Let's take a look at this new credSteal (credential-stealing) phishing campaign that is currently targeting users globally. The campaign has been carefully crafted and the JS delivery method is clever (although it has been seen widely before as well).
The entire page is rendered by a document.write call in the JS file that the initial HTML attachment pulls in.
The malicious JS was not detected as malicious by any AV engine at the time of this post (SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3).
Pretty neat - let's take a look.
Here's the phish that comes in:
Here is the .htm attachment, which the user is directed to download to disk and then open locally (no call-out is required at this step):
Let's take a look at the html code:
As you can see above, the HTML simply calls the JS script, which is hosted externally. Upon execution, this script loads the entire fake HTML page, which submits the user's input to the C2.
Let's take a quick look at the code from swf.js. It is important not to get overwhelmed by the code here: it may look like a lot, but it is quite easy to decode. All we need to do is change one function in the code and it'll sing to our tune!
But first, let's take a look at the HTML file that is downloaded from the phishing email. As always, they try to steal as much personal information as possible (even the email account with its password). When opened in a browser, this is what it looks like:
When we inspect the form code, we can clearly see that the POST request goes to the collection engine hosted at "manoda.se" - this is where all the stolen information is sent.
And now, let's take a look at the function in the JS code that loads the entire fake page onto the browser.
Once the loop has finished, the variable x holds the decoded page and is ready to be executed. In this case, document.write is used to turn that string into HTML and render it in the browser. Using this JS code itself, we can get the script to decode and display the entire obfuscated page for us.
The simple trick is to change document.write to WScript.Echo - that's it. Run the script under Windows Script Host and it will simply display the entire decoded HTML in a pop-up window. You can also capture the result in a text file by running it with CScript, whose Echo output goes to the console and can be redirected.
The delivery method has been around for a while now - it spares the attacker at least one step that would otherwise have to pass through the proxy/firewall.
Here are some usable/actionable details:
FileName: swf.js
SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3
https://justforgame[.]it/vserv/swf.js
http://www.manoda[.]se/socket/license/lib/etc/spoof.php