Thursday, 8 October 2015

Phishing and their "obfuscated" code

PLEASE DO NOT TRY THIS UNLESS YOU KNOW WHAT YOU ARE DOING.

JUST DON'T.

I usually receive a lot of phishing and sometimes i get a mail where they attach a zip file.
after giving that zip to the antivirus, i opened it. i found this 2 files:


Now the .txt file tells you to double click the .js which is a WSH script and is what we are going to "reverse".

Ok, so this is the .js file.


now it looks like a mess.. or maybe not?
if you look closely you'll see something interesting:
There are 2 vars, one long which looks like a key then a longer one which looks like an encrypted message.
After that there is a for loop and what looks like a XOR operation:

Now the most simple cryptographic method is XOR and we have at the start something that looks like a key; So let's clean the code!
To do that, I simply use the search and replace function in Notepad++ (most of the text editors have this function).
So we have our key and our encrypted data (enc_data) and then the loop code

As you can see I commented the eval function since it exec a JavaScript code which is written as a string; since we do not know what there is in out_data (which is our decrypted data) it's better to place a console.log() (yes, I used the browser JavaScript console to exec this because it's more secure then WSH..) which will print what there will be in that out_data.
Before executing that just a few notes:
  1. I changed a little the code to make it more understandable, since there was a long inline code. 
  2. As you can see it takes enc_data and do the XOR operation with the key char by char; when the index i is equals to the length of the key, it will be updated to zero (what it essentially does is the module operation with the length of the key string).

So this is the output of that console.log():


Let's make again some clean up because it looks messy, but as you can see, this is already readable..


Ok this is quite simple:
  • There is a value which I suppose is a date (because i received that the 7 of October and the language of the mail was Italian).
  • Then a declaration of a function which is called 2 times at the end of the code.
  • Inside the function there is an encrypted list (it's a list because there is a .split() at the end of the string which is a method that returns an array of strings)
  • They checks if arg is empty or not and set the extension name which will be used later.
  • There is a for where for each element of the enc_list will do some stuff.
  • At the end, it will call the function 2 times (you'll understand why, later).
This is how the function works:
  1. Allocates a Windows Script Shell object, then it will compose a disk location (i called the variable where); it will be filled with something like: C:\Users\<username>\AppData\Local\Temp\<random number><extension>, where username is the name of the current user and extension is the file extension (".exe" and ".pdf").
  2. Initialize the variable ok to false.
  3. Initialize a XHR object (which is used to download a file from the web).
  4. Tells to the XHRObj that once downloaded the data, place it inside the file C:\Users\<username>\AppData\Local\Temp\<random number><extension> and then execute it.
  5.  Then it decrypts the enc_list one by one and once decrypted it concatenate some strings to make an URL and then tries to download the file.
  6. if it doesn't fail it stops the loop, if not then it changes the list entry and tries again.
Now the reason of that encrypted list is to have different hosts where to get that data. if I decrypt that I get these hosts: 

ENTHELP.COM
www.SMOKEDMEATSANDMORE.COM
ERVINSOLAR.NET
DIGITALCONTACT.COM/wp-content/themes/optimizePressTheme
INNOXFUSTA.COM
MAXMSP.ORG/wp-content/uploads
www.DADSONASSOCIATES.COM

which I expect to be exploited websites where they uploaded their shit (aka those files + some other stuff).

If you clean all the code, removing all the obfuscation you'll get original code:


Now I'll explain the purpose of this "mess" if not clear yet:

What it does is decrypting it's internal data which download 2 file from a host; those 2 files are: an EXE and a PDF which are fetched and executed by calling download_data("") (which will fetch the exe) and download_data("&pdf=FhbanGAKJrjHEGz") (which will fetch the pdf).

Now I do not know what those files are, because i haven't executed that script; I can assume they are harmful programs (since this comes from a phishing mail).

So be always aware of what you are going to execute, because it can be really harmful like this WSH file.

if you do not know what you downloaded, delete it! do not trust what you do not know.

No comments:

Post a Comment