
Saturday, April 28, 2018

Amex Phishing Campaign, JS encoded in htm file | April 2018


Let's take a look at this new credSteal phishing campaign that is currently targeting users globally. The campaign has been carefully crafted and the JS delivery method is clever (although it has been seen widely before as well).
The entire page is rendered by a document.write call in the JS code that the initial HTML pulls in.

The malicious JS was not detected as malicious by any AV engine at the time of this post (SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3).

Pretty neat - let's take a look. 

Here's the phish that comes in: 


There's the htm attachment, which the user is directed to download to disk and then launch locally (no call-out required):
Let's take a look at the html code:


As you can see above, the HTML simply loads the JS script, which is hosted externally. Once it runs, this script writes the entire fake HTML page, which submits the user's input to the C2.

Let's take a quick look at the code from swf.js - it is important not to get overwhelmed by the code here. It may look like a lot, but it is quite easy to decode. All we need to do is change one function in the code and it'll sing to our tune!


But first, let's take a look at the HTML file that is downloaded from the phishing email. As always, they try to steal as much PI as possible (even the email account and its password). When opened in a browser, this is what it looks like:




When we inspect the form code, we can clearly see that the POST request goes to the collection engine hosted at "manoda.se" - this is where all the stolen information is sent.



And now, let's take a look at the function in the JS code that loads the entire fake page into the browser.


Once the loop has run, the variable x holds the decoded page. In this case, document.write is used to render that string as HTML in the browser. Using this JS code itself, we can make the script decode and display the entire obfuscated page for us.

The simple trick is to change 'document.write' to 'WScript.Echo' - that's it. Run the script under Windows Script Host and it will display the entire decoded HTML in a pop-up window. You can also write the result to a text file by running it with CScript.



The delivery method has been around for a while now - it helps the attacker by avoiding the proxy/firewall for at least one step, since the attachment is opened locally.

Here are some usable/actionable details:

FileName: swf.js
SHA-256: 21e9e71186e3bc725c4bf88da1192eff25335a408a5aede56787a3295df501d3


https://justforgame[.]it/vserv/swf.js

http://www.manoda[.]se/socket/license/lib/etc/spoof.php



Tuesday, April 10, 2018

Malware Alert: Schneiken Double Dropper

** UPDATE **
I have now published a full analysis of this malware. As of now (17 APR 2018) there is still no AV detecting it successfully and there is no name for it, so I'm going with 'Schneiken'.

There is a new malware actively being served through phishing campaigns at the time of this post.

This is the Schneiken dropper, an interesting piece of malware written in VBS that comes with multiple layers of code obfuscation. It drops TWO RATs onto the victim's disk: the Duhini RAT and the RATTY JRAT. Both RATs are embedded in the VBS dropper.

I'll be posting a detailed analysis of this malware soon and will update this post with the link to that.

Here are the details in the meantime:

Flow:
Phish > HREF > PDF > HREF > ZIP > VBS > JRAT + Duhini RAT

MD5: 47f21544a7479cae3e20488731ba6aa6
SHA256: d5f56058608f8dabb9d19c432c751f99f994edd056b2846ac51915258494598a
Filename: TT COPY.vbs

JRAT that is being dropped by this malware:

RATTY.jar
MD5: 9b93c76d2dacf7adaacfc1e99dae8089

Deobfuscated/Decoded files: https://github.com/vithakur/schneiken

Wednesday, April 4, 2018

An in-depth malware analysis of QuantLoader

I published this article on QuantLoader; if you are interested, have a read here:

https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/