I have observed a new but more of an old-school technique, attackers are adopting to phish the unsuspecting users and glean their credentials. And seriously this was a clever attempt. This was a case of SPAM mail that we received and after my full investigation on that Incident, this case encouraged me to write the technical report which I have never done in my past.
Let’s Begin the Story of My Case
So the mail which I was talking about contained a zip file that came from a domain <firstname.lastname@example.org> or at least appeared to come from a legitimate domain <sasol.com>. Also the header details seemed fine to me as the “From and Return-Path” both were same and Agari score was good enough to trust the domain plus the e-mail authentication protocols like Sender Policy Framework or SPF, an open standard that specifies a method for preventing sender address forgery, resulting in “spf=Pass” identifies that the domain has the legitimate e-mail sources and prevents unauthorized sources from sending thousands of illicit e-mails from your domain but the DKIM (Domain Key Identified Mail) has the policy record set to “none” which means the message was not signed. However, an organization should use DKIM in addition to SPF and DMARC to help prevent spoofers from sending messages that look like they are coming from your domain. All the information in the header of the e-mail looked fine but the attachment that too in a zip format gave me a benefit of doubt.
So I grabbed that zip file and dropped onto my virtual machine for further analysis. Upon extracting the zip file I was provided with an HTML page.
What’s So Unique About This Mail?
At the start, it all seemed nothing and just a simple HTML page. Exactly what’s so unique or interesting in that? Yeah, it’s just an HTML page. But that page when clicked inside VM popped up an error window and with that error, I got an idea that it is running a script behind the scene.
Pic 1: Pop Up error when clicked on that HTML page
Connecting the DOTS!
Finally grabbed all the encoded code that was wrapped within the unescape function and decoded it with the help of one the decoder tools available online and bit by bit I was able to find the clues and was getting closer to achieve my goal. And finally I have the full HTML page with me but it was not in a good form. I mean it was not properly structured or you can say not properly formatted.
Yes, that’s what the main objective of the attackers is: to make their code harder to understand but keeping the logic intact so that it becomes difficult for the malware analysts to perform an investigation. And they try to make it more complex but what I encountered, in this case, was very simple. One should look out for code obfuscation techniques to battle around with this. And just to let you know the more complex code you see the more difficult it becomes to decode and more frustrating you will get. Mind my words! Just keep patience and don’t try to understand each and every single line of the code. Instead, try to understand the functionality.
So what’s next then? I asked my best friend Google for the “HTML Beautifier” and used one of the beautifier tools available on the Internet. And it presented me with a sweet piece of code nicely formatted with extra spaces and proper indentation. Bang! It was more like winning the trophy at some race.
Pic 4: Formatted HTML code after applying beautifier
It’s time to analyze the code and keep an eye on anything that looks suspicious and that says wait a minute what this thing is even doing over there? Well earlier, I got the sense that the mail is related to some sort of phishing template but I wanted to dig deeper into the ocean of codes before coming to the final conclusions. So in this part, I focused on the area of code where form handling is done as phishing has always to with the forms to phish users. And I noticed a suspicious URL “hxxp://ruffelco.com/poscen.php/” within the form action where all the credentials will be sent once the user enters his/her personal details like username or password. Clever… But got busted!!
Pic 5: Different URL was spotted in the form action
Pic 6: Revealed Phishing Image of Salesforce
So this was how I was managed to connect the dots and was able to get the bottom of the case. Finally, the case was closed after opening the necessary TASKs for the different department.
Pic7: VirusTotal Results
Preparation of IOCs
Hash File of Attachment (RFQU527077.html):-
SHA-256: VirusTotal Scan Results