[Mal Series #2] Phishing Web Page

The sample analysed here is a Microsoft document-themed phishing HTML file that uses the coronavirus pandemic and the WHO name as its lure. The file tries to steal the user's email credentials, backup (recovery) account and phone number by luring them into entering those details in a crafted fake login page.

Be careful with this kind of phishing page (impersonating DHL, Dropbox, PayPal, Microsoft, etc.) whenever it arrives from an unknown source.

The HTML file embeds encoded (obfuscated) JavaScript code.

Screenshot: head of the code snippet
Screenshot: end of the code snippet

To make your life easier, extract the JavaScript into a separate .js file and debug it there. Before that, run it through a code beautifier (in your text editor or an online tool) so the minified, obfuscated code becomes readable.

Tips to debug the JavaScript easily:

Install Node.js and npm, then run the extracted file:
$ node <filename.js>

Looking at the beautified code, one function is called repeatedly. It looks like a decoder: each call returns a decoded string or code fragment, which is then written into a specific element (referenced by its CSS selector) that was declared in the HTML file.

Time to run the node command. First, comment out (or stub) the lines that use browser-only objects such as document.write() and ActiveXObject: Node.js has no DOM, so they will throw at runtime. Rather than deleting them, a safer option is to replace document.write() with console.log(), so you capture whatever the decoder emits instead of losing it.

Run this code!!

Here is a screenshot of the decoded strings returned by f0gd().

Screenshot: decoded HTML header

After glancing through the decoded code, the page appears to interact with an unknown URL, shown in the screenshot below.

Screenshot: resource loader fetching from the unknown URL
Screenshot: input form that tricks the user into entering their credentials

Any data the user enters is sent to that unknown URL (most likely attacker-controlled), so the credentials are exposed to the attacker. :'(

The attacker can then log in to the account and take it over.
If MFA is enabled, the stolen password alone gives the attacker only restricted access. Note, though, that the page also asks for the backup account and phone number, which are the details account-recovery flows rely on, so do not assume MFA makes the theft harmless.

Screenshot: phishing login page

IOCs

URL: http://11b374[.]b374483[.]96[.]lt
Sample name: Coronavirus World Health Organization (WHO).html
SHA256: 486fbd4bdcb32fd1b37a6abfb878d58cefa94006bd1e2f8e750afaf1038f8861

Author: ghoulgy (GitHub: https://github.com/ghoulgy)