Breaking Apart a Phishing Attempt

in #technology, 6 years ago

Some time ago I received a suspicious email that claimed I was due in court for some legal obligation. Knowing that the American legal system doesn't contact you by email, I was curious. This was interesting, since the only kind of spam I ever received was for fake sunglasses or payday loans. What really caught my eye was the attachment, Court_Notification.zip. I pulled out an old laptop I use for this sort of thing and went to my local Starbucks.

Once I verified that it was in fact a .zip, I opened it up. It contained one file: Court_Notification.doc.js. This was a huge relief, for two reasons. The first is that the malicious code was delivered overtly, making it a lot easier for me to focus on what was important. The second is that it was written in JavaScript, a language I was far more comfortable with than, say, C++. Below you will find a GitHub Gist containing the unedited JavaScript. Please don't do anything stupid with it. This is for educational purposes only.

https://gist.github.com/ChrisGermano/ff651183be0ca1bf81cd7012ab89dd19

While the code looks pretty messy and repetitive, it got me thinking. Every function had pretty much the same structure, except one.

var __port__in = '';

// Accumulator: every call appends one fragment to the string that is
// eventually evaluated. All the other functions just feed this one.
function __viewer__desk__src__ca(_v_) {
    __port__in = __port__in + _v_;
}

Ultimately, this chunk of JavaScript concatenates a string out of a garbled mess of functions and hard-coded parameters. While I could, and should, have automated the process, I crawled through the code by hand. After the first four __viewer__desk__src__ca() calls, __port__in already contains eval, so the end goal of the program was pretty clear. The final code evaluated to the following (and, as above, for educational purposes only):

https://gist.github.com/ChrisGermano/3b25b82ce7ade6f9aed712fc7d08c5eb
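The manual crawl described above can be automated without ever running the sample: pull every literal passed to the accumulator and join them in source order. The block below is an added example, not code from the post or either gist; the `SAMPLE` dropper is constructed here and builds a harmless `eval('1 + 1')`, and the function and variable names are borrowed from the snippet above.

```javascript
// Added example (not from the post or the gist): statically rebuild the
// string that an accumulator-style dropper feeds to eval(), without
// executing any of it. SAMPLE is constructed and harmless.
const SAMPLE = String.raw`
var __port__in = '';
function __viewer__desk__src__ca(_v_) {
    __port__in = __port__in + _v_;
}
__viewer__desk__src__ca('ev');
__viewer__desk__src__ca('al(\'1');
__viewer__desk__src__ca(" + 1\')");
`;

// Resolve the common backslash escapes found inside JS string literals
// (\n, \r, \t and escaped quotes/backslashes; \x and \u are not handled).
function unescapeLiteral(body) {
  const table = { n: '\n', r: '\r', t: '\t' };
  return body.replace(/\\(.)/g, (_, c) => (c in table ? table[c] : c));
}

// Collect every quoted literal passed to the named accumulator, in
// source order, and join them exactly as the dropper would at runtime.
function reconstructPayload(source, accumulatorName) {
  const name = accumulatorName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  // Matches name('...') or name("...") with escaped quotes inside the literal.
  const callRe = new RegExp(
    name + "\\(\\s*(['\"])((?:\\\\.|(?!\\1).)*)\\1\\s*\\)", 'g');
  const fragments = [];
  for (const m of source.matchAll(callRe)) fragments.push(unescapeLiteral(m[2]));
  return { fragments, payload: fragments.join('') };
}

// Triage verdict: how many fragments were appended, what they build, and
// whether the rebuilt string is handed straight to eval().
function analyseDropper(source, accumulatorName) {
  const { fragments, payload } = reconstructPayload(source, accumulatorName);
  return { fragments: fragments.length, payload, usesEval: /^\s*eval\s*\(/.test(payload) };
}

console.log(analyseDropper(SAMPLE, '__viewer__desk__src__ca'));
```

Pointing `analyseDropper` at the real gist instead of `SAMPLE` gives the same reconstructed string the post walks through by hand, with the script never executed.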

So what's interesting about this? The three hardcoded URLs point to an American Muslim blog, a mask store, and a bookkeeping service owned by a property management group in Florida. From a brief investigation, the three sites have nothing in common in terms of content or ownership, so they were likely chosen for a shared technical vulnerability rather than for political or personal reasons.

I went back to the original email and noticed the sender's address wasn't from a domain that had anything in common with the websites in the second script. calvin.farris@gavelar.com.br belongs to a Brazilian furniture store whose site, when navigated to, redirects you to an admin login panel. If you don't log in, the website loads normally. There was also no mention of a Calvin Farris anywhere on the site or associated business pages.

At this point, I was pretty sure I knew what was going on, and I'm confident my hunch was correct: this is an attack on sites running outdated versions of WordPress. While it may not be the most exciting conclusion, I found that all of the sites in the script, as well as the likely compromised Gavelar, were running early WordPress 3.x.

Do any WordPress experts have more insight into the low-level functionality of the second script? Have you received a similar email? Comments and votes are greatly appreciated, and thanks for reading!