AES Encrypted Phishing Site

malware analysis AES encrypted phishing site
Phishing is one of the most common threats today. In this instance, we receive a PowerPoint via spam email and it leads us to an AES Encrypted Phishing Website.
Filename: TransactionID7889277544.pptx
MD5: bd912590f18332ab93af23d1dcc688e4


DETAILS

Today our malware comes to us via spam. This particular spam message states we have a recent purchase through Apple and we should review the attached receipt. The "receipt" is a Microsoft PowerPoint document.

We begin by analyzing the PPTX by changing its extension to ZIP. This works because modern Microsoft Office documents (the Office Open XML formats: .docx, .xlsx, .pptx) are actually ZIP archives containing the XML parts that describe the document's content, formatting and relationships.


In our case, we come upon a file named slide1.xml.rels (the relationships part for the first slide) and it contains two distinct URLs that have been shortened using Twitter's URL shortening service (t.co).
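As an added example (not from the original analysis), the ZIP-and-.rels inspection described above as a script: it opens a PPTX with Python's zipfile module, reads every .rels part, pulls out hyperlinks marked TargetMode="External" and flags those whose host is a known URL shortener. The embedded archive is constructed for the demonstration, and the t.co paths in it are placeholders, not the sample's real links.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship namespace used by Office Open XML .rels parts
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Hosts of common URL shorteners; a hyperlink to one of these hides the real destination
SHORTENER_HOSTS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}

def external_hyperlinks(pptx_bytes: bytes):
    """Return (rels_part, target_url) for every external hyperlink in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
                # Only external hyperlink relationships point outside the document
                if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/hyperlink"):
                    found.append((name, rel.get("Target")))
    return found

def flag_shorteners(links):
    """Keep only the links whose host is a known URL shortener."""
    return [(part, url) for part, url in links
            if urlparse(url).hostname in SHORTENER_HOSTS]

# Constructed sample: the slide relationships part of a minimal PPTX (placeholder t.co paths)
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://t.co/EXAMPLE1" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://t.co/EXAMPLE2" TargetMode="External"/>
</Relationships>"""

def build_sample_pptx() -> bytes:
    """Build an in-memory ZIP with just enough structure to exercise the parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
    return buf.getvalue()

if __name__ == "__main__":
    for part, url in flag_shorteners(external_hyperlinks(build_sample_pptx())):
        print(f"{part}: {url}")
```

Point the script at a real file by replacing build_sample_pptx() with the bytes of the suspicious document; the same .rels parsing applies to .docx and .xlsx.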


Other than these two strange links, no other metadata stands out as being suspicious. When we open the PowerPoint to inspect our "receipt" we are given the following slide:




The invoice claims we have purchased something from Apple and to click the link at the bottom to cancel the order. The hyperlink is attributed to one of the Twitter Shortened URLs from earlier.

Opening the URLs in a web browser reveals another level of shortening via the bit.ly service before finally redirecting to the Phishing site.



The site is quite convincing; proper English, fonts, design. A+ for effort. Inspecting the page reveals something even more deserving of an A+: 


Nearly all of the page's content is held in a single variable that has been AES encrypted. The page decrypts itself on the fly as it loads via the Aes.Ctr.decrypt function (AES in CTR mode, with the key present in the page's own script). This is very cool as it defeats many online signature scanning services, which see only the ciphertext blob and never the rendered phishing page.

Education of users is one of the weakest links in cyber security, and user protection mechanisms for this type of attack should focus more on emails and downloads. However, the AES obfuscation this site employs isn't for hiding the code from users. It is for avoiding automated reputation crawlers and site security systems that scan webpages for suspicious content and alert providers when questionable activities are taking place. By using this AES encryption technique the site is able to remain hidden a little longer without detection by these systems. There are NUMEROUS techniques to obfuscate web pages with JavaScript and other methods. I have seen a ton of these techniques, but this just happens to be one that I have not seen before.

Instead of manually decrypting the giant blob of data by hand, we can simply open Google Chrome's Developer Tools and output the value of the variable "output" via the JavaScript console, since the page has already decrypted it for us. We can then retrieve the decrypted data:


You may also choose to download the entire site by saving the complete webpage in order to inspect all of the dependency files:

With the AES coolness aside, we continue back to the Phishing portion of this threat. The main page asks us to log in with our Apple ID (the ID is not checked) and then tells us that our account is locked:


When we press UNLOCK ACCOUNT we are directed to a slew of personal questions which will no doubt be recorded by the author (the next page collects financial details): 

DETECTION

Currently there are no virus signatures detecting the PowerPoint document. This is to be expected, since the document itself is relatively benign and contains nothing more than a simple URL; the malicious content lives entirely on the remote site.


CONCLUSION

Due to its unconvincing PowerPoint "receipt" from Apple, this Phishing attempt is rather dull at first. However, it quickly picks up the pace when it reveals a fully AES encrypted Phishing site that decrypts its contents on the fly. A+ for effort. Beware what you open.