ARC Labs recently analyzed a phishing email used in a credential harvesting campaign that leveraged a lure notifying the target they received a voice message and needed to visit a link to access it.
Analysis of the payload revealed heavily obfuscated HTML data which executed JavaScript code embedded within an SVG image when the page is rendered on the target system. Within the SVG data, ARC Labs discovered encrypted data containing a second stage page prompting the target to enter their credentials to access the voice message.
Analysis of the JavaScript code revealed the second stage page data was encrypted across multiple different HTML classes and dynamically decrypted using CryptoJS, which enables the encryption and decryption of data within JavaScript. As is often the case with dynamically rendered encrypted data originating from phishing emails, the decryption key is recoverable through code analysis.
The following guide is an overview of the steps taken by ARC Labs to retrieve the encrypted content from within the embedded JavaScript code. A complete walkthrough of the payload analysis can be viewed on the Binary Defense YouTube channel.
ARC Labs identified a sample on the Internet that is structured similarly to the CryptoJS payload analyzed in this blog. If you’d like to follow on with the analysis please check out the sample located: https://www.virustotal.com/gui/file/9084f414c7d672aed527d13c1e27ad055965d50c0c5eeddebdcc648b000c9681. Binary Defense does not recommend that you run any analysis on an enterprise computer and should only be analyzed within a safe environment with the requisite protections to avoid any unknown infection.
The original HTML content sent to ARC Labs was encoded with Base64. Decoding the Base64 data revealed an SVG element tagged with “onload,” indicating to the browser that the content should be rendered automatically upon loading the page. Additionally, the SVG data was padded with the characters “\r\n,” which could have been a tactic to further obfuscate the payload, as some dynamic analysis tools may evaluate “\r\n” as a carriage return separating the payload into new lines, causing the page to fail to load.
At the end of the SVG data, the site implemented the decodeURIComponent and replace functions to pass the decoded URI data to the document function with all the “\r\n” string data removed, resulting in properly formatted HTML data with embedded JavaScript code.
While the JavaScript code was heavily obfuscated, ARC Labs identified a function named “_0x87d4” containing an array of common JavaScript commands. This is a common obfuscation technique to hinder human analysis by replacing commands within the code with references to elements within the array instead of calling the commands directly. For example, instead of writing “concat,” the code would instead call the function 0x87d4 passing a hexadecimal value corresponding to the desired command within the array.
Further within the JavaScript code, ARC Labs identified an obfuscated variable named “_0x3e21a6,” which was modified and saved into a variable named “mysrc”. Analysis of the data during runtime revealed that “_0x3e21a6” contained a ROT-13 encoded URL to load CryptoJS from a remote source.
When encrypted data is loaded upon rendering the page, the decryption key is often present within the code, meaning the data can be decrypted for further analysis.
ARC Labs analyzed the JavaScript during runtime and by setting breakpoints at every invocation of CryptoJS, was able to recover the decryption key and reveal the encrypted second-stage data containing the credential harvesting page, which would be loaded when the target clicked on the initial lure.
The encrypted data was stored across four base64 encoded HTML classes which were joined together in a specified sequence and then encrypted using a key generated from a hardcoded passphrase.
With the decryption key recovered, ARC Labs passed base64 encoded data in the correct order to a standard CryptoJS decryption command along with the key to reveal the second-stage URL stored within a variable named “finalURL”.
