Malware Analysis Spotlight: Detecting & Analyzing a Chase Phishing Page

Aug 12th 2021

Introduction

In this Malware Analysis Spotlight, we will take a look at a phishing attempt targeting customers of the popular US-based bank Chase. We discovered the URL of the phishing page at the end of March 2021 and found several similar pages. The phishing page uses JQuery and Ajax to steal the credentials and credit card information. Figure 1 shows the phishing page on the left and the legitimate online presence on the right side. Compared to the legitimate Chase page (right), the phishing page is almost identical mirroring the same style, login form, color scheme, background image, and site footer.

View the VMRay Platform Report for the Chase Phishing Page

Phishing Page vs Original - Malware Analysis Spotlight

Figure 1: VMRay Analyzer – Appearance of the phishing page (left) and legitimate online presence (right).

Besides the URL, both pages appear overall very similar, and at first impression, the phishing page doesn’t arouse suspicion VMRay Analyzer successfully detects the phishing attempt and provides detailed information about the phishing page through the VMRay Threat Identifiers (VTIs).

Chase Phishing Page - VTI Matches

Figure 2: VMRay Analyzer – VTI matches of the phishing page.

The VTI matches reveal VMRay Analyzer recognizes the page masquerading itself as Chase (Figure 2) by detecting the use of the same favicon and page title as the legitimate Chase website. In addition to the masquerade, the matches note the page presents a login form while using HTTP, which doesn’t secure the data. Most online services that provide a login uses HTTPS to transmit sensitive data over a secure communication channel. Presenting a login form over HTTP is an indicator of a phishing attempt.

Independent of the protocol being HTTP or HTTPS, VMRay Analyzer scans and analyzes requests, corresponding responses, and downloaded resources. In this case, the matched YARA rule associates the phishing page with a phishing kit.

To further investigate the communication including accessed resources, we can take a look at the Behavior Tree.

Downloaded Javascript - Sent requests for MyBabyTwo

Figure 3: VMRay Analyzer – Behavior Tree – Downloaded JavaScript files (left) and sent requests for MyBabyTwo.js (right).

The Behavior Tree allows us to inspect the sequential behavior of the page during the analysis. In this case, it reveals the browser downloads five JavaScript files (Figure 3 – left). Given their filenames, four of them seem to be related to JQuery, while the filename of the last one, “MyBabyTwo.js”, is rather unconventional (Figure 3 – right).

By downloading the file from the VMRay Platform Report and opening it in an editor, we notice that the file is obfuscated. It utilizes functions that access elements in three arrays which contain page properties, keywords and variables among others. Instead of using those values directly, the script invokes the corresponding lookup function to resolve the value at runtime. This hides the real functionality of the script and makes a manual static analysis more challenging.

Excerpt of the obfuscated file MyBabyTwo.js.Figure 4: Excerpt of the obfuscated file MyBabyTwo.js.

Figure 4 shows an excerpt of the obfuscated file with the lookup function being highlighted. In order to understand the script during a manual static analysis, the lookup function calls need to be resolved and can then be replaced.

Excerpt of de-obfuscated script responsible for stealing login credentials (left) and validating the credit card number

Figure 5: Excerpt of de-obfuscated script responsible for stealing login credentials (left) and validating the credit card number (right).

Figure 5 shows two excerpts of the de-obfuscated script. The code snippet on the left side is responsible for stealing the initial login credentials inserted in the login form previously seen in Figure 1. It adds a new handler to the login form that sends a POST-request containing the credentials to the target “./XBALTI/send.php” on the same server. Besides the credential-stealing, the script uses the online service binlist[.]net to validate the inserted credit card number and ensure the credit card is associated with the Chase bank (Figure 5).

Conclusion

Despite the obfuscation of the script, VMRay Analyzer detects the masquerade as Chase bank and the phishing attempt successfully. It examines transferred data for suspicious or malicious content, allowing the detection of phishing kits. VMRay Analyzer helps to protect against phishing attacks while analysts benefit from offered capabilities during an investigation.

IOCs

hxxp://chase.th.patricepurnell.com
hxxp://chase.th.patricepurnell.com/img/alert.gif
hxxp://chase.th.patricepurnell.com/css/lostyle.css
hxxp://chase.th.patricepurnell.com/img/loading.gif
hxxp://chase.th.patricepurnell.com/img/congra.png
hxxp://chase.th.patricepurnell.com/js/jquery.CardValidator.js
hxxp://chase.th.patricepurnell.com/js/jquery.validate.min.js
hxxp://chase.th.patricepurnell.com/js/jquery.min.js
hxxp://chase.th.patricepurnell.com/js/MyBabyTwo.js
hxxp://chase.th.patricepurnell.com/img/desktopnight.jpeg
hxxp://chase.th.patricepurnell.com/img/emdef213.png
hxxp://chase.th.patricepurnell.com/img/logo.svg
hxxp://chase.th.patricepurnell.com/css/style.css
hxxp://chase.th.patricepurnell.com/fonts/opensans-regular.ttf
hxxp://chase.th.patricepurnell.com/img/lawla.png
hxxp://chase.th.patricepurnell.com/fonts/dcefont.woff
hxxp://chase.th.patricepurnell.com/img/cardsimg.png
hxxp://chase.th.patricepurnell.com/img/icon.ico