 |
Phinding the truth
Current mood:
 satisfied
A new phishing/smishing campaign hit the other day and I was excited to dig into the tech to find out what the threat actors were doing and how.
I didn't get the mobile analysis lab set up in time to see the actual page but I did manage to de-obfuscate their anti-analyst checks to see what they were utilising to prevent people like me from snooping on their tactics.
They used webGL to load a canvas and then request the hardware information from the browser using webGL's debugging kit. Kinda cheeky.They checked for video/audio hardware, screen size, colour depth, and if there was a touch screen.
The way I did this was to use the following cURL script to capture the page information:
curl "hxxps://apple-id[.]reactivate-ref[.]com" -A "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1" -L > apple-phish-obfuscated.html
The URL has been defanged for safety, even though the campaign has been taken down.
At the bottom of the page, there is a de-obfuscation script that runs to make sure the page runs as intended. Pulling back the code-curtain, we can see what the initial page was doing. In order to do that, we have to make the page do the deobfuscation for us.
xtP.forEach(function miR(value) { sqZ += String.fromCharCode(parseInt(atob(value).replace(/\D/g,'')) - 32807763); } ); document.write(decodeURIComponent(escape(sqZ)));
In the above string, we see "document.write" which is going to render the changes in the browser before we get to see them. What we can do is change the local version of the page we have to say "console.log", open up the page and head to the console tab, to see the entire page beautifully deobfuscated for us.
This is what we see.
What's interesting is their usage of webGL_debug_renderer_info to read information about the device being used to perform the request to the server.
What is also interesting is how it handles you if you're unsuccessful in tricking the php. It sends you here:
This is a fake nginx default page. We never stop at the first sign of trouble. Always analyse further!
Taking a look at the page source, we see a curious link that the browser claims is a 0x0 pixel image. The only reason these are ever used (popular in emails) is to perform tracking.
Followed the link without the set of alphanumeric characters at the end, to understand what this service is and we are greeted with a curious website:
It's not entirely known as of the research I was able to perform, what the purpose was for this tracker being involved other than to potentially pull information to add to permanent block lists or perhaps for gatthering statistics for a futurer campaign. Interesting and warrants making an account and testing the site for the kind of information you can recieve from it and its accuracy.
Following this, the logical conclusion was to check the page out with either a legitimate phone or build a small lab environment in an attempt to trick the page. Android Studio came to mind but I wasn't able to get one set up in time before the campaign ended. Timing is imperative as these phishing campaigns don't tend to last long.
Information on the site was sent to the registrar and hosting service to hopefully help prevent further campaigns like this from going up and to follow proper disclosure.
This write up is only a fracture of the full one intended to be released on my github where more in-depth and technical analysis will be performed. A link will go up as a status here for those that are interested. ♥
|
