Threat Research

cyware: Analyzing CryptoJS Encrypted Phishing Attempt  | Binary Defense

Cyware

ARC Labs dissected a credential-harvesting phishing email that delivered a Base64-encoded SVG which executed heavily obfuscated JavaScript to dynamically decrypt a second-stage page with CryptoJS. By debugging runtime CryptoJS calls, analysts recovered the hardcoded decryption key and reconstructed the final credential-collection URL. #CryptoJS #BinaryDefense

Keypoints

  • The lure claimed the recipient had a voice message and required visiting a link (phishing via link).
  • The delivered payload was Base64-encoded HTML containing an SVG with an onload handler that executed embedded JavaScript.
  • The SVG payload included “rn” padding and was passed through decodeURIComponent and replace to produce the final HTML/JS for rendering.
  • JavaScript was heavily obfuscated using an array of common commands (function named “_0x87d4”) and contained an obfuscated variable “_0x3e21a6” holding a ROT-13 encoded URL to load CryptoJS.
  • Encrypted second-stage content was split across four base64-encoded HTML classes, joined in a specific order, and encrypted with a key derived from a hardcoded passphrase.
  • By instrumenting the page and setting breakpoints on CryptoJS invocations, ARC Labs recovered the decryption key and used a standard CryptoJS decryption call to reveal the finalURL variable containing the credential-harvesting page.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Email lure directed targets to click a link to access a voice message. (‘used a lure notifying the target they received a voice message and needed to visit a link to access it.’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious JavaScript was executed from an SVG on page render to build and run the second-stage payload. (‘executed JavaScript code embedded within an SVG image when the page is rendered on the target system.’)
  • [T1027] Obfuscated Files or Information – Attackers used heavy JavaScript obfuscation, command-array substitution, Base64 encoding, and padding to hide payloads. (‘JavaScript code was heavily obfuscated’)
  • [T1140] Deobfuscate/Decode Files or Information – The attack packaged encrypted/encoded content that required decoding/decryption at runtime (decodeURIComponent, replace, Base64 joins) to produce the active HTML/JS. (‘decodeURIComponent and replace functions to pass the decoded URI data … resulting in properly formatted HTML data’)
  • [T1536] Credentials from Web Forms (mapped to Phishing/Exfiltration) – The loaded second-stage page collected user credentials via a rendered form after decryption. (‘encrypted data containing a second stage page prompting the target to enter their credentials’)

Indicators of Compromise

  • [Base64-encoded HTML payload] Delivered in phishing email – Base64 SVG content that decodes to an onload SVG with embedded JS (Base64 HTML data).
  • [Obfuscated variables] In-script identifiers – _0x87d4 (command array), _0x3e21a6 (ROT-13 encoded CryptoJS URL) used to hide functionality.
  • [Encrypted fragments] Second-stage split across HTML classes – four base64-encoded HTML classes joined and decrypted to reveal the payload (stored across four base64 encoded HTML classes).
  • [Decrypted final URL] Runtime artifact – decrypted variable finalURL containing the second-stage credential-harvesting page (variable named “finalURL”).
  • [Source / analysis reference] Research write-up – https://www.binarydefense.com/resources/blog/analyzing-cryptojs-encrypted-phishing-attempt/

Technical procedure (condensed): The payload arrived as Base64-encoded HTML; decoding revealed an SVG with an onload handler that executed embedded JavaScript. The SVG included deliberate “rn” padding; the script used decodeURIComponent and replace to strip padding and inject the resulting HTML/JS into the document. The JavaScript employed standard obfuscation patterns — a command array function (_0x87d4) and other mangled identifiers — and contained an obfuscated variable (_0x3e21a6) storing a ROT-13 encoded URL used to load the CryptoJS library at runtime.

ARC Labs ran the page in a debugger to observe runtime behavior. They identified where CryptoJS was invoked and set breakpoints at each call; because the decryption key and the encrypted payload are both present in the executing script, pausing at CryptoJS invocations allowed extraction of the key. The encrypted second-stage HTML was assembled from four base64-encoded class fragments, joined in the correct order, then passed to a standard CryptoJS decryption call using the recovered key.

With the key and correctly ordered base64 fragments, decrypting via CryptoJS produced the second-stage content and exposed the finalURL variable pointing to the credential-harvesting page. The procedure highlights common phishing obfuscation tactics (Base64, padding, command arrays, ROT-13 for loader URLs) and demonstrates that runtime inspection of CryptoJS calls is an effective method to recover embedded decryption keys and reconstruct hidden payloads.

Read more: https://www.binarydefense.com/resources/blog/analyzing-cryptojs-encrypted-phishing-attempt/