Saturday, October 23, 2021

Shhh we're still hunting Phishers Part 2

Welcome back Phish hunters.

So in the first part of the blog series (is two a series?) we looked at different encoding schemes Phishers use in crafting their phishing emails to avoid detection.

We looked at the two 'easy' ones, URL encoding and Base64. After a while you can spot these by sight in pages of logs or code pretty easily.

This next one is a little more complicated. 

But let's start from the fact that HTML and JavaScript have to play by the rules of what the browser can interpret: whatever obfuscation the Phisher uses, the page itself has to carry the code that undoes it, so we can use that to help with our decode.

From our first example, URL encoding, we see the JavaScript function unescape:




In the Base64 example we see clear references to the base64 keyword:




Now what can we determine if the HTML code looks like this?



We can see that the JavaScript has clearly been obfuscated to defeat both human readers and mail scanners.

We see in the first few lines that there is a function function(p,a,c,k,e,r). We see this and other weird techniques that do character replacement/substitution etc., anything to make the code hard to read.

This (p,a,c,k,e,r) function is a common routine that can be evaluated using the JavaScript unpacker website kindly provided here: https://matthewfl.com/unPacker.html


This unpacks to a document.write(atob(...)) call, and we are back to base64 encoding again: encoding1(encoding2(data)).

Check out the atob function here https://html.spec.whatwg.org/multipage/webappapis.html#atob

The unpacked JavaScript contains three of these atob() calls, so we can take the string inside each atob() call back to CyberChef to see what it contains. Exciting.
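The two steps above can be done statically without ever running the script: reproduce the packer's own token substitution, then pull the atob("...") strings out of the result. The following is an added example, my own code rather than anything from the phishing page or the unPacker site; the packed sample, its three-word dictionary and the base64 payload are constructed for the demonstration.

```javascript
// Symbol alphabet used by the p,a,c,k,e,r encoder: 0-9, a-z, then A-Z (bases up to 62).
const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Render dictionary index n in the packer's base (36 or 62 in the wild).
function toBase(n, base) {
  if (base < 2 || base > ALPHABET.length) throw new Error('unsupported packer base ' + base);
  let out = '';
  do {
    out = ALPHABET[n % base] + out;
    n = Math.floor(n / base);
  } while (n > 0);
  return out;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Locate the trailing argument list: }('payload', base, count, 'w|o|r|d|s'.split('|'), ...)
const ARGS_RE = /}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)/;

// Undo the packing by substitution only; the eval() wrapper is never executed.
function unpack(packedSource) {
  const m = ARGS_RE.exec(packedSource);
  if (!m) throw new Error('no p,a,c,k,e,r argument list found');
  // The packer escapes only quotes and backslashes inside its payload string.
  const unescapeQuotes = (s) => s.replace(/\\(['\\])/g, '$1');
  let payload = unescapeQuotes(m[1]);
  const base = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeQuotes(m[4]).split('|');
  // Same loop the packer stub runs: highest index first, whole tokens only.
  for (let c = count - 1; c >= 0; c--) {
    if (words[c]) {
      const token = new RegExp('\\b' + escapeRegExp(toBase(c, base)) + '\\b', 'g');
      payload = payload.replace(token, words[c]);
    }
  }
  return payload;
}

// Pull every atob("...") / atob('...') argument out of unpacked code and base64-decode it.
function decodeAtobStrings(js) {
  const out = [];
  const re = /atob\s*\(\s*(["'])([A-Za-z0-9+\/=\s]*)\1\s*\)/g;
  let m;
  while ((m = re.exec(js)) !== null) {
    out.push(Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('utf8'));
  }
  return out;
}

// Constructed sample (not the real phishing page): the packer stub with a three-word dictionary.
// The payload "PGI+aGk8L2I+" is base64 for "<b>hi</b>".
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+c.toString(a)+'\\\\b','g'),k[c])}}return p}" +
  "('0.1(2(\"PGI+aGk8L2I+\"))',36,3,'document|write|atob'.split('|'),0,{}))";

function demo() {
  const unpacked = unpack(SAMPLE_PACKED);   // document.write(atob("PGI+aGk8L2I+"))
  return { unpacked, decoded: decodeAtobStrings(unpacked) };
}

console.log(demo());
```

Run it with node; the substitution loop is exactly what the packer's own stub would do at page load, which is why doing it offline is safe. Real kits nest several of these wrappers, so feed the output back into unpack() until ARGS_RE no longer matches.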



Ok so this appears to be adding EventListeners to disable certain keys including:

 document.addEventListener('keydown', function (e) {
   // handler bodies are not shown in the decoded excerpt; preventDefault() is what actually blocks the key
   // disable F12 key
   if (e.keyCode == 123) {
     e.preventDefault();
   }
   // disable I key
   if (e.ctrlKey && e.shiftKey && e.keyCode == 73) {
     e.preventDefault();
   }
   // disable J key
   if (e.ctrlKey && e.shiftKey && e.keyCode == 74) {
     e.preventDefault();
   }
   // Prevent Ctrl+s = disable save (85 = U, 83 = S, 65 = A)
   if (e.ctrlKey && (e.keyCode === 85 || e.keyCode === 83 || e.keyCode === 65)) {
     e.preventDefault();
   }
   // disable U key
   if (e.ctrlKey && e.keyCode == 85) {
     e.preventDefault();
   }
 });

F12: Disables a set of tools that you can use to design, debug, or view webpage source code and behavior
Ctrl+Shift+I: Disables opening the Developer Tools panel
Ctrl+J: Disables opening the console tab in the Developer Tools panel
Ctrl+S: Disables saving the page
Ctrl+U: Disables opening the browser source code page


So basically the Phisher doesn't want us to look behind the curtain Dorothy!!

If we add the 3rd atob base64 encoded string into CyberChef it decodes nicely to readable HTML.

Interestingly, in this case the Phisher had hacked a legitimate WordPress site and stored some icons, images and CSS style sheets on it.

I find 9/10 of the hacked sites used in Phishing campaigns are running WordPress. So please ensure your WordPress sites are up to date with their plugins and patching.

It is also good to send the website owner/host an email to let them know their website is compromised.

One hacked WP site we found was being used to store a PHP script and a nice text file of hundreds of usernames and passwords that had been captured. We called the business, sent emails, and months later the page was still up!

I may have flooded it with hundreds of illegitimate username/passwords credentials to attempt to frustrate the Phishers and slow them down.



The stored images appear on the webpage, which looks familiar. Also, the victim's email was already prefilled.

So seems legit!





Later in the page we find some more base64, so now we are at the third level of encoding inception: encoding1(encoding2(encoding3(data))).





Decoding that block we find it decodes to a GIF (don't ask me to pronounce it; it will certainly divide my six viewers). GIFs are usually not that interesting and contain animated arrows, progress bars etc. to trick the victim into thinking something is happening.
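Peeling layers by hand in CyberChef works, but it helps to have a routine that keeps decoding while the result is still canonical base64 and stops as soon as it recognises what came out (a GIF by its magic bytes, HTML by its leading tag). This is an added example written for this post, not code from the phishing page; the triple-wrapped GIF header and the base64 HTML fragment are constructed inline.

```javascript
// Magic-byte table for the file types phishing kits most often stage inline.
const MAGIC = [
  { type: 'gif', bytes: Buffer.from('GIF89a') },
  { type: 'gif', bytes: Buffer.from('GIF87a') },
  { type: 'png', bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

// Classify a decoded buffer: known binary signature, markup, or plain text.
function sniff(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && buf.subarray(0, m.bytes.length).equals(m.bytes)) return m.type;
  }
  return buf.toString('utf8').trimStart().startsWith('<') ? 'html' : 'text';
}

// Canonical-base64 check: right alphabet, padded to a multiple of 4, and round-trips exactly.
// Short alphanumeric words such as "deadbeef" also pass, which is why peelBase64 has maxDepth.
function isStrictBase64(s) {
  const compact = s.replace(/\s+/g, '');
  if (compact.length === 0 || compact.length % 4 !== 0) return false;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(compact)) return false;
  return Buffer.from(compact, 'base64').toString('base64') === compact;
}

// Decode base64 repeatedly until something recognisable (or something that is not base64) appears.
function peelBase64(blob, maxDepth = 8) {
  let current = blob;
  let depth = 0;
  while (depth < maxDepth && isStrictBase64(current)) {
    const decoded = Buffer.from(current.replace(/\s+/g, ''), 'base64');
    depth += 1;
    const type = sniff(decoded);
    if (type !== 'text') return { depth, type, data: decoded }; // binary or markup: stop here
    current = decoded.toString('utf8');                         // maybe another base64 layer
  }
  return { depth, type: depth === 0 ? 'not-base64' : 'text', data: Buffer.from(current) };
}

// Constructed samples: a minimal GIF header wrapped in three base64 layers, and one layer of HTML.
const SAMPLE_GIF = Buffer.concat([
  Buffer.from('GIF89a'),
  Buffer.from([0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00]),
]);
const SAMPLE_TRIPLE_B64 = Buffer.from(
  Buffer.from(SAMPLE_GIF.toString('base64')).toString('base64')
).toString('base64');
const SAMPLE_HTML_B64 = Buffer.from('<form action="collect.php" method="post"></form>').toString('base64');

function demo() {
  return {
    gif: peelBase64(SAMPLE_TRIPLE_B64),   // depth 3, type 'gif'
    html: peelBase64(SAMPLE_HTML_B64),    // depth 1, type 'html'
    js: peelBase64('document.write("x")') // depth 0, type 'not-base64'
  };
}

console.log(demo());
```

The depth value is the "encoding inception" level the post counts by hand; a kit that reaches three or four layers of nothing but base64 is itself a useful detection signal, since legitimate pages rarely wrap images that way.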




The next section of the HTML code contains a function to capture and POST your credentials.

The code typically contains an email address validity checker via regex.
The code also typically contains a hard-coded error when you enter your password the first time.

These are both there to check whether you are just trying rubbish-looking credentials to see if the website is legitimate.

Once you add your second password they then usually take you to:
1. the Microsoft login page www.office.com, or
2. an error page, or
3. something specific to the original email but not valid.
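Once a page is fully decoded, the tells described above (the devtools-blocking key handlers, the document.write(atob()) staging, an email regex, a prefilled email address, a password field posted off to a script, and a "wrong password" on the first attempt) can be checked mechanically. The following triage function is an added example of my own, not code from the phishing kit; the indicator regexes are heuristics I chose from the behaviour described in this post, and the sample page is constructed to exercise all of them.

```javascript
// Each indicator is one behaviour the decoded phishing page exhibited; none is proof on its own.
const INDICATORS = [
  { name: 'blocks-F12',                re: /keyCode\s*===?\s*123\b/ },
  { name: 'blocks-devtools-shortcut',  re: /ctrlKey\s*&&\s*\w+\.shiftKey\s*&&\s*\w+\.keyCode\s*===?\s*7[34]\b/ },
  { name: 'blocks-ctrl-U-or-S',        re: /ctrlKey\s*&&[^;\n]*keyCode\s*===?\s*8[35]\b/ },
  { name: 'atob-stage',                re: /document\.write\s*\(\s*atob\s*\(/ },
  { name: 'email-regex',               re: /\/\^?[^\/\n]*@[^\/\n]*\// },
  { name: 'password-field',            re: /type\s*=\s*["']?password/i },
  { name: 'posts-credentials',         re: /(fetch\s*\(|XMLHttpRequest|\$\.(?:post|ajax)\s*\()/ },
  { name: 'prefilled-email',           re: /value\s*=\s*["'][^"'\s]+@[^"'\s]+["']/ },
  { name: 'first-attempt-error',       re: /attempts?\s*(<|==?=?)\s*[12]\b/ },
];

// Score a decoded page: which indicators fire, and a coarse verdict from the count.
function triagePage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html)).map((i) => i.name);
  let verdict = 'no strong indicators';
  if (hits.length >= 4) verdict = 'likely credential phish';
  else if (hits.length >= 2) verdict = 'suspicious';
  return { hits, verdict };
}

// Constructed sample page (not the real kit) showing the behaviours this post describes.
const SAMPLE_PAGE = String.raw`<form id="f"><input name="email" value="victim@example.com">
<input type="password" name="pw"><button>Sign in</button></form>
<script>
document.addEventListener('keydown', function(e) {
  if (e.keyCode == 123) e.preventDefault();
  if (e.ctrlKey && e.shiftKey && e.keyCode == 73) e.preventDefault();
  if (e.ctrlKey && e.keyCode == 85) e.preventDefault();
});
var ok = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(document.f.email.value);
var attempts = 0;
document.f.onsubmit = function() {
  attempts++;
  fetch('/collect.php', { method: 'POST', body: new FormData(document.f) });
  if (attempts < 2) { alert('Incorrect password'); return false; }
};
document.write(atob("PGI+aGk8L2I+"));
</script>`;

function demo() {
  return {
    phish: triagePage(SAMPLE_PAGE),            // all nine indicators, 'likely credential phish'
    benign: triagePage('<p>Welcome back</p>'), // no hits
  };
}

console.log(demo());
```

Run this over the output of the decoding steps rather than the raw email, since every one of these strings is hidden behind the packer and base64 layers in the original. The thresholds are deliberately coarse; tune them against your own mail samples before wiring the verdict into anything automatic.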

In this case, the original phishing email contained an alert that the victim had an important voicemail waiting for them. Once they went down the rabbit hole it took them to a website that contained an mp3 of a voicemail! The victim was left confused by a voicemail that had nothing to do with them, so thought it must have been a wrong number.

But within minutes the account was logged into using the stolen credentials, the phishing email had been hard-deleted by the Phisher, and then account mayhem!




Now we need to get back to reality from these layers of encoding.

Hopefully this has given you an idea of the lengths Phishers will go to to obfuscate their intentions so they can slip into your mail without detection.

Until next time, the hexninja says:

Down the rabbit hole

Phishers encoding data

How low can you go
