Considered the backbone of web UI development, JavaScript is primarily used for scripting and front-end programming. Sounds a bit harmless, right? However, JavaScript can also be turned into a malicious tool that executes unwanted actions without the victim's knowledge: downloading drive-by malware, phishing the user, or even completely taking over the victim's (vulnerable) web browser. Now, let's get straight to business…
A company worker forwarded an email to me and asked for a threat analysis of some suspicious activity. The email had apparently been sent as part of a spear-phishing attempt, and one attachment caught my attention: Project.html
I powered up my Windows 10 virtual machine for further analysis. The reason is that Windows ships with a built-in script interpreter, Windows Script Host, which runs JScript (Microsoft's JavaScript dialect) through two hosts: CScript prints its output to the command line, while WScript shows it in GUI dialog boxes. I downloaded the file to the virtual machine, renamed the .html extension to .txt and opened it in a text editor.
A <script> tag shows that this is JavaScript code. The unescape() function replaces every %XX escape sequence with the character it represents, so the payload only becomes readable once that decoding has run. I made a copy of Project.txt to avoid tampering with the original and renamed the copy's .txt extension to .js. Then I replaced the document.write() call with WScript.Echo, which is the 'print' function for WScript/CScript: instead of writing the decoded HTML into the page, the script now prints it to the console. I opened cmd and ran this command:
cscript "Project2 -Copy.js"
At first it didn't work: cscript expects a plain JScript file, so the leftover HTML tags around the script are syntax errors to it. After clearing those tags from the code, I began to see proper output.
I redirected the output to a file, decode.txt, using this command:
cscript "Project2 -Copy.js" > decode.txt
I took a look at this file and discovered the source code of a website.
I scrolled down the code and discovered a bunch of base64-encoded characters.
Out of curiosity, I fired up the second tool I would use for this analysis: CyberChef (highly recommended, btw). I added the 'From Base64' recipe and pasted in the base64 input.
Scrolling further down the code revealed a form-submit field. This is almost certainly a phishing page, but what does it steal, and where does it submit?
It captures the email and password fields with a classic submit-btn. At the bottom of the script I discovered an eval() call whose argument was built from char-encoded characters.
I copied the body of the eval() call into a new file, eval.js. Then I replaced eval() with WScript.Echo, so the decoded string is printed rather than executed, and ran it from cmd:
cscript eval.js
I redirected this new output to another file, evaldecode.txt, and opened it in a text editor.
Feeling a lil' extra, I ran the remaining code through CyberChef's JavaScript Beautify recipe to get a readable view. Found some JSON syntax, let's look into that.
I found the URL where this form submits the stolen credentials: [REDACTED].com/success/list.php
I tried browsing up the directory path and discovered… the server was vulnerable!
The server was a LiteSpeed web server. A quick look at list.txt showed some highly sensitive information that I CANNOT put on here.
Now that it was confirmed to be a phishing site (and not some malicious BeEF sandbox-escape 0-day), I could take a visual look at it. I renamed the original file back to .html and opened it in the VM's browser.
I tested the form by entering some fake details and submitting them. I checked [REDACTED].com/success/list.txt, and the fake input had been appended to the text file just like the other victims' data.
Looking at its parent directory, [REDACTED].com, the site appears to be hosted on Namecheap with no index page. I tried looking for an email address or any other information that could identify the webmaster, but all efforts proved futile.
I gathered all the evidence from the threat analysis and handed it to my client, along with the website's URL and related info. The client decided to report the site, and it was taken down in less than an hour. Any further sanctions were at the discretion of the hosting company.
That's how I de-obfuscated some malicious JavaScript code and traced it back to the attacker's server, along with the exposed stolen credentials.
Stay safe.
Stay dangerous.
See y’all next time when I remember my password.