Recently, several seemingly suspicious emails were brought to the attention of 401TRG. While phishing campaigns are relatively common, this one had a few interesting features. I decided to investigate this campaign further, and found that the attacker(s) had left most of their php code in a publicly accessible directory on their phishing page. Armed with this code, I thought I would take the opportunity to share some insight about how this particular campaign was run, and some common phishing tactics it used.
This campaign used crafted phishing emails, often using stolen information to impersonate someone who was known to the target in a professional capacity. The emails contained an attached PDF, which I initially suspected was weaponized, but in fact only contained a single link, which claimed it was to download another PDF (perhaps the attackers were counting on the victim to not question why they’d downloaded a PDF only to download another one!).
Figure 1: Attached PDF
The link in the PDF points to x.co, a GoDaddy owned URL shortener, which redirects the victim to praznik[.]mx/ttttttttttttt/newdoc/[md5 sum of random characters], a domain likely owned by the attackers, which hosts a OneDrive lookalike page.
Figure 2: Phishing Landing
The page offers a number of different services with which to authenticate. Once a user has selected a service (in this example, Gmail), they are brought to a relatively unconvincing copy of that service’s login page, where they can enter credentials to be sent via an HTTP POST request to the attacker’s server.
Figure 3: Gmail login page
Things started to get interesting when I navigated to the root phishing directory (praznik[.]mx/ttttttttttttt/). Publicly accessible in this directory was a ZIP archive, called scopiondrive.zip, which contained what appears to be the entirety of the backend code for the phishing page. This is a common sign of a phishing kit, as Jordan Wright of Duo Labs explains. Access to the source code of the site allows us to gain insight into the attacker’s technical skills and tactics.
Figure 4: index.php
The first file, index.php, creates a random path under praznik[.]mx/ttttttttttttt/newdoc and copies all the files in the “page” folder (everything except index.php) into it. When a user navigates to this page when initially loading the site, it generates a unique subdirectory for their particular session with all the necessary files for the phish. index.php also includes blocker.php, which displays a 404 Not Found error if someone attempts to access it from certain machines.
Figure 5: Blocker.php
As you can see, the attackers were particularly concerned about being visited by machines associated with 11 specific organizations (see above), presumably to prevent their page from being discovered by researchers (their attempt to block Tor exit nodes was unsuccessful). They also block a number of IP ranges, including some belonging to Google and Amazon, and check User-Agents to prevent web crawlers from discovering their page. The .htaccess file that they uploaded to the compromised server blocks additional cybersecurity organizations and web crawlers.
setenvifnocase Referer castlecops.com spammer=yes setenvifnocase Referer internetidentity.com spammer=yes setenvifnocase Referer phishfighting.com spammer=yes setenvifnocase Referer phishtank.com spammer=yes setenvifnocase Referer spamcop.net spammer=yes setenvifnocase Referer spam spammer=yes setenvifnocase Referer phish spammer=yes setenvifnocase Referer bezeqint.net spammer=yes <Limit GET POST> Order Allow,Deny Allow from all Deny from env=spammer Deny from google.com Deny from Google Chrome Deny from Chrome Deny from Kaspersky Deny from Avira Deny from yahoo.com Deny from search.com Deny from bing.com Deny from lloyds Deny from PayPal Deny from .co.uk Deny from .gov.uk Deny from bezeqint.net Deny from barak-online.net Deny from internetidentity.com Deny from phish-inspector.com Deny from netcraft.com Deny from spamcop.net Deny from veritas.com Deny from .edu Deny from crawl Deny from verisign-dbms.com Deny from verisign.com Deny from phishingsite-collector Deny from netcraft.com Deny from net.il Deny from com.il Deny from co.il Deny from org.il Deny from googlebot.com Deny from mcafee Deny from spam Deny from phish Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 202.73. Deny from 202.75. Deny from 209.147. Deny from 209.59. Deny from 64.127. Deny from 65.110. Deny from 66.135. Deny from 66.16. Deny from 66.179. Deny from 66.194.6. Deny from 80.178. Deny from 79.182. Deny from 87.69. Deny from 87.70. </Limit>
Figure 6: .htaccess File
Once a user has entered credentials on one of the various phishing pages (the code of which is relatively uninteresting and isn’t reproduced here), they are sent to one of 6 very similar PHP scripts to be transmitted to the attacker’s email address. All of the scripts include a file, validate_form.js, which contains only a single uncommented line, a base64 encoded PHP command, despite the file extension.
Figure 7: validateform.js
Decoded, the line is as follows:
Figure 8: Base64 Command Decoded
After the code is executed, ‘recipent’ [sic] has a value of “resultsnipper[@]gmail.com.” Harvested credentials are sent to both this address and resultspecial02[@]gmail.com, which is defined in the mail script and stored in another variable called ‘recipient’ (note the correct spelling).
Figure 9: One of the Server-Side PHP Scripts
Even a relatively simple phishing campaign like this one can provide valuable insights into attacker thought process and tools. This campaign reinforces the importance of anonymizing your IP address and User-Agent in investigations, since attackers do specifically block IPs or hostnames that could belong to security researchers or organizations that pose a risk to the phishing campaign’s success.
If any other analysts have encountered this campaign in the wild, please reach out to us by email or on Twitter!
Special thanks to @switchingtoguns for guidance and for developing the following sig.
Suricata IDS Signature:
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive”; flow:to_server, established; content:“POST”; http_method; content:“.php”; http_uri; isdataat:!1,relative; content:“pasuma”; nocase; http_client_body; depth:100; fast_pattern; content:“name”; nocase; http_client_body; sid:9500032; rev:1;)
Correction: November 22, 2017
An earlier version of this post incorrectly stated that the variable 'recipent' [sic] was never used in the mail script. It was in fact used as a secondary recipient of the credential harvesting emails.