Mandiant researchers recently identified “URL Schema Obfuscation” as an adversary technique that conceals the final URL destination by manipulating the URL schema during the distribution of various malware families.
The method has the potential to enhance the chances of a phishing attack being successful, as well as introduce errors in domain extraction within logging or security tools.
Because network defense tools rely on identifying the destination server, the technique can bypass them and create gaps in visibility, impairing threat detection and the understanding of malicious campaigns and infrastructure.
New URL Obfuscation Technique
An investigation by Mandiant revealed that SMOKELOADER employs various obfuscation techniques to obscure URL destinations, leading to the distribution of numerous malware variants, as highlighted in a tweet by @ankit_anubhav.
This tweet exemplifies the use of two simultaneous obfuscation techniques, demonstrated by the URL “hxxp://google.com@1157586937”, which leads to the unexpected outcome of a Rick Roll video.
The two obfuscation techniques used are:-
The usage of an “@” sign.
The usage of alternative hostname formats.
Attackers persistently employ URL Schema Obfuscation due to its effectiveness in evading security measures and increasing the chances of victim link engagement, often resulting in the download and execution of additional malware.
The downloaded documents have been observed exploiting vulnerabilities such as CVE-2017-0199 and CVE-2017-11882 to achieve code execution on victims, a method employed by numerous commodity malware families such as:-
LOKIBOT
MATIEX
FORMBOOK
AGENTTESLA
When a URL contains a username section before the “@” sign, the browser ignores it and directs the request to the server indicated after the “@” sign.
The URL analysis reveals that the “google.com” portion is interpreted as a username, highlighting its potential for manipulation in spear-phishing campaigns by substituting it with the target email address domain to enhance its effectiveness.
Representing a server IP address as an integer is an uncommon and more advanced level of obfuscation, as the typical dotted-quad IP address format is widely used to represent IPv4 addresses.
For example, treating the four octets of the IP address 1.2.3.4 as a single, large 32-bit binary number and converting it to decimal gives 16909060.
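As an added example (not code from the Mandiant report or the tweet it cites), the following Python normalizer is what a logging pipeline could apply to a URL before domain extraction: it splits off the userinfo that the browser discards and decodes the host to dotted-quad. It goes beyond the article's integer case to the hexadecimal, octal and short-form IPv4 notations that inet_aton-style parsers also accept; the sample inputs are constructed apart from the integer host quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One dotted-IP component as inet_aton-style parsers accept it:
# hex (0x1f), octal (017, leading zero) or decimal.
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def ipv4_to_int(dotted: str) -> int:
    """Dotted-quad -> single 32-bit integer form (1.2.3.4 -> 16909060)."""
    return int(ipaddress.IPv4Address(dotted))

def _part_value(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)            # leading zero means octal, as in inet_aton
    return int(p, 10)

def decode_host(host: str) -> str:
    """Normalize integer / hex / octal / short-form IPv4 hosts to dotted-quad.
    inet_aton rule: the last component fills all remaining bits, so a lone
    component is the whole 32-bit address (the tweet's '1157586937').
    Anything that is not a numeric IPv4 form is returned unchanged."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return host
    vals = [_part_value(p) for p in parts]
    tail_bits = 8 * (5 - len(vals))
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << tail_bits:
        return host                 # out of range: not a valid IPv4 literal
    value = vals[-1]
    for i, v in enumerate(vals[:-1]):
        value |= v << (24 - 8 * i)
    return str(ipaddress.IPv4Address(value))

def normalize_url(url: str) -> dict:
    """Record what the browser actually contacts: split off the userinfo
    before '@' (which the browser ignores) and decode the real host."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    host = decode_host(raw_host)
    return {
        "userinfo": parts.username,  # 'google.com' in the tweet's example
        "raw_host": raw_host,
        "host": host,
        "obfuscated": parts.username is not None or host != raw_host,
    }
```

Running `normalize_url("http://google.com@1157586937/")` reports the userinfo `google.com` and the decoded host `68.255.95.249`, which is the value a log or detection rule should match on.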
During a VirusTotal Retrohunt in February 2023, a Microsoft Word document’s component file triggered a YARA rule, uncovering a multi-stage attack involving template injection, exploitation, and the deployment of AGENTTESLA malware that extracted data through an encrypted Telegram channel.
The document file “PO.docx,” initially detected on VirusTotal on February 6, 2023, employs a template injection technique that triggers upon opening, leading to a request for the subsequent malware stage, while further examination reveals the presence of the next stage within the webSettings.xml.rels file when decompressed.
Security, logging, or threat intelligence tools that rely on this specific regular expression fail to detect and extract obfuscated URLs, and the technique also cannot be identified through network traffic analysis, because browsers translate the syntax into the valid destination before making the request.
To counter the exploitation of URL Schema Obfuscation for malware delivery through phishing links and template injection, defenders should prioritize the capability of their security tools and logging systems to detect, identify, and correctly parse relevant indicators, ensuring adherence to RFC standards.