Phishing Kit Collecting Victim's IP Address, (Sat, May 20th)

File:Decoder.PNG From Wikimedia Commons, the free media repository Decoder.PNG ‎(512 × 532 pixels, file size: 13 KB, MIME type: image/png) This work is ineligible for copyright and therefore in the public domain because it consists entirely of information that is common property and contains no original authorship. File usage on Commons There are no pages that use this file. Date/Time 12:48, 25 January 2008 User MOJO1985 Comment

While reviewing my last findings today, I found a phishing email that delivered a classic .shtml file called “PROFORMA INVOICE.shtml”. Right now, nothing special, emails like this one are widespread. When you open the file in a sandbox, it reveals a classic form:

The potential victim is asked to enter his/her M365 credentials to reveal the Excel sheet (the email address has been obfuscated). I had a quick look at the HTML code and found something interesting in the HTTP form:

This means that a variable called “ip” will be submitted to the form simultaneously with the credentials. While checking deeper, there was some obfuscated JavaScript code below in the code:

    const getip = async () => {
        const payl = await postData("", {}, "GET");
        document.getElementById("hIP").value = payl.ip;
        return payl.ip;
    async function postData(url = '', data = {}, method="POST") {
        const response = await fetch(url, {
            mode: 'cors', 
            cache: 'no-cache', 
            headers: {
                'Content-Type': 'application/json'
            body: (method.toLowerCase() === "post") ? JSON.stringify(data) : null
        return response.json(); // parses JSON response into native JavaScript objects

The line in red assigns the victim’s public IP address to hIP that will be exfiltrated with the credentials.

Note that this piece of JavaScript is a perfect example of how to contact an API and extract data from the JSON response!

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post