back to CyberChef to see what it contains .. exciting. 

Ok so this appears to be adding EventListeners to disable certain keys including:

 // disable F12 key

 if(e.keyCode == 123) {

 // disable I key

  if(e.ctrlKey && e.shiftKey && e.keyCode == 73){

// disable J key

 if(e.ctrlKey && e.shiftKey && e.keyCode == 74) {

 // Prevent Ctrl+s = disable save

 if (event.ctrlKey && (event.keyCode === 85 || event.keyCode === 83 || event.keyCode ===65 )) {

// disable U key

(e.ctrlKey && e.keyCode == 85) {

F12: Disables a set of tools that you can use to design, debug, or view webpage source code and behavior

Ctrl Shift I: Disables opening the Developer Tools panel

Ctrl+J: Disables opening the console tab in the Developer Tools panel

Ctrl+s : Disables saving the page

Ctrl + U: Disables opening the browser source code page

So basically the Phisher doesn't want us to look behind the curtain Dorothy!!

If we add the 3rd atob base64 encoded string into CyberChef it decodes nicely to readable html

Interesting in this case the Phisher had hacked a legitimate WordPress site and saved some icons, images and css style sheets. 

I find 9/10 of the hacked sites used in Phishing campaigns are running WordPress. So please ensure you your WordPress sites are up to date with their plugins and patching. 

It is also good to send the website owner/host an email to let them know their website is compromised.

One hacked WP site we found was being used to store a PHP script and a nice text file of hundreds of username and passwords that had been captured. We called the business, sent emails and still months later the page was still up! 

I may have flooded it with hundreds of illegitimate username/passwords credentials to attempt to frustrate the Phishers and slow them down.

The stored images appear on the webpage looks familiar. Also, the victim's email was already prefilled. 

So seems legit!

Later in the page we find some more base64 so now we are at the third level of encoding inception. encoding1(encoding2(encoding3(data).

Decoding that block we find it decodes to be a GIF (does ask me to pronounce it, it will certainly divide my six viewers). GIFs are usually not that interesting and contain animated arrows, progress bars etc to trick the victim to thing something is happening. 

The next section of the html code contains a function to capture and POST your credentials.

They code typically contain a email address validity checker via regex.

The code also typically contain a hard coded error when you enter your password the first time. 

These are both to check if you are just trying rubbish looking credentials to confirm if this website if legitimate.

Once you add your second password they then usually take you to.

1. Microsoft login page www.office.com ,or

2. An error page, or

3. Something specific to original email but not valid. 

In this case, the original Phishing email contained an alert that the victim had an important voicemail waiting for them, Once the went down the rabbit hole it took you to a website that contained an mp3 of voice mail!!   The victim was left confused by voicemail that had nothing to do with them, so thought it  must have been a wrong number.

But within minutes the account was logged into using the stolen credentials and the phishing email had been hard-deleted by the Phisher and then account mayhem!

Now we need to get back to reality from the these layers of encoding. 

Hopefully this has given you an idea of the lengths Phishers will go to to obfuscate their intentions so they can slip into your mail without detection.

Until next time, the hexninja says:

Down the rabbit hole

Phishers encoding data

How low can you go

 

Shhh we're hunting Phishers... %50%68%69%73%68%69%6E%67 or UGhpc2hpbmc=

So the HexNinja has been spending a lot of time going Phishing. Well more correctly examining phishing emails and watching them evolve and do their best to avoid SPAM detection while also gaining your confidence.

One of the questions I get asked is how the Phishing email got into our mail system without being flagged as malicious.

 

Besides obvious issues of SPF DKIM DMARC or lack thereof I am finding many phishing emails containing htm attachments. 

They always have a great title like Remittance #763.htm or Invoice #692.htm and if your job is to process payments and balance the books and the email has come from a known contact that is a customer or supplier then the motivation to open a htm attachment is high.

Examining the contents of many htm files they don't look like human readable htm formats. To obfuscate their contents they will rely on a one or a combination of encoding to hide their true intentions and also so fool your email protection systems.

So armed with CyberChef  https://gchq.github.io/CyberChef/ we can begin experimenting with how the files are encoded.

The four main techniques I am seeing are:

• URL encoding
• Base64
• Hexidecimal encoding
• Javascript packing

In this first post I will look at URL and BASE64 encoding.

In this second post I will look at Hexidecimal and Javascript packing.

The more difficult decodes involve a combination of these but lets walk before we run.

URL ENCODING

So if we open the htm file in a text editor and we see something like this

We can see that the quoted block has been url encoded and wrapped in a javascript decode function 'unescape'. 

URL encoding is a way that website url and wepages can encoded special characters such as spaces %20 or other special characters. Normally a url string only encoded these special characters in but it can also be used to encode a whole string. 

Basically it converts the string to bytes, encoded each byte to hex and separates each byte with a %.

Eg www.thehexninja.com would be 

  %77%77%77%2e%74%68%65%68%65%78%6e%69%6e%6a%61%2e%63%6f%6d

Try pasting that string into your browser and it automatically resolves to www.thehexninja.com.

We can get Cyberchef to do the heavy lifting of url decoding. We can copy all the encoded block within the quotes and paste it into Cyberchef using the URL Decode function as shown below.

This would obviously render to a simple embedded link as shown below

So we can see how this simple technique can be used to evade basic mail scanners, especially if the embedded link is not malicious such as a OneDrive, DropBox, SharePoint or a page on a another website.

Base64 Encoding

Sometimes the htm attachment contains base64 encoded sections, typically images prefixed with the type of image images/png or images/jpg

We can copy these encoded sections and paste into cyberchef (From Base 64)

We can now paste the Hex output into a hexeditor and save it as a JPG (image/jpeg) or PNG  (image/png). 

The first PNG image decodes to

The second image is a JPG and renders as:

The 3rd image decodes to:

The forth image decodes to 

When these images are overlayed they appear as

This is the classic spoofed Microsoft Office 365. 

Hiding beneath the enticing image/webpage is the the code which basically accepts a post of the password and username in a POST to a google form, essentially capturing the victims credentials 

 

Until next time, the hexninja says:

Stop Sneaky Phishers!

Encoding to Hide Data

Never Trust The Phish

Getting hashes to Virus Total from an Isolated Virtual Machine

Sometimes when I am testing in a Virtual Machine (VM) I really lock down the isolation. 

No shared folders. 

No bidirectional clipboards. 

No network. 

I may be paranoid but it is 'mildly discomforting' to see malware (ransomware) under test, encrypt your shared folder and then your host AV or Bitdefender start to lose it with Virus detections. 

This usually doesn't happen but when it does you can have a cold sweat moment that somehow the malware has not only jumped to a shared folder and doing what it does best. It is normally just a detection of the encrypted file or ransom note but once I have transferred the files for testing it is a good idea to check and double check your isolation. 

At a first pass when looking for suspected malware dll or exe files I like to upload the hash or suspicious files to Virus Total or Hybrid Analysis

https://www.virustotal.com/gui/home/search

OR

https://www.hybrid-analysis.com/

However with an isolated system I am also limited by how to check the hash. I can't copy it across from the VM guest to host or check directly in a browser as I have isolated my VM. 

During this last year of Covid-19 I have used more QR codes than I have ever have so I had a thought to create a script that calculates the hash and generates a QR code that embeds the hash in the url so it will redirect to a prefilled Virus Total or Hybrid Analysis. 

I can then get the script to show the QR code on the screen and I can capture it in the host or even use a mobile phone to capture the QR to a browser .

Normally, I code in Python but thought I would punish myself and see if I could do it in Python3 and C#.

Python 3 

The python code uses a QR code generating library pyqrcode  and the hashlib library.

These can be installed using pip  

https://pypi.org/project/PyQRCode/

https://pypi.org/project/hashlib/

>pip install PyQRCode

>pip install hashlib

The general functional flow is 

1. Get filename from argument

2. Calculate SHA256 hash

3. Append SHA256 hash to url string ie 'https://www.virustotal.com/gui/file/'+ sha256_hash

4. Generate and display the QR code of this url

The python script is called from the command line using the suspicious file as an argument  to call the function with the suspect file 

> python3 qrcode_gen.py c:\abc.exe

import pyqrcode
import argparse
import hashlib
import os

BUF_SIZE = 1048576 

def calc_hashes(filename):
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()    
    with open(filename, 'rb') as fp:
        while True:
            data = fp.read(BUF_SIZE)
            if not data:
                break
    return md5.hexdigest().upper(),sha256.hexdigest().upper()

# input file to create sha256 hash
parser = argparse.ArgumentParser()
parser.add_argument('filename')
args = parser.parse_args()
md5_hash,sha265_hash=calc_hashes(args.filename)
vt_url='https://www.virustotal.com/gui/file/'+ sha265_hash
print(vt_url)
    
qr = pyqrcode.create(vt_url)
qr.show()

This QR code image will pop up in the image viewer and we can capture it with a phone camera app or QR code scanner.

 

The linked URL will then open up and we can see this was a Wannacry malware. 

C#

The C# program uses two libraries, System.Security.Cryptography to calculate the hashes and ZXing to create the QR code.

Unlike the Python version this C# requires a location to store the image that we parse to the command line program. A memory only version is underway but it is a little more complicated.

>qr_hash.exe C:\tmp\123.txt C:\tmp\123.jpg

The workflow is much the same as the python version except that it saves the QR image as a JPG then it uses a shell process to open the image in the default image viewer.

using System;
using System.Security.Cryptography;
using System.IO;
using ZXing;
using System.Drawing;
using System.Diagnostics;

namespace QR_Hash
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 2)
            {
                string filenpath = args[0];
                string imagepath = args[1];
                string hash_string;

                if (File.Exists(filenpath) == true)
                {
                    using (var sha256 = SHA256.Create())
                      
                    {
                        using (var stream = File.OpenRead(filenpath))
                        {
                            var hash = sha256.ComputeHash(stream);
                            hash_string = BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
                        }
                    }
                    var QCwriter = new BarcodeWriter();
                    QCwriter.Format = BarcodeFormat.QR_CODE;
                    QCwriter.Options = new ZXing.Common.EncodingOptions
                    {
                        Width = 400,
                        Height = 400
                    };
                    string vt_url = "https://www.virustotal.com/gui/file/" + hash_string;
                    var result = QCwriter.Write(vt_url);
                    using (var g = Graphics.FromImage(result))
                    using (var font = new Font(FontFamily.GenericMonospace, 8))
                    using (var brush = new SolidBrush(Color.Black))
                    using (var format = new StringFormat() { Alignment = StringAlignment.Center })
                    {
                        int margin = 5, textHeight = 30;
                        var rect = new RectangleF(margin, result.Height - textHeight,
                                                  result.Width - 2 * margin, textHeight);
                        g.DrawString(vt_url, font, brush, rect, format);
                    }
                    result.Save(imagepath);
                    var p = new Process();
                    p.StartInfo = new ProcessStartInfo(@imagepath)
                    {
                        UseShellExecute = true
                    };
                    p.Start();
                    
                }
            }
         }
    }
}

This C# version also add a nice URL link to the bottom of the image 

So there you have it, 2 basic programs to help you get the hash out of a VM via the screen. Noice!

As the hex ninja says.

Finding malware now,

Is easy with QR codes,

Keep safe from malware