Posts

Apple Phishing email leads to a fake Apple login page

Image
Today, I'm looking at a phishing email sent to my Hotmail account. At first glance, it looks pretty standard; set to "High Importance" and littered with exclamation points to create a sense of urgency, the Apple logo and a real Apple support link at the bottom for legitimacy, and an IP address to create a sense of technicality. However, there are a few giveaways:
Misspellings and bad grammar throughoutApple link and boilerplate text at the bottom are for Apple Australia, which is the wrong country for the intended targetIP address belongs to Comcast, which is not the ISP of the intended targetGeneric greeting (Dear Apple User!) rather than a personalized greetingThe iPhone image is loaded from an external source that a legitimate Apple email would not be using (Wikimedia) and has Indonesian (i.e. Malay) alt text (alt="Hasil gambar untuk iphone 6" src="hxxps://upload.wikimedia.org/wikipedia/commons/thumb/0/01/IPhone6_silver_frontface.png/150px-IPhone6_silver…

Domain siblings and contents of the second javascript file

Image
In my previous post, we saw that someone is apparently injecting Monero-harvesting code into what appear to be compromised websites. One method was to inject an invisible frame with a page that contained a script calling https://coin-hive.com/lib/coinhive.min.js, which is the Coinhive javascript Monero miner. Another method, present on the same page (presumably in case the browser used didn't support frames) was to directly call a javascript file from a different site. The contents of this javascript file is an array of numbers, followed by a loop.
This code extracts ASCII codes from the string of numbers, revealing obfuscated HTML.
The result calls the same Coinhive miner, but also another script that appears to create a bunch of ads. I'll run that on a victim machine and post the output later.

In the meantime, both methods used the same Coinhive script with the same unique site ID. This ID is to identify what account gets credited with the site owner's share of the crypt…

Javascript-based cryptocurrency mining script injection

Image
While looking closer at the Showtime embedded cryptocurrency miner mini-scandal, I wondered how many other pages had Coinhive embedded. After a quick Google search, I found several sites that seemed to have the crytocurrency mining code embedded, apparently without the page owners' knowledge, based on the content of the page. The code was embedded within an invisible iframe (a red flag) and the intermediate site that redirected to Coinhive has a history of malware activity. Interestingly, the frame was not always present, forcing a visit to Google's cache:

Presumably compromised site:


Injected frame:

recaptcha-in.pw source code, in its entirety:
We see the call to the Coinhive javascript file (coinhive.min.js). A quick search for the script shows expected results for cryptocurrency mining sites, but also a selection of possibly compromised sites:

enrollsa.com/locationseduedgepro.comnewmarketcomputerservices.com/slide-page/company/sugar-packed.comarifpuglia.itand many others... Th…

TorLocker

You know, all the online analysis I've seen of malware samples is very in-depth and quite good, but it's all assuming a level of expertise with application security and reverse engineering that I just don't have. I need something focused on network intrusion analysis, but usually that's just a subset of the RE. So, I've decided to start my own analyses, which I will store here for now. I'll start with an interesting series of events that led my analysts in the SOC (where I am shift supervisor) to write a number of tickets for malware remediation.

On 10/16/2014 15:52:35 PDT, our firewall showed some Tor traffic from internal hosts, so I filtered for that and found about a dozen internal hosts that were being flagged for it. The Palo Alto firewall was using its deep packing inspection capability to classify the traffic according to its Applipedia database. The most active host was sending traffic to 81.7.14.246, so I searched for that and found the Malwr sample l…
Testing out a new way to post to Twitter...via email. Twitter's website will be blocked in Afghanistan from government computers, and I won't have my cell phone.