This content originally appeared on DEV Community and was authored by a.infosecflavour
I recently came across a LinkedIn post about a typosquatting attack that goes beyond the well-known IDN homograph attacks (e.g. Latin, Greek or Cyrillic lookalikes). The malicious actor was using the Japanese character ん.
Intrigued by the meaning of the character, I did some research and discovered it translates to “yes” (hence the title “ん, and?”, a nod to Ariana Grande’s viral song “Yes, And?”).
It all starts with phishing
The victim receives a phishing e-mail that appears to originate from Booking. In fact, the adversaries masqueraded as the legitimate company (T1036).
According to a data breach report issued by Verizon, phishing (T1566) ranks third among the techniques used to obtain initial access (TA0001), being involved in 17% of breaches.
Analyzing the e-mail, one can observe elements such as:
- a generic greeting (Dear Partner)
- the same greeting reused inside a sentence (Dear Partner, the level of guest service…)
- the same greeting formula used yet again in another sentence (Dear Partner, kindly note that a buildup…)
- the message doesn’t sound natural
- a sentence ending in both “.” and “:” (All unresolved complaints are available for review here)
- a sentence missing its punctuation mark, which should have been a “.” (We suggest that you carefully review the documentation and suggested solutions provided)
- while at first glance the link wouldn’t raise concerns, hovering over it reveals that the URL is in fact hxxps[://]account[.]booking[.]comんdetailんrestric-access[.]www-account-booking[.]com/en/ (the punycode form of the domain is account[.]booking[.]xn--comdetailrestric-access-ge5vga[.]www-account-booking[.]com)
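As an added example (my own code, not from the original post), the Python snippet below shows how a defender can unmask such a URL: it parses the hostname, encodes each label with IDNA to reproduce the punycode form quoted above, identifies the registrable domain (www-account-booking.com, not booking.com), and flags any label containing a non-ASCII character that a reader could mistake for a path separator. The slash-lookalike set and the "last two labels" rule are simplifying assumptions of mine.

```python
from urllib.parse import urlsplit
import unicodedata

# Re-fanged copy of the URL quoted in the post; the victim "sees"
# account.booking.com/detail/restric-access, but ん (U+3093) is not a
# slash, so all of that is one subdomain label of www-account-booking.com.
SAMPLE_URL = ("https://account.booking.comんdetailんrestric-access"
              ".www-account-booking.com/en/")

# Characters a reader may take for a path separator (assumed, partial list;
# a real deployment should use a confusables table such as Unicode UTS #39).
SLASH_LOOKALIKES = {"\u3093", "\u2215", "\u2044", "\uff0f", "\u29f8"}


def inspect_url(url: str) -> dict:
    """Describe what the hostname of `url` really is, label by label."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Simplification: the last two labels are taken as the registrable
    # domain. Production code should consult the Public Suffix List.
    registrable = ".".join(labels[-2:])
    findings = []
    for label in labels:
        if label.isascii():
            continue
        findings.append({
            "label": label,
            # ToASCII as a browser would do it: "xn--" prefix + punycode
            "punycode": label.encode("idna").decode("ascii"),
            "chars": {c: unicodedata.name(c, "?") for c in label if not c.isascii()},
            "slash_lookalike": bool(set(label) & SLASH_LOOKALIKES),
        })
    return {
        "host": host,
        "registrable_domain": registrable,
        "punycode_host": host.encode("idna").decode("ascii"),
        "non_ascii_labels": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_url(SAMPLE_URL), ensure_ascii=False, indent=2))
```

The same check run on the legitimate https://account.booking.com/ returns no non-ASCII labels and booking.com as the registrable domain.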
One could easily be tricked for various reasons:
- being lured by the masquerade
- lack of attention
- tiredness
- lack of cyber-security education
- an accidental click
- eyesight issues
- panic
- a small or awkward device screen
Once the first stage is accomplished, the user is redirected to the following webpage:
Suspicious signs all the way
What does the redirection page have to do with the received e-mail? The message was about complaints, and now an account takeover has been identified? That is how panic overrides critical thinking and the victim clicks on Terminate access!
After clicking the button, the victim must complete a captcha challenge. After selecting the correct photos, the user is prompted to perform the following steps:
- Open Run
- Press CTRL+ V
- Press Enter
Once these steps are performed, a PowerShell script gets executed.
Sandbox detonation
Note: The following information serves for educational purposes only!
I decided to detonate the malicious URL in the tria.ge sandbox.
Because the page had already been categorized as malicious (e.g. by Cloudflare Radar, urlscan.io and VirusTotal), as can be seen in the capture below,
a warning page tells the visitor that the website is a suspected phishing site. This can be bypassed by solving the challenge and clicking the Ignore & Proceed button (not solving the challenge redirects the user to the page captured below, which can also be encountered when analyzing the URL via urlscan.io).
Clicking on the Terminate access button leads to a captcha challenge. If the user tries to interact with the link below the button, there is no visible redirect, and opening it in a separate tab shows the same page.
Although the correct images are selected, the captcha is invalid, so the user must execute the following verification steps:
Once the steps are executed, a PowerShell process is spawned, alongside other malicious background processes, as can be seen in the screenshots below:
All of a sudden, I was prompted with a Windows Installer dialogue for… Vaquero!
Other malicious processes: TurIndex.exe, BeaconFab.exe, PortalClien.exe, AdaptConductor.exe, NavigatorCobalt.exe. An exhaustive list can be obtained by investigating the malicious URL in a dedicated sandbox.
During the analysis, the malware took control of the session: it closed the Task Manager and got stuck in a loop of selecting the files on the desktop and randomly opening their Properties dialog, making user interaction impossible (for example, trying to open Start).
Note that the payload can be pasted into Notepad instead (do this during the faux verification steps described earlier), just as you would paste it into the Run dialog. Make sure you do this quickly enough.
Tria.ge report conclusions
A full report can be generated by interacting with the malicious URL in the Tria.ge dedicated sandbox. The results include the following, but are not limited to:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Hijack loader detected
- Blocklisted process makes network requests
- Modified trusted root certificate store through registries
- Clipboard data
- Dropped EXE executed
- Dropped DLL loaded
Of course, you can run the URL in any other sandbox service, such as any.run or hybrid-analysis.com.
Beware of phishing
With that said, make sure you stay safe online.
- Install a paid antivirus.
- Pay attention to anything suspicious. Hover over links.
- If on a tablet or phone, press and hold links (don’t click!!).
- Use critical thinking: was the e-mail expected? Why am I receiving it?
- If you want to get in touch with a representative, do so through official channels (do not use the contact details given in the message, such as phone numbers or e-mail addresses!).
- Report the e-mail as phishing.