Recently, several seemingly suspicious emails were brought to the attention of 401TRG. While phishing campaigns are relatively common, this one had a few interesting features. I decided to investigate this campaign further, and found that the attacker(s) had left most of their PHP code in a publicly accessible directory on their phishing page. Armed with this code, I thought I would take the opportunity to share some insight into how this particular campaign was run, and some common phishing tactics it used.
This campaign used crafted phishing emails, often using stolen information to impersonate someone who was known to the target in a professional capacity. The emails contained an attached PDF, which I initially suspected was weaponized, but which in fact contained only a single link, claiming to download another PDF (perhaps the attackers were counting on the victim not to question why they’d downloaded a PDF only to download another one!).
Figure 1: Attached PDF
The link in the PDF points to x.co, a GoDaddy-owned URL shortener, which redirects the victim to praznik[.]mx/ttttttttttttt/newdoc/[md5 sum of random characters], a domain likely owned by the attackers, which hosts a OneDrive lookalike page.
Figure 2: Phishing Landing
The page offers a number of different services with which to authenticate. Once a user has selected a service (in this example, Gmail), they are brought to a relatively unconvincing copy of that service’s login page, where any credentials they enter are sent via an HTTP POST request to the attacker’s server.
Figure 3: Gmail login page
Things started to get interesting when I navigated to the root phishing directory (praznik[.]mx/ttttttttttttt/). Publicly accessible in this directory was a ZIP archive, called scopiondrive.zip, which contained what appears to be the entirety of the backend code for the phishing page. This is a common sign of a phishing kit, as Jordan Wright of Duo Labs explains. Access to the source code of the site allows us to gain insight into the attacker’s technical skills and tactics.
Figure 4: index.php
The first file, index.php, creates a random path under praznik[.]mx/ttttttttttttt/newdoc and copies all the files in the “page” folder (everything except index.php) into it. When a user first loads the site, this generates a unique subdirectory for their particular session containing all the files needed for the phish. index.php also includes blocker.php, which returns a 404 Not Found error if the page is accessed from certain machines.
Figure 5: Blocker.php
As you can see, the attackers were particularly concerned about being visited by machines associated with 11 specific organizations (see above), presumably to prevent their page from being discovered by researchers (their attempt to block Tor exit nodes was unsuccessful). They also block a number of IP ranges, including some belonging to Google and Amazon, and check User-Agents to prevent web crawlers from discovering their page. The .htaccess file that they uploaded to the compromised server blocks additional cybersecurity organizations and web crawlers.
setenvifnocase Referer castlecops.com spammer=yes
setenvifnocase Referer internetidentity.com spammer=yes
setenvifnocase Referer phishfighting.com spammer=yes
setenvifnocase Referer phishtank.com spammer=yes
setenvifnocase Referer spamcop.net spammer=yes
setenvifnocase Referer spam spammer=yes
setenvifnocase Referer phish spammer=yes
setenvifnocase Referer bezeqint.net spammer=yes
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=spammer
Deny from google.com
Deny from Google Chrome
Deny from Chrome
Deny from Kaspersky
Deny from Avira
Deny from yahoo.com
Deny from search.com
Deny from bing.com
Deny from lloyds
Deny from PayPal
Deny from .co.uk
Deny from .gov.uk
Deny from bezeqint.net
Deny from barak-online.net
Deny from internetidentity.com
Deny from phish-inspector.com
Deny from netcraft.com
Deny from spamcop.net
Deny from veritas.com
Deny from .edu
Deny from crawl
Deny from verisign-dbms.com
Deny from verisign.com
Deny from phishingsite-collector
Deny from netcraft.com
Deny from net.il
Deny from com.il
Deny from co.il
Deny from org.il
Deny from googlebot.com
Deny from mcafee
Deny from spam
Deny from phish
Deny from 66.249.71.179
Deny from 124.176.210.234
Deny from 125.18.56.109
Deny from 128.232.110.18
Deny from 137.108.145.10
Deny from 137.110.222.77
Deny from 138.26.64.54
Deny from 202.73.
Deny from 202.75.
Deny from 209.147.
Deny from 209.59.
Deny from 64.127.
Deny from 65.110.
Deny from 66.135.
Deny from 66.16.
Deny from 66.179.
Deny from 66.194.6.
Deny from 80.178.
Deny from 79.182.
Deny from 87.69.
Deny from 87.70.
</Limit>
Figure 6: .htaccess File
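To see what those rules actually catch, here is an added Python evaluator (written for this post, not code from the kit) that parses a constructed, abridged excerpt of the .htaccess above under Apache 2.2 Order Allow,Deny semantics and reports which Deny line a given client IP, reverse DNS name and Referer would trip; the request values in the helper are assumed test inputs.

```python
import re

# Constructed excerpt of the kit's .htaccess quoted in the post (abridged, not the full file).
KIT_HTACCESS = """
SetEnvIfNoCase Referer phishtank.com spammer=yes
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=spammer
Deny from Google Chrome
Deny from .edu
Deny from crawl
Deny from 66.249.71.179
Deny from 209.147.
</Limit>
"""

def parse_rules(text):
    """Split an Apache 2.2-style access file into Referer regexes and Deny targets."""
    referer_res, deny = [], []
    for line in text.splitlines():
        parts = line.split()
        head = [p.lower() for p in parts[:2]]
        if len(parts) >= 4 and head == ["setenvifnocase", "referer"]:
            referer_res.append(re.compile(parts[2], re.IGNORECASE))  # NoCase: case-insensitive
        elif len(parts) >= 3 and head == ["deny", "from"]:
            deny.extend(parts[2:])  # "Deny from Google Chrome" is two host rules, not a User-Agent
    return referer_res, deny

def matching_rule(ip, rdns, referer, referer_res, deny):
    """Return the Deny target this request trips (Allow from all, then any Deny rejects), else None.
    rdns is the client's double-reverse DNS name, which Apache resolves only for host rules."""
    name = (rdns or "").lower()
    for rule in deny:
        if rule.lower() == "env=spammer":
            if referer and any(r.search(referer) for r in referer_res):
                return rule
        elif re.fullmatch(r"[\d.]+", rule):
            # "209.147." is Apache's legacy partial form for 209.147.0.0/16: whole-octet prefix
            prefix = rule.rstrip(".")
            if ip == prefix or ip.startswith(prefix + "."):
                return rule
        else:
            # host rules match only complete DNS labels, so "crawl" or "Chrome" never match a real name
            r = rule.lower()
            if name == r or name.endswith(r if r.startswith(".") else "." + r):
                return rule
    return None

def check(ip, rdns=None, referer=None, text=KIT_HTACCESS):
    return matching_rule(ip, rdns, referer, *parse_rules(text))
```

Because host-type entries match only whole DNS labels, bare words such as crawl, spam or Chrome never fire against a reverse-DNS name; it is the IP and domain entries that actually keep analysts out.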
Once a user has entered credentials on one of the various phishing pages (the code of which is relatively uninteresting and isn’t reproduced here), the credentials are passed to one of six very similar PHP scripts, which transmit them to the attacker’s email address. All of the scripts include a file, validate_form.js, which contains only a single uncommented line: a base64-encoded PHP command, despite the file extension.
Figure 7: validateform.js
Decoded, the line is as follows:
Figure 8: Base64 Command Decoded
After the code is executed, ‘recipent’ [sic] has a value of “resultsnipper[@]gmail.com.” Harvested credentials are sent to both this address and resultspecial02[@]gmail.com, which is defined in the mail script and stored in another variable called ‘recipient’ (note the correct spelling).
Figure 9: One of the Server-Side PHP Scripts
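As an added example of how to triage a kit like this one (not code from the post or the kit), the Python below scans every file regardless of extension for long base64 runs, decodes those that yield printable text, and pulls out PHP variables assigned email addresses, so the hidden ‘recipent’ and the plain ‘recipient’ drop addresses surface together. The file contents are constructed mock-ups built around the two addresses quoted in the post; the real validate_form.js line is not reproduced, and the sample payload is encoded at runtime.

```python
import base64
import binascii
import re

# Constructed mock of kit files. The real validate_form.js held one base64 line (Figure 7);
# here the payload is encoded at runtime so the sample stays readable and self-describing.
PLAIN_PAYLOAD = b'$recipent = "resultsnipper@gmail.com";'
KIT_FILES = {
    "validate_form.js": b"<?php eval(base64_decode('" + base64.b64encode(PLAIN_PAYLOAD) + b"')); ?>",
    "gmail.php": b'<?php include("validate_form.js");\n'
                 b'$recipient = "resultspecial02@gmail.com";\n'
                 b'mail($recipient, "New Login", $body);\n',
    "style.css": b"body { background: #fff; }",
}

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")                    # long base64-looking token
PHP_ASSIGN = re.compile(rb'\$(\w+)\s*=\s*["\']([^"\'\s]+@[^"\'\s]+)["\']')  # $var = "x@y"

def decode_b64_runs(data):
    """Yield the decoded form of every base64 run in data that decodes to printable text."""
    for m in B64_RUN.finditer(data):
        try:
            out = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if out and all(32 <= b < 127 or b in b"\r\n\t" for b in out):
            yield out

def find_drop_addresses(files):
    """Map file name -> [(variable, address)] for addresses assigned in plain or base64 form.
    Every file is scanned regardless of extension: the kit hid PHP inside a .js file."""
    found = {}
    for name, data in files.items():
        hits = []
        for blob in [data, *decode_b64_runs(data)]:
            hits += [(v.decode(), a.decode()) for v, a in PHP_ASSIGN.findall(blob)]
        if hits:
            found[name] = hits
    return found

if __name__ == "__main__":
    for name, hits in find_drop_addresses(KIT_FILES).items():
        print(name, hits)
```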
Even a relatively simple phishing campaign like this one can provide valuable insight into attackers’ thought processes and tools. This campaign reinforces the importance of anonymizing your IP address and User-Agent in investigations, since attackers do specifically block IPs or hostnames that could belong to security researchers or organizations that pose a risk to the phishing campaign’s success.
If any other analysts have encountered this campaign in the wild, please reach out to us by email or on Twitter!
Special thanks to @switchingtoguns for guidance and for developing the following sig.
Suricata IDS Signature:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"pasuma"; nocase; http_client_body; depth:100; fast_pattern; content:"name"; nocase; http_client_body; sid:9500032; rev:1;)
Correction: November 22, 2017
An earlier version of this post incorrectly stated that the variable 'recipent' [sic] was never used in the mail script. It was in fact used as a secondary recipient of the credential harvesting emails.