thumbnail

Let's Look At Malware I Got From Work

3 min read from infosec on 2018-07-07

Today we're going to be looking a malware I received from a phishing attempt on my work email. Although I have zero skills in malware analysis, this piece of malware is very simple and uninteresting so this shouldn't take very long.

image-alternative

Here's the email I received (with sensitive information censored). It's a wetransfer download link to a HTML file, so it's already incredibly suspicious because who would send a HTML file? Anyway, let's pop this bad boy into a virtual machine.

image-alternative

Fun fact: I forgot to create a snapshot before opening the file. Make sure to not do this. As you can see, the file is just a fake Office 356 login page. Which confuses me even more because you can see from the address bar that you aren't logging into Office so why would you put your details in? It also looks more like a Google login page rather than Outlook which is more confusing! Although I have heard that at least two people from my office have tried to use it, so what would I know. Getting back on track, let's go and look at the source code, thankfully it is only HTML and I don't have to do any real reverse engineering as we can just look at the source code in plaintext.

image-alternative

While most of the code is in minified JavaScript and I'm not bothered to go and un-minify it, we're just going to be looking at the stuff we can see immediately. The image above shows the HTML for the sign-in we saw earlier. validateForm() is just a function to validate the email address, nothing interesting there. But we can see that it sends a POST request to kombiservis.co, which would obviously be our attacker's domain.

image-alternative

Going further down there's this interesting piece of code. I have no idea what it does, probably because it interacts with the minified code. Based on how it sets iframeUri to https://accounts.youtube.com/accounts/CheckConnection, I'm going to go ahead and assume that it attempts to find if you're logged into YouTube and takes your credentials as the link is very similar to https://accounts.youtube.com/accounts/SetSID which is what Google uses to log you into YouTube when using other Google sites, such as Gmail.

image-alternative

The last piece we're going to look at is this simple keylogger, which puts the keys enter in the tab into the variable keys and sends it as a GET request parameter every 10 seconds to wq14u.com, which is a different domain to the one we saw earlier.

I've also heard from around the office that it sets up auto delete and reply rules on your email, which is probably something that's done when you enter your credentials into the form and POST them to the server.

All in all, a very simple piece of malware which I may come back to at some point to un-minify the JavaScript and see if does anything more interesting.