This blog investigates an interesting phishing campaign we encountered recently. In this campaign, the email subject pertains to a price revision followed by numbers. There is no email body but there is an attachment about an ”investment”. The convoluted filename of the attachment contains characters that are not allowed in the naming convention of a file, noticeably the vertical. Although, as you can see below, while "xlsx" is in the filename, double-clicking the attachment will prompt to open the attachment with the default web browser. Thus, the file indeed appears to be an HTML document.
Figure 1. Attachment of the email has two extensions, an Excel? No, it’s HTML.
Before diving into more details about the HTML file attachment, below is an overview diagram of how the phishing routine was carried out.
Figure 2. How phishing was executed
We first checked out the HTML file attachment with a text editor to view the contents. It is noticeable that a chunk of text is URL Encoded. We turned to a favorite tool, CyberChef, and used its URL Decode function. It revealed more encoded text, some HTML Entity code.
Figure 4. JS Script containing URL Encoded texts unveils Part 1 and Part 2 of the HTML code
Figure 5. JS Script containing Base64 texts unveils Part 3 and Part 4 of the HTML code
By now we had decoded a bunch of encoded texts which are now mostly readable. In a nutshell, to better understand how it all happened in the background, check the table representation below.
Figure 6. The HTML Lego, stack ‘em up, you’ll see the big picture: Phishing Page
We copied over 367 lines of decoded HTML code in order, combined all five parts into a text file editor, and saved the file as test.htm. Remember the last part of the HTML code at the bottom of the original email attachment we mentioned a while ago? We added that as the last part of the HTM file.
In that final part of the code, we inserted a dummy Base64 Encoded email address (“firstname.lastname@example.org”) to replace one line where the original recipient’s Base64 encoded email address had been.
Figure 7. Setting out the bait email address
We then opened test.htm in a web browser. It pops up a message box notification suggesting the user has been logged out of their account and needs to log in once more. This phishing campaign is aimed at Microsoft Office365 users as the web UI is designed to mimic a login interface of Microsoft, complete with logo. There is also a blurred image of an invoice of some company in the background so that in order to see it properly, victims are lured to key in their password.
Figure 8. This phishing page is targeting Office 365 users.
The email address is automatically populated since we manipulated one into the code. But we also opted to key in an invalid email address. The phishing page has a Regular Expression validator for email addresses. Password keys are hidden masked characters. We keyed in a dummy password – “mydummypassword” in the password field. There is also a validator in this field for a blank password.
Figure 9. Phishing page validates email address format and password length.
After hitting the "Next" button on the phishing page, we were able to capture the HTTP POST request to the form URL. It sends the stolen information: email address, on the user field and password on the pass field. As of this writing, the said URL is still online, probably harvesting credentials from its victims. The form URL has a 302 HTTP response which means redirection to another webpage location. The redirection page is now blocked as a phishing website.
Figure 10. Captured HTTP POST Request and Webpage Redirection
FileName: hercus-Investment 547183-xlsx.H t m l