Tuesday, September 29, 2015

[Updated] Nurturing JavaScript Obfuscation and Fast Flux DNS - "WhatsApp Voicemail Spamming" for Russian Online Pharmacies!

We recently analyzed a "WhatsApp fake voicemail" spam campaign that tricks end users into visiting online pharmacy websites. There is a high chance that malware could be downloaded onto the systems of end users who visit these spam sites; however, we did not observe that behaviour during this analysis.

The "WhatsApp fake voicemail" spam messages are not new; we have been encountering this spam activity for the last few years. There have been no significant changes in the methods used to send the "WhatsApp fake voicemail" notification messages that lure end users into visiting illegitimate domains. From a security research perspective, however, the goal is to understand how this spam attack is carried out at the backend. Because the WhatsApp brand is used as bait, there is a high chance that people will click the links in the notification emails. This spam attack targets a broad set of Internet users in order to redirect them to the online pharmacy outlets managed by Russian cyber actors. Read more on the online pharmacy monetary model here: https://en.wikipedia.org/wiki/Online_pharmacy

Let's perform the analysis. The end user receives an email notification for the "WhatsApp fake voicemail" message, as shown below:

When the end user clicks the link, the browser is redirected to a malicious domain that serves the HTTP response headers shown below. The landing pages are hosted on a WordPress site that appears to be compromised. Let's take a closer look at the HTTP request and response headers.

GET /wp-content/themes/eStore/epanel/page_templates/js/educating.php HTTP/1.1
Host: pasarjagakarsa.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 29 Sep 2015 19:32:40 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.44
Content-Encoding: gzip

The status line of the HTTP response shows "404 Not Found", which generally means the resource does not exist on the web server. That is not the case here: the web server responded with the following content as part of the web page.

Before going further, check our earlier articles on JavaScript de-obfuscation.

The web page has obfuscated JavaScript embedded in it. Let's extract the obfuscated JavaScript, as shown below:

The obfuscated JS is not complex and can be de-obfuscated easily. On de-obfuscation, we observed that the user's browser was further redirected to the following domain: "hxxp://magicorganicmarket.ru", as shown below:

Due to a misconfiguration on the landing domain "hxxp://pasarjagakarsa.com/wp-content/themes/eStore/epanel/page_templates/js/educating.php", a directory listing was obtained as follows:

Several other malicious links with obfuscated JavaScript were obtained and are presented below:

function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,111,131]; cellc=""; for(celld=0;celld<cellb.length;celld++) { cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);

Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalherbsoutlet.ru/


function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; sicklec=""; for(sickled=0;sickled<sickleb.length;sickled++) { sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://genericaidcompany.ru/

function timee() { timea=58; timeb=[177,163,168,158,169,177,104,174,169,170,104,166,169,157,155,174,163,169,168,104,162,172,159,160,119,97,162,174,174,170,116,105,105,167,159,158,163,157,155,166,173,155,160,159,173,159,172,176,163,157,159,173,104,172,175,97,117]; timec=""; for(timed=0;timed<timeb.length;timed++) { timec+=String.fromCharCode(timeb[timed]-timea); } return timec; } setTimeout(timee(),1292);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://medicalsafeservices.ru/


function risee() { risea=80; riseb=[199,185,190,180,191,199,126,196,191,192,126,188,191,179,177,196,185,191,190,126,184,194,181,182,141,119,184,196,196,192,138,127,127,192,181,194,182,181,179,196,184,181,194,178,195,199,181,178,189,177,194,196,126,194,197,119,139]; risec=""; for(rised=0;rised<riseb.length;rised++) { risec+=String.fromCharCode(riseb[rised]-risea); } return risec; } setTimeout(risee(),1314);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://perfectherbswebmart.ru/


function likede() { likeda=62; likedb=[181,167,172,162,173,181,108,178,173,174,108,170,173,161,159,178,167,173,172,108,166,176,163,164,123,101,166,178,178,174,120,109,109,173,172,170,167,172,163,176,163,171,163,162,183,180,159,170,179,163,108,176,179,101,121]; likedc=""; for(likedd=0;likedd<likedb.length;likedd++) { likedc+=String.fromCharCode(likedb[likedd]-likeda); } return likedc; } setTimeout(likede(),1296);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://onlineremedyvalue.ru/

function politye() { politya=38; polityb=[157,143,148,138,149,157,84,154,149,150,84,146,149,137,135,154,143,149,148,84,142,152,139,140,99,77,142,154,154,150,96,85,85,148,135,154,155,152,135,146,150,143,146,146,147,135,146,146,84,152,155,77,97]; polityc=""; for(polityd=0;polityd<polityb.length;polityd++) { polityc+=String.fromCharCode(polityb[polityd]-politya); } return polityc; } setTimeout(politye(),1272);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://naturalpillmall.ru/

function travellere() { travellera=56; travellerb=[175,161,166,156,167,175,102,172,167,168,102,164,167,155,153,172,161,167,166,102,160,170,157,158,117,95,160,172,172,168,114,103,103,160,157,170,154,153,164,160,167,172,168,173,170,155,160,153,171,157,102,170,173,95,115]; travellerc=""; for(travellerd=0;travellerd<travellerb.length;travellerd++) { travellerc+=String.fromCharCode(travellerb[travellerd]-travellera); } return travellerc; } setTimeout(travellere(),1290);
Online Pharmacy Website after De-obfuscating JS Code: hxxp://herbalhotpurchase.ru/
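Every sample above has the same shape: a numeric key, an integer array, and a loop that subtracts the key from each element before passing the result to setTimeout as a string, which the browser then evaluates. The following decoder is an added example and not code from the original post; it recovers the redirect target statically (without executing the JavaScript) from constructed copies of the first two samples, and refuses samples whose loop does not use the extracted key and array.

```python
import re

# Constructed copies of the first two samples quoted in the post; the other
# samples share exactly the same shape and decode the same way.
SAMPLES = [
    "function celle() { cella=72; cellb=[191,177,182,172,183,191,118,188,183,184,118,180,"
    "183,171,169,188,177,183,182,118,176,186,173,174,133,111,176,188,188,184,130,119,119,"
    "182,169,188,189,186,169,180,176,173,186,170,187,183,189,188,180,173,188,118,186,189,"
    "111,131]; cellc=\"\"; for(celld=0;celld<cellb.length;celld++) "
    "{ cellc+=String.fromCharCode(cellb[celld]-cella); } return cellc; } setTimeout(celle(),1306);",
    "function sicklee() { sicklea=42; sickleb=[161,147,152,142,153,161,88,158,153,154,88,150,"
    "153,141,139,158,147,153,152,88,146,156,143,144,103,81,146,158,158,154,100,89,89,145,143,"
    "152,143,156,147,141,139,147,142,141,153,151,154,139,152,163,88,156,159,81,101]; "
    "sicklec=\"\"; for(sickled=0;sickled<sickleb.length;sickled++) "
    "{ sicklec+=String.fromCharCode(sickleb[sickled]-sicklea); } return sicklec; } setTimeout(sicklee(),1276);",
]

# key assignment followed by the integer array, e.g. "cella=72; cellb=[191,...]"
KEY_AND_ARRAY = re.compile(r"(\w+)=(\d+);\s*(\w+)=\[([\d,\s]+)\]")
# the decode loop: String.fromCharCode(<array>[<index>]-<key>)
LOOP = re.compile(r"String\.fromCharCode\((\w+)\[\w+\]-(\w+)\)")
URL = re.compile(r"https?://[^'\";\s]+")


def decode_sample(js: str) -> str:
    """Statically rebuild the string the loop would produce, without running the JS."""
    m = KEY_AND_ARRAY.search(js)
    if not m:
        raise ValueError("no key/array pair found")
    key_name, key, arr_name, body = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    loop = LOOP.search(js)
    if not loop or loop.group(1) != arr_name or loop.group(2) != key_name:
        raise ValueError("loop does not use the extracted key and array")
    return "".join(chr(int(c) - key) for c in body.split(",") if c.strip())


def redirect_target(js: str):
    """Return the URL the decoded payload sends the browser to, or None."""
    decoded = decode_sample(js)
    if "location.href" not in decoded:
        return None
    m = URL.search(decoded)
    return m.group(0) if m else None


def extract_targets(samples):
    """Map each sample's function name to the pharmacy URL it redirects to."""
    return {re.match(r"function (\w+)", s).group(1): redirect_target(s) for s in samples}
```

Running extract_targets over the remaining samples on this page yields the same list of .ru pharmacy domains the post reports, which makes this a quick way to triage new pages carrying the same loader.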


All the information and orders are actually handled by this primary outlet: hxxps://checkoutucxefvfq.fastcheckoutrx.com/

We performed tests at the network level to understand how the name servers were configured, and we found that DNS fluxing was used in this campaign. The Time-To-Live (TTL) field is set to 600 seconds, and once it expires the IP address of the domain changes.

Here is an example:

perfectherbswebmart.ru. 600 IN A
perfectherbswebmart.ru. 600 IN A
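As an added example (not part of the original post), the check below flags the behaviour just described over a constructed set of resolver observations: a short TTL combined with an A record that moves between successive lookups. The 600-second TTL is the value reported above; the IP addresses are documentation-range placeholders, not the real answers.

```python
from collections import defaultdict

# Constructed resolver log: (seconds since first lookup, qname, TTL, A record).
# Addresses are placeholders from the documentation ranges, not real answers.
OBSERVATIONS = [
    (0,    "perfectherbswebmart.ru.", 600,   "198.51.100.10"),
    (600,  "perfectherbswebmart.ru.", 600,   "203.0.113.25"),
    (1200, "perfectherbswebmart.ru.", 600,   "192.0.2.77"),
    (1800, "perfectherbswebmart.ru.", 600,   "198.51.100.10"),
    (0,    "static-shop.example.",    86400, "192.0.2.1"),
    (600,  "static-shop.example.",    86400, "192.0.2.1"),
    (1200, "static-shop.example.",    86400, "192.0.2.1"),
]


def flux_profile(observations):
    """Per qname: lowest TTL seen, distinct A records, and how often the answer changed."""
    by_name = defaultdict(list)
    for when, name, ttl, ip in sorted(observations):
        by_name[name].append((when, ttl, ip))
    profile = {}
    for name, rows in by_name.items():
        ips = [ip for _, _, ip in rows]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        profile[name] = {
            "min_ttl": min(ttl for _, ttl, _ in rows),
            "distinct_ips": len(set(ips)),
            "changes": changes,
        }
    return profile


def fast_flux_candidates(observations, max_ttl=600, min_distinct_ips=3, min_changes=2):
    """Names whose TTL is short and whose A record keeps moving between lookups."""
    return sorted(
        name for name, p in flux_profile(observations).items()
        if p["min_ttl"] <= max_ttl
        and p["distinct_ips"] >= min_distinct_ips
        and p["changes"] >= min_changes
    )
```

The thresholds are heuristics; a CDN can also answer with a low TTL and rotating addresses, so treat a hit as a prompt to look at the domain's registration age and hosting, not as a verdict on its own.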

Some analytical points for consideration:
  • Extensive use of ".ru" domains was observed in this spam campaign.
  • One can conclude that automated spam-code generation tools were used in this campaign to ease the process of large-scale infection.
    • For example, infecting PHP pages hosted on compromised websites with obfuscated JavaScript code.
  • Considering the artefacts, the campaign appears to be executed at an extensive scale.
    • Many similar instances of JavaScript obfuscation have been analyzed, as presented above.
    • A number of online pharmacy websites were found after de-obfuscating the JavaScript:
      • hxxp://herbalhotpurchase.ru/
      • hxxp://naturalpillmall.ru/
      • hxxp://onlineremedyvalue.ru/
      • hxxp://perfectherbswebmart.ru/
      • hxxp://medicalsafeservices.ru/
      • hxxp://genericaidcompany.ru/
      • hxxp://naturalherbsoutlet.ru/
  • We believe that this is just the tip of the iceberg and there will be many more.
We won't be surprised if the same tactics are used for drive-by downloads rather than spam alone.

Note: At the time of drafting this post, all the websites were active.

Stay Secure!