Spam Mails
Spams were received which had Google and LinkedIn icons and pretended to be notification messages. We analysed three separate spam messages, one received on each day between 8th and 10th February, 2016.
Two of these spams were masquerading as being from Google and the third as being from LinkedIn.
Redirection via Compromised Site
The spams contained links to PHP files on compromised web sites.
E.g.
arteconomist[.]com/greenberg[.]php
egram[.]info/gets[.]php
As the Fiddler captures below show, both of the above URLs return HTTP 404, but the 404 bodies contain quite a lot of random words.
And at the very end of each 404 page returned is a JavaScript which constructs the URL of the final landing page.
Below is a screenshot of the Fiddler capture from the second sample.
JavaScript URL constructor: Sample #1
The JavaScript found in the first 404 page (arteconomist[.]com) was as shown below:
<script type="text/javascript">
function walkinge()
{
    walkinga = 21;
    walkingb = [140,126,131,121,132,140,67,137,132,133,67,129,132,120,118,
    137,126,132,131,67,125,135,122,123,82,60,125,137,137,133,79,
    68,68,131,118,137,138,135,118,129,133,126,129,129,130,118,129,
    129,67,135,138,60,80];
    walkingc = "";
    for (walkingd = 0; walkingd < walkingb.length; walkingd++)
    {
        walkingc += String.fromCharCode(walkingb[walkingd] - walkinga);
    }
    return walkingc;
}
setTimeout(walkinge(), 1255);
</script>
The first JavaScript explained
The Javascript above contains an array of integers:
140-126-131-121-132-140-67-137-132-133-67-129-132-120-118-137-126-132-131-67-125-135-122-123-82-60-125-137-137-133-79-68-68-131-118-137-138-135-118-129-133-126-129-129-130-118-129-129-67-135-138-60-80
And looking at the simple for() loop in the JavaScript, we can see that the script is simply subtracting decimal 21 from each integer value in the array.
After performing the same subtraction manually (OK, actually a little Reg-Ex and then Excel), we find that the resultant array becomes:
119-105-110-100-111-119-46-116-111-112-46-108-111-99-97-116-105-111-110-46-104-114-101-102-61-39-104-116-116-112-58-47-47-110-97-116-117-114-97-108-112-105-108-108-109-97-108-108-46-114-117-39-59
Now we can already see that this array contains ASCII values, so after a manual lookup in the ASCII table we find that the above array is actually:
window.top.location.href='http://naturalpillmall . ru';
(whitespace added to deactivate the link)
JavaScript URL constructor: Sample #2
The JavaScript found in the second 404 page (egram[.]info) was as shown below:
<script type="text/javascript">
function hurrye()
{
    hurrya = 91;
    hurryb = [210,196,201,191,202,210,137,207,202,203,137,199,202,
    190,188,207,196,202,201,137,195,205,192,193,
    152,130,195,207,207,203,149,138,138,201,188,
    207,208,205,188,199,203,196,199,199,200,188,
    199,199,137,205,208,130,150];
    hurryc = "";
    for (hurryd = 0; hurryd < hurryb.length; hurryd++)
    {
        hurryc += String.fromCharCode(hurryb[hurryd] - hurrya);
    }
    return hurryc;
}
setTimeout(hurrye(), 1325);
</script>
The second JavaScript explained
The Javascript above contains the following array of integers:
210-196-201-191-202-210-137-207-202-203-137-199-202-190-188-207-196-202-201-137-195-205-192-193-152-130-195-207-207-203-149-138-138-201-188-207-208-205-188-199-203-196-199-199-200-188-199-199-137-205-208-130-150
And looking at the for() loop in the script, we can see that the script is simply subtracting decimal 91 from each integer value in the array.
After performing the same subtraction manually, we find that the resultant array becomes:
119-105-110-100-111-119-46-116-111-112-46-108-111-99-97-116-105-111-110-46-104-114-101-102-61-39-104-116-116-112-58-47-47-110-97-116-117-114-97-108-112-105-108-108-109-97-108-108-46-114-117-39-59
So we find that the above array is actually the same as in the first JavaScript:
window.top.location.href='http://naturalpillmall . ru';
(whitespace added to deactivate the link)
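Both scripts above use the same trick (an integer array minus a fixed offset, fed to String.fromCharCode), so the same static decoder serves both samples. The following is an added example, not code from the original post: it embeds the first sample verbatim (with straight quotes), locates the offset, the array and the subtraction loop with regular expressions, rebuilds the string without executing any JavaScript, and returns the redirect target defanged for a report.

```python
import re

# Sample #1 script from the page (straight quotes), embedded so the decoder runs offline.
SAMPLE_1 = """<script type="text/javascript">
function walkinge()
{
walkinga = 21;
walkingb = [140,126,131,121,132,140,67,137,132,133,67,129,132,120,118,
137,126,132,131,67,125,135,122,123,82,60,125,137,137,133,79,
68,68,131,118,137,138,135,118,129,133,126,129,129,130,118,129,
129,67,135,138,60,80];
walkingc="";
for(walkingd=0;walkingd<walkingb.length;walkingd++)
{
walkingc+=String.fromCharCode(walkingb[walkingd]-walkinga);
}
return walkingc;
}
setTimeout(walkinge(),1255);
</script>"""

# Patterns for the three pieces the loop needs: the numeric offset, the integer
# array, and the fromCharCode(array[i] - offset) expression that ties them together.
OFFSET_RE = re.compile(r"(\w+)\s*=\s*(\d+)\s*;")
ARRAY_RE = re.compile(r"(\w+)\s*=\s*\[([\d,\s]+)\]\s*;")
SUBTRACT_RE = re.compile(r"fromCharCode\(\s*(\w+)\[\w+\]\s*-\s*(\w+)\s*\)")
URL_RE = re.compile(r"location\.href\s*=\s*['\"]([^'\"]+)['\"]")

def decode_redirect(script: str) -> str:
    """Statically rebuild the string the loop would produce, without running the JS."""
    m = SUBTRACT_RE.search(script)
    if not m:
        raise ValueError("no fromCharCode(array[i] - offset) loop found")
    array_name, offset_name = m.group(1), m.group(2)
    offsets = {n: int(v) for n, v in OFFSET_RE.findall(script)}
    arrays = {n: [int(x) for x in body.split(",") if x.strip()]
              for n, body in ARRAY_RE.findall(script)}
    return "".join(chr(v - offsets[offset_name]) for v in arrays[array_name])

def landing_url(script: str) -> str:
    """Pull the redirect target out of the decoded statement and defang it for a report."""
    m = URL_RE.search(decode_redirect(script))
    if not m:
        raise ValueError("decoded script does not assign location.href")
    return m.group(1).replace("http", "hxxp").replace(".", "[.]")
```

Pasting the second sample into SAMPLE_1's place yields the same decoded statement, since only the variable names, offset and array differ.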
The third sample
The third sample was constructed very much the same way, except for the fact that the final landing page URL was a different one:
h–p://onlinenaturalassist[.]ru
Final Landing Pages
The final landing pages were:
h–p://onlinenaturalassist[.]ru
h–p://naturalpillmall[.]ru
When we visited both of these URLs, they had exactly the same content and look. Both are newly registered domains (see WHOIS screenshot below) and both are selling (fake) Viagra, Cialis etc.