[Mal Series #2] Phishing Web Page
The sample analysed here is a phishing HTML file posing as a Microsoft document and using the Coronavirus and the WHO name as the lure. The file tries to steal the user's email credentials, backup account and phone number by luring them into entering these details on a crafted fake HTML page.
Please be careful when dealing with this kind of phishing web page (e.g. DHL, Dropbox, PayPal or Microsoft lookalikes) received from an unknown source.
The HTML file has encoded JavaScript embedded in it.


To make your life easier, extract the JavaScript code into a new .js file and debug it there. Before that, run it through a code beautifier (in your text editor or an online tool) so the obfuscated code becomes readable.
Tips to debug JavaScript code easily:
Install Node.js & npm
Run the command:
$ node <filename.js>
Looking at the beautified code, there is one function that is called repeatedly. It looks like a decrypter, and the decrypted strings/code replace a specific element declared in the HTML file (the element is referenced by its CSS selector).
Now run the node command, but first comment out (or stub out) the lines that call browser-only, document-related functions (e.g. document.write(), ActiveXObject): they do not exist in Node and will throw errors at runtime.

Here is a screenshot of the decrypted strings produced by f0gd().

After glancing through the decoded code, the page appears to interact with an unknown URL, shown in the screenshot below.


Any data the user enters is sent to that unknown URL (most likely attacker-controlled), so the credentials are exposed to the attacker. :'(
The attacker can then sign in to the account and take it over.
However, the attacker will have only restricted access to an account with MFA enabled, since the stolen password alone is not enough to sign in.

IOCs
URL: http://11b374[.]b374483[.]96[.]lt
Sample Name: Coronavirus World Health Organization (WHO).html
SHA256: 486fbd4bdcb32fd1b37a6abfb878d58cefa94006bd1e2f8e750afaf1038f8861