[Storm-1575] Another Day Another O365 Phishing Email Analysis


It looks like this campaign is still going, even after I got multiple providers to block their old backend server for posting results, blackmooncoo.ru, after analyzing the email outlined here.


They have definitely changed up their code a bit. I was feeling lazy, so rather than reverse engineering it I just proxied the connection through Burp Suite to gather what I could.


Above is the original email; as you can see, like some of the others, it is not very sophisticated. Just "hey, here's an HTML file." When you open the HTML file, it brings you through a nice little animation of an Outlook folder opening and closing until the login page loads.

Here's the source code. If you want to block these, I recommend a mail flow rule that looks for HTML attachments that contain " atob " (note the space before and after, to avoid accidentally blocking files with words that contain those characters). Also block HTML files that contain the string "atob("; that should get rid of most of these.
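The same content check can be run outside a mail gateway, for example over quarantined or exported messages. The following is an added example, not code from the original post or from the phishing kit: it parses a raw message, decodes each HTML attachment, and looks for the two strings named above. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The two strings the post recommends matching inside HTML attachments.
MARKERS = (" atob ", "atob(")
HTML_EXTENSIONS = (".html", ".htm")


def is_html_attachment(part) -> bool:
    """True for parts sent as attachments that are HTML by name or MIME type."""
    name = (part.get_filename() or "").lower()
    return part.get_content_disposition() == "attachment" and (
        name.endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"
    )


def flagged_attachments(raw_message: bytes):
    """Return [(filename, [markers found])] for HTML attachments that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if not is_html_attachment(part):
            continue
        # decode=True undoes base64/quoted-printable transfer encoding, so the
        # match runs on the file content rather than on its encoded form.
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        found = [m for m in MARKERS if m in body]
        if found:
            hits.append((part.get_filename(), found))
    return hits


def build_sample(attachment_body: str, filename: str) -> bytes:
    """Constructed test message (not taken from the campaign)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(attachment_body.encode(), maintype="text",
                       subtype="html", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample('<script>var p = atob("Y29uc3RydWN0ZWQ=");</script>',
                          "invoice.html")
    print(flagged_attachments(sample))
```

The matching is a plain substring test, so an attachment containing a word such as "Matobo" is not flagged, which is the false positive the spacing in " atob " is meant to avoid.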


I did look at the code briefly; as you can see above and below, it contains a function which decodes a base64-encoded string. Below is the decoded string. This contains further obfuscation and is the part of the code they changed since this past weekend.


Again, the function above contains a base64-encoded string, and below you can see that it contains the parameters required to decrypt their POST domain... but why decode it when you can just MiTM it?



I also noted that throughout the html page there are references directly to Microsoft's images to make this look as close as possible to their login screen and evade detection.



Here is a request that shows one of the relevant malicious domains for this attack:


xrmbpliazfkzrtrcrhqq.cloudhostbuilder.com

You can see that "zealousy":"garderobe" is passed through here; this was located in the source code of the page. I assume this is passed as a way of authenticating that you are coming from a valid phishing location that they have not blacklisted.

And when we submit a password, here is the location it sends the credentials to: makeveli.cloudhostbuilder.com.



At the time of performing these steps, the IPs were also captured:


172.67.222.9

Yet again hiding behind Cloudflare's servers to evade detection.


So, with that, cloudhostbuilder.com makes it into our blocklist!
