Good day everyone, it was viral and notice that my Facebook friends start sending New Years greeting using a web application and everyone get hook on the app since it was fun to generate your own greetings.

but if you’re a regular user you will not notice what is happening on the background while enjoying your greetings.

Landing Page of Web Application

Once you click the bell, the door/window will open and your message greeting will display.

on the image above, you will see the message sent by your friend. as you notice there is a textbox under (yellow box). upon checking it, it also vulnerable to “Reflected Cross Site Scripting” which can pose a threat to a user who will try to click the link.

attack can steal session cookie or install malicious script to your browser/device. here’s the proof of XSS Vulnerability.

i didn’t go further on web application vulnerabilities, but i want to know the real campaign of this web application. there is still question in my end since CSP-CERT shared this information with a limited information. But CSP-CERT did a good job for this since the consumers are non-technical.

upon checking on the link shared in facebook i saw this screenshot of the ip address flag was a cloudflare IP Address.

Malicious IP Address Detection

Most of the time, WAF can generate false positive information to trick any attacker on the web application that there is a vulnerabilities or threat. my second option is to check if the Web Application Firewall (WAF) is properly configured. i run dnsenum on my VM machine to check if i can reveal the real IP Address of the domain.

So there you go, we reveal the real ip address of the website compare to CloudFlare IP Address

Screenshot for CloudFlare IP Address validation

by checking on the IP Address used by wish-you.co from 104.31.92.16 both IP Address are clear in security threats.

for 104.31.92.16

Clean IP Address with no Threats Identified

for 104.31.93.16

Clean IP Address with no Threats Identified

But upon checking on the related CloudFlare IP Address we came up with the following result.

CloudFlare IP Address

For karl.ns.cloudflare.com with the ip address 173.245.59.190 here’s the analysis on the IP Address related. for your reference and if you like to replicate this article: https://www.threatcrowd.org/ip.php?ip=173.245.59.190

Karl.ns domain

I was surprise that the cloudflare ip address is associated with malicious MD5 hashes, to verify we can navigate in one of the MD5 hash to check the result. right click in one of the MD5 hashes and choose pivot

after you click the link, try to check the result if its related to any malicious files or domain. in my case i follow the MD5 Has value:

B9C469C165BA96F9728EAFE44845B4F1B69481ACABA95DC7D6F6782F1845AE7D/ANALYSIS/1443776975/

it will redirects me to a virus total web application and the result.

Virus Total Result

The grace.ns.cloudflare.com with ip address of 173.245.58.159 has no indication of malicious files same as 104.31.92.16, 104.31.93.16 . which means that karl.ns.cloudflare.com with the ip address of 173.245.59.190 is the only ip address related to a malicious Domain and files.

Related Files, Scripts, Software and Domains

we can relate this campaign with the following article here https://blog.usejournal.com/threat-actor-behind-astaroth-is-now-using-cloudflare-workers-to-bypass-your-security-solutions-2c658d08f4c

basically, the web application is not malicious at all, but the CloudFlare IP Address is malicious and related to a campaign. any web application domain, ip address, servers that is related to any malicious files. we need to take extra pre-cautions to avoid being infected. upon visiting the web application make sure do the following recommendation provided by CSP-CERT

This is just a simple analysis to prove that the web application (wish-you.co) is not clearly related to any malicious campaign. this is specific only on the malicious CloudFlare IP Address. this need to have a deep analysis and to support the CSP-CERT advisory.

you may also check the article of https://ctulhu.me/2019/12/30/analysis-of-wish-you-co/?fbclid=IwAR2-kZtzw5eCKrFKUK_SnbvqRAD2yZa-GEJIk_o04Dim9iLiYaXuZioUjqA for reference.

kudos to Rodel Plasabas for the information and CSP-CERT.

“Cyber Security is a shared responsibility”

thank you and happy holidays

Taho Vendor, Regular Taho and Strawberry Taho Flavor Available, Visiting Professor @ Saint Paul University Tuguegarao