Hello, welcome to the Tuesday, June 11th, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Neptune, New Jersey.

Xavier today took a look at an interesting, obfuscated JavaScript that one of our readers submitted.

Interesting because in this particular case,

a phishing site included a data URL that essentially encoded an entire malicious

VERT document within the Base 64 stream following the data URL.

Data URLs are sort of interesting because they usually evade further detection and

automatic analysis by anti-maliter.

They're sort of treated just like harmless HTML code, but once the user clicks on the

particular link, the URL is decodedoded and the user is then being offered to

download the included malicious word document. And Prince Security site, my online security is bringing

us an interesting combination of DNS techniques that are being used in order

to create malicious or at least spammy web pages. The trick here is that once user visits

the HTML web page, JavaScript within the page is used to resolve certain text records, DNS text records,

that are then returning the actual content of the page.

So the page itself is static.

It just uses JavaScript in order to keep itself updated.

Now, this could, of course, just be accomplished by using JavaScript to use

methods like fetch or XMHP request in order to download HTML snippets from another website,

but that may be a little bit too obvious and too easy to spot. So instead, this attacker opted in for DNS.

Now, I'm not a JavaScript expert by any means, but I don't think JavaScript has a simple DNS

...