Saturday, October 23, 2021

Shhh we're still hunting Phishers Part 2

Welcome back Phish hunters.

So the first part of the blog series (is two a series?) we looked at different encoding schemes Phishers use in crafting their phishing emails to avoid detection. 

We looked at the two 'easy' ones URL encoding and Base64. After a while you can detect these by sight in pages of logs or code pretty easily.

This next one is a little more complicated. 

But lets start with knowing that html code has to play by the rules of what the browser can interpret, so we can use that to help with our decode.

From our first URL encoding we see the javascript function unescape :




 In the BASE64 we see clear references of the base64 keyword:




Now what can we determine if the html coded looks like this!



We can see that the JavaScript has clearly been obfuscated to avoid human readability and also mail scanners.

We see in the first few lines that there is a function function(p,a,c,k,e,r) . We see this and other weird techniques that do character replacement/substition etc anything to make it hard to read.

This (p,a,c,k,e,r) function is common routine that can be evaluated using the javascript unpacker website kindly provided here https://matthewfl.com/unPacker.html .


This converts to an document.write(atob function and we are back to base64 encoding again. encoding1(encoding2(data)) 

Check out the atob function here https://html.spec.whatwg.org/multipage/webappapis.html#atob

The based64 decoded unpacked javascript contains three of these atob functions. So we can take each content string within the atob function and back to CyberChef to see what it contains .. exciting. 



Ok so this appears to be adding EventListeners to disable certain keys including:

 // disable F12 key
 if(e.keyCode == 123) {

 // disable I key
  if(e.ctrlKey && e.shiftKey && e.keyCode == 73){

// disable J key
 if(e.ctrlKey && e.shiftKey && e.keyCode == 74) {

 // Prevent Ctrl+s = disable save
 if (event.ctrlKey && (event.keyCode === 85 || event.keyCode === 83 || event.keyCode ===65 )) {

// disable U key
(e.ctrlKey && e.keyCode == 85) {

F12: Disables a set of tools that you can use to design, debug, or view webpage source code and behavior
Ctrl Shift I: Disables opening the Developer Tools panel
Ctrl+J: Disables opening the console tab in the Developer Tools panel
Ctrl+s : Disables saving the page
Ctrl + U: Disables opening the browser source code page


So basically the Phisher doesn't want us to look behind the curtain Dorothy!!

If we add the 3rd atob base64 encoded string into CyberChef it decodes nicely to readable html

Interesting in this case the Phisher had hacked a legitimate WordPress site and saved some icons, images and css style sheets. 

I find 9/10 of the hacked sites used in Phishing campaigns are running WordPress. So please ensure you your WordPress sites are up to date with their plugins and patching. 

It is also good to send the website owner/host an email to let them know their website is compromised.

One hacked WP site we found was being used to store a PHP script and a nice text file of hundreds of username and passwords that had been captured. We called the business, sent emails and still months later the page was still up! 

I may have flooded it with hundreds of illegitimate username/passwords credentials to attempt to frustrate the Phishers and slow them down.



The stored images appear on the webpage looks familiar. Also, the victim's email was already prefilled. 

So seems legit!





Later in the page we find some more base64 so now we are at the third level of encoding inception. encoding1(encoding2(encoding3(data).





Decoding that block we find it decodes to be a GIF (does ask me to pronounce it, it will certainly divide my six viewers). GIFs are usually not that interesting and contain animated arrows, progress bars etc to trick the victim to thing something is happening. 




The next section of the html code contains a function to capture and POST your credentials.

They code typically contain a email address validity checker via regex.
The code also typically contain a hard coded error when you enter your password the first time. 

These are both to check if you are just trying rubbish looking credentials to confirm if this website if legitimate.

Once you add your second password they then usually take you to.
1. Microsoft login page www.office.com ,or
2. An error page, or
3. Something specific to original email but not valid. 

In this case, the original Phishing email contained an alert that the victim had an important voicemail waiting for them, Once the went down the rabbit hole it took you to a website that contained an mp3 of voice mail!!   The victim was left confused by voicemail that had nothing to do with them, so thought it  must have been a wrong number.

But within minutes the account was logged into using the stolen credentials and the phishing email had been hard-deleted by the Phisher and then account mayhem!




Now we need to get back to reality from the these layers of encoding. 

Hopefully this has given you an idea of the lengths Phishers will go to to obfuscate their intentions so they can slip into your mail without detection.

Until next time, the hexninja says:

Down the rabbit hole

Phishers encoding data

How low can you go

 



Friday, October 22, 2021

Shhh we're hunting Phishers... %50%68%69%73%68%69%6E%67 or UGhpc2hpbmc=

So the HexNinja has been spending a lot of time going Phishing. Well more correctly examining phishing emails and watching them evolve and do their best to avoid SPAM detection while also gaining your confidence.

One of the questions I get asked is how the Phishing email got into our mail system without being flagged as malicious.

 


Besides obvious issues of SPF DKIM DMARC or lack thereof I am finding many phishing emails containing htm attachments. 

They always have a great title like Remittance #763.htm or Invoice #692.htm and if your job is to process payments and balance the books and the email has come from a known contact that is a customer or supplier then the motivation to open a htm attachment is high.

Examining the contents of many htm files they don't look like human readable htm formats. To obfuscate their contents they will rely on a one or a combination of encoding to hide their true intentions and also so fool your email protection systems.

So armed with CyberChef  https://gchq.github.io/CyberChef/ we can begin experimenting with how the files are encoded.

The four main techniques I am seeing are:

  • URL encoding
  • Base64
  • Hexidecimal encoding
  • Javascript packing
In this first post I will look at URL and BASE64 encoding.
In this second post I will look at Hexidecimal and Javascript packing.

The more difficult decodes involve a combination of these but lets walk before we run.

URL ENCODING


So if we open the htm file in a text editor and we see something like this



We can see that the quoted block has been url encoded and wrapped in a javascript decode function 'unescape'. 

URL encoding is a way that website url and wepages can encoded special characters such as spaces %20 or other special characters. Normally a url string only encoded these special characters in but it can also be used to encode a whole string. 
Basically it converts the string to bytes, encoded each byte to hex and separates each byte with a %.

Eg www.thehexninja.com would be 

  %77%77%77%2e%74%68%65%68%65%78%6e%69%6e%6a%61%2e%63%6f%6d

Try pasting that string into your browser and it automatically resolves to www.thehexninja.com.

We can get Cyberchef to do the heavy lifting of url decoding. We can copy all the encoded block within the quotes and paste it into Cyberchef using the URL Decode function as shown below.




This would obviously render to a simple embedded link as shown below

So we can see how this simple technique can be used to evade basic mail scanners, especially if the embedded link is not malicious such as a OneDrive, DropBox, SharePoint or a page on a another website.

Base64 Encoding

Sometimes the htm attachment contains base64 encoded sections, typically images prefixed with the type of image images/png or images/jpg




We can copy these encoded sections and paste into cyberchef (From Base 64)


We can now paste the Hex output into a hexeditor and save it as a JPG (image/jpeg) or PNG  (image/png). 

The first PNG image decodes to



The second image is a JPG and renders as:


The 3rd image decodes to:


The forth image decodes to 



When these images are overlayed they appear as



This is the classic spoofed Microsoft Office 365. 

Hiding beneath the enticing image/webpage is the the code which basically accepts a post of the password and username in a POST to a google form, essentially capturing the victims credentials 


 

Until next time, the hexninja says:

Stop Sneaky Phishers!

Encoding to Hide Data

Never Trust The Phish