
A Phishing Mail that stabs in the Back

On 2022-09-26 I got a sus mail from someone pretending to be a professor that I know pretty well, so damn well that I know she would never send me a mail with spelling errors.

Out of respect for my professors and my school's privacy, I will redact (figuratively) names, and I will also be changing the names of some files.

The mail had a file called: somethingImportant.zip

I guess it's the malware the attacker hoped I would open… okay, let's open it on a VM just to make sure:

Extracting the file, you get:

```shell
$ unzip somethingImportant.zip 
Archive:  somethingImportant.zip
  inflating: anHtmlFile.html
```

So the .zip-file has only one file, and it’s a .html-file.

Guessing that the HTML contains some unsafe JavaScript code, I opened it in an editor instead to see its content, and I see:

```html
<!doctype html>
<html lang="en">
<head>
	<title>Y155</title>
	<style type="text/css">
	html, body{
		font-style: Tahoma, sans-serif;
	}
	.aopMsetisamile{
		font-style: Tahoma, sans-serif;
		font-size: 16px;
	}
	</style>
</head>
<body>
	<div style="margin: 50px;">
		<h3>File opening error</h3>
		<p>See file <b>ievrmluaEt.zip</b> in downloaded files</p>
		<p>Password: <b>K789</b></p>
        <script type="text/javascript">var mazeinqhsgm='bWFuLi4uIGxldCdzIHNheSBpdCdzIGEgZmlsZSwgaSdtIG5vdCBnb2luZyB0byBwdXQgdGhlIHdob2xlIGJhc2U2NCB0eHQgOi8=
        ...
        // the base64 is longer than this
```

So the file indeed contained some JavaScript code, but it seems obfuscated… Here is what I found interesting while analysing the malware with a friend of mine:

  • In JS, `!![]` evaluates to `true`, so the attacker used it as the condition of an endless `while` loop that only exits through `break`:

```javascript
while(!![]){
    try{
        ...
        if(...) break;
    }catch(error){
        // errors are swallowed so the loop keeps running
    }
}
```

  • You can call a function without storing it in a variable if you only want to use it once (an immediately invoked function expression):

```javascript
(function(meme_template){console.log('hey sir can a get a '+meme_template+'?')})("BO'OH'O'WA'ER");
// output is: hey sir can a get a BO'OH'O'WA'ER?
```

  • You can rotate an array by one position in just one line (the `['push']` bracket notation instead of `.push` is a common obfuscator habit, since method names can then be built from strings):

```javascript
const my_array = ['a', 'b', 'c', 'd'];
my_array['push'](my_array['shift']());
// now my_array is: [ "b", "c", "d", "a" ]
```

That's it; those were the things I found interesting in the attacker's JS obfuscation.

Anyhow, after the analysis with my friend, I found that what this JS does is force the browser to download a file whose content is stored in the long base64 variable.

The downloaded file is another .zip-file that contains an .iso-file, which in the end contained a kind of Trojan. (Actually I got bored, because it was too much reverse engineering.)
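The pattern above (a long base64 string sitting in a JavaScript variable, decoding to a zip that wraps an .iso) is what a defender wants to pull out of such an HTML attachment without ever opening it in a browser. The following triage script is an added example, not code from the original post: it finds base64 string assignments in the HTML, decodes them, identifies the payload by its magic bytes and, for a zip, lists the member names. The sample HTML, the variable name `mazeinqhsgm` reused from the post and the `ievrmluaEt.iso` member name are constructed for the demo.

```python
import base64
import io
import re
import zipfile

# Matches a JS string assignment holding a long base64 blob, e.g.
#   var mazeinqhsgm='UEsDB...';   (the shape seen in the phishing page above)
B64_VAR_RE = re.compile(r"""var\s+(\w+)\s*=\s*['"]([A-Za-z0-9+/=\s]{64,})['"]""")

# Magic bytes that smuggled payloads commonly decode to.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}


def sniff(data: bytes) -> str:
    """Return a coarse file type for the decoded payload."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    # ISO 9660 keeps its primary volume descriptor at offset 0x8000 + 1.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def extract_smuggled_payloads(html: str) -> list[dict]:
    """Decode every base64 JS variable and describe what it contains."""
    found = []
    for name, blob in B64_VAR_RE.findall(html):
        try:
            data = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        except ValueError:  # not valid base64, e.g. an ordinary string
            continue
        info = {"var": name, "size": len(data), "type": sniff(data)}
        if info["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["members"] = zf.namelist()  # inner files, not extracted
        found.append(info)
    return found


def constructed_sample() -> str:
    """Constructed HTML mimicking the zip-in-HTML -> .iso chain from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ievrmluaEt.iso", b"placeholder bytes, not a real image")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"<script>var mazeinqhsgm='{b64}';</script>"
```

Running `extract_smuggled_payloads(constructed_sample())` reports one zip payload held in `mazeinqhsgm` with the member `ievrmluaEt.iso`, which is the indicator to pivot on before anything is detonated.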

The most bizarre/interesting thing is that the date I received the mail coincided with the release date of a video by John Hammond in which he explained how to force the download of a file from an HTML page.

Here is the video:

Thanks for reading!

This post is licensed under CC BY 4.0 by the author.