Recently, after the successful intrusion of linked-in network by attackers, phishers also started exploiting the trust of users by sending phishing emails with embedded malicious links. The linked-in is on bit roll nowadays by attackers but it is always good to analyze the phishing attack. Our team received the phished linked-in emails. Of-course if you are in malware analysis field you are always targeted one or the other way. It happens. Let's discuss the exploit in action in this phishing attack. The users receive following email as presented in the figure below:
The users who received this email are presented below:
The malicious links accompanied with this email are presented as:
On successfully loading of JS files, the webpage redirects to the target pointed by document.location call. The target URL is actually NGINX reverse proxy which communicates back with blacklisted IP serving malware. The attacker is almost using 3-4 hops to retrieve the malicious content. On detecting the hosts, we found that some of the links are now down or giving forbidden access. However, the targets can be accessed by querying directly with the IP address of the host and not the DNS. The exploit used during this campaign might vary with time but we encountered the script that triggered flash/adobe exploit that uses JavaScript heap spraying. The obfuscated script used in this case is bit complex but not a hard target to deobfuscate. The obfuscated script (redacted) looks like as presented below
There are several tricks you can use to deobfuscate it, one of the methodology is discussed in our previous blog post on JavaScript Obfuscation - http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html.
The deobfuscated script is available here - http://pastebin.com/yDjQRD0u. Some of the interesting code has been shown below, the rest you can scratch on the pastebin.
On successful, deobfuscation, we observed that1. The script is fingerprinting plugins, OS, User-agent and other information
2. The malicious domain is running BlackHole BEP.
3. We accessed certain set of files on the domain, one of which is shown below
So, the BlackHole is still on fire but attackers now using modular way of serving exploit. There are other interesting information that we found during analysis but not presenting here. If something more interesting comes up, we will update it here.
How to be secure?
1. Update plugins to the latest version.
2. Think twice before your click.
Be secure !
