|
| 1 | +--- |
| 2 | +title: Malware Analysis on a real-world attack. |
| 3 | +description: In-depth malware analysis on a entreprise phishing attack. |
| 4 | +slug: malware-analysis |
| 5 | +date: 2025-02-11 00:00:00+0000 |
| 6 | +weight: 1 |
| 7 | +tags: |
| 8 | +- malware |
| 9 | +- phishing |
| 10 | +- reverse-engineering |
| 11 | +--- |
| 12 | + |
| 13 | +# The Why, the When, and the How |
| 14 | + |
| 15 | +The company I was working with at the time of writing suffered an email phishing attack that targeted the entire Active Directory email database. I was tasked with finding out who launched the attack and how they pulled it off. |
| 16 | + |
| 17 | +The phishing email itself was simple: a generic lure pointing toward a `pages.dev` domain (Cloudflare Pages). To get a better look at what was happening without compromising my own machine, I popped open a Thug docker instance to see if I could extract more information on the exploit or payload the attacker was trying to serve. |
| 18 | + |
| 19 | +Turns out, the first stage of the payload looked like this: a simple fake CAPTCHA inviting the user to verify themselves as human. |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +## Deobfuscating the Layers |
| 24 | + |
| 25 | +Behind the scenes, this landing page actually loads two different JavaScript files. Upon inspection, the first sample of code renders a fake "cleaning service" webpage as a front cover, likely to make the domain look legitimate to automated scanners or curious eyes. |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +After running a quick base64 deobfuscation on the script, the actual content renders up as "Sparkle Clean": |
| 30 | + |
| 31 | + |
| 32 | + |
| 33 | +A bit below these lines, we hit the interesting piece of code: the second stage of the attack. The `botchain.985ymj` url, which returns a simple `1` or `0` boolean as a heartbeat. This is a classic evasion technique, checking if the C2 is alive or, more likely, filtering out bot traffic before serving the real payload. |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | +And guess what? After deobfuscating the logic a bit below that heartbeat, it renders a very nice cloned 1-1 Microsoft login page. |
| 38 | + |
| 39 | + |
| 40 | + |
| 41 | +## The Payload |
| 42 | + |
| 43 | +We finally arrive at the core of the attack. In this fake Microsoft login page, the actual payload gets loaded via yet another JavaScript snippet. |
| 44 | + |
| 45 | + |
| 46 | + |
| 47 | +Once again, after stripping away the obfuscation and revealing the final payload, the script inadvertently leaked its own C2 (Command and Control) URL. The payload itself was humongous, weighing in at a staggering 3,800 lines of code. |
| 48 | + |
| 49 | + |
| 50 | + |
| 51 | +## Defensive Evasion |
| 52 | + |
| 53 | +One of the most notable features of this attack was the aggressive usage of anti-analysis code. The attackers didn't just want to steal credentials; they wanted to prevent researchers from poking around. |
| 54 | + |
| 55 | + |
| 56 | + |
| 57 | +The script employed several "noisy" but effective techniques to kill the session if it detected a researcher: |
| 58 | +1. **Automation Detection:** It checks for `navigator.webdriver`, `PhantomJS`, or user agents containing "Burp" (referencing Burp Suite). If found, it nukes the session and redirects to `about:blank`. |
| 59 | +2. **Debugger Trap:** It runs a tight loop with a `debugger;` statement and measures execution time. If the time difference spikes (meaning a developer has the console open and the code paused), it redirects the user to a random legitimate site (MercadoLibre) as a diversion. |
| 60 | +3. **Input Hijacking:** It disables right-clicking and hijacks the clipboard to prevent copying the source code. |
| 61 | + |
| 62 | +## Conclusion |
| 63 | + |
| 64 | +This was a classic example of a multi-stage credential harvester hiding behind legitimate infrastructure (`pages.dev`) and multiple layers of obfuscation. By peeling back the base64 layers I was able to identify the C2 and block the threat actor effectively. |
0 commit comments