Wednesday, June 13, 2012

LinkedIn Phishing Attack - Dissecting Attack and Used Exploit

Recently, after the successful intrusion of linked-in network by attackers, phishers also started exploiting the trust of users by sending phishing emails with embedded malicious links. The linked-in is on bit roll nowadays by attackers but it is always good to analyze the phishing attack. Our team received the phished linked-in emails. Of-course if you are in malware analysis field you are always targeted one or the other way. It happens. Let's discuss the exploit in action in this phishing attack. The users receive following email as presented in the figure below:


The users who received this email are presented below:


The malicious links accompanied with this email are presented as:

The phished email is embedded with more than 2 malicious links.The index.html retrieves 2 JS files from two different domains as presented below


 
On successfully loading of JS files, the webpage redirects to the target pointed by document.location call. The target URL is actually NGINX reverse proxy which communicates back with blacklisted IP serving malware. The attacker is almost using 3-4 hops to retrieve the malicious content. On detecting the hosts, we found that some of the links are now down or giving forbidden access. However, the targets can be accessed by querying directly with the IP address of the host and not the DNS. The exploit used during this campaign might vary with time but we encountered the script that triggered flash/adobe exploit that uses JavaScript heap spraying. The obfuscated script used in this case is bit complex but not a hard target to deobfuscate. The obfuscated script (redacted) looks like as presented below


The script is too big to paste here. So you can find it here - http://pastebin.com/MSpCtZH7
There are several tricks you can use to deobfuscate it, one of the methodology is discussed in our previous blog post on JavaScript Obfuscation -  http://secniche.blogspot.com/2012/04/javascript-obfuscation-manual-armor-1.html.

The deobfuscated script is available here - http://pastebin.com/yDjQRD0u. Some of the interesting code has been shown below, the rest you can scratch on the pastebin.

On successful, deobfuscation, we observed that

1. The script is fingerprinting plugins, OS, User-agent and other information
2. The malicious domain is running BlackHole BEP.
3. We accessed certain set of files on the domain, one of which is shown below


So, the BlackHole is still on fire but attackers now using modular way  of serving exploit. There are other interesting information that we found during analysis but not presenting here. If something more interesting comes up, we will update it here.

Hot to be secure?

1. Update plugins to the latest version.
2. Think twice before your click.

Be secure !