Phishing has been known as one of the leading initial attack vectors for a long time. Here at VMRay we are continuously monitoring phishing activities in order to keep our users protected from new and existing phishing threats. In the past few months, we discovered several new phishing campaigns which we analyzed in depth in order to strengthen our detection capabilities against them. In this blog post we’d like to highlight the most recent trends we observed and provide more details about their inner workings and infrastructure. The phishing kits which we will cover are:

• Phishing kit CarPhish
• Phishing kit EDG
• Phishing kit Tpass
• Phishing kit Mamba2FA

Phishing Kit CarPhish

View the VMRay Analysis Report

Overview

CarPhish is a phishing campaign which VMRay researchers first observed during summer with its peak being in August. When a victim visits the URL linked to this phishing kit, they are initially greeted with a Cloudflare warning about a potential phishing site. This occurs because the creators of the phishing page are utilizing Cloudflare infrastructure, such as R2 buckets, for hosting. While this warning helps to protect users, it also hinders automated analysis of the page, preventing the extraction of valuable indicators by requiring user interaction. VMRay platform can proceed past this type of warning pages using our Adaptive Browser Simulation (also known as AutoUI) feature. Once the page has been dismissed, we are presented with a fake Microsoft’s OAuth 2 login form which is used to collect credentials from the victims:

Technical Details

Looking at the source of this fake login page, we can notice some obfuscated JavaScript code:

One of the interesting points worth noting is the usage of “document.write()” function. This function can write content directly into the web page and is often used as a way to dynamically inject HTML or JavaScript. This obfuscation method does not hinder the analysis of the site on VMRay Platform as we are able to capture and analyze all the stages of the web page. Aside from the use of dynamic page rewriting, there are several other operations worth mentioning:

1. Decodes a Base64 encoded JSON document which contains AES decryption parameters as well as an encrypted payload.
2. Decrypts the AES payload which reveals the URL “hxxps://lumibytea[.]cbg.ru//”.

3. Afterwards a POST request is sent to “hxxps://lumibytea[.]cbg.ru//” with the following content:

CarPhish: First POST Request Content

This POST request content, as well as the response, can be downloaded from the VMRay’s analysis report:

The response from this request is a second stage payload which again goes through the same Base64 decoding and AES decryption process.

4. Once the second stage payload is decoded and decrypted, we can see the final HTML with over 200 references and strings related to cars. Those references introduce noise to further obfuscate the HTML payload. Moreover, depending on the environment where the URL is browsed, those references can become visible instead of the logon form so that the website appears as a benign car enthusiast website to evade detections. This type of evasion does not get past VMRay’s Web Analysis which makes us provide a solid detection for this threat.

5. Finally if we decide to populate the fake Microsoft’s login form with some data, we can see that the data is being sent as a POST request to “hxxps://lumibytea[.]cbg.ru//2558.php”.

Based on the results from VirusTotal, the URL “hxxps://lumibytea[.]cbg.ru//” has only a few phishing detections even though it is used both to deliver a second stage HTML payload and for stolen data exfiltration. However, the VMRay Platform can still detect this communication and mark the CC server as an IOC:

In addition to the phishing detection, VMRay Threat Identifiers (VTIs) also highlight additional details about the phishing page:

1. Collection of our Yara rules which triggered on this page.
2. Masquerades as a legitimate Microsoft login form.
3. Web page and it’s resources are hosted on a known temporary web hosting service.

Phishing Kit EDG

Overview

EDG is a phishing kit which VMRay researchers discovered back in September and which was already briefly mentioned in our Detection Highlight article. In summary, this kit is crafted to mimic the login pages of email providers, tricking users into believing they are on an authentic site. The name EDG comes from the frequent appearance of pattern “EDG” in many of the URLs which were seen while investigating this phishing kit. Below is an example of a login page generated by EDG (with target information redacted):

Technical Details

Let’s explore the inner workings of this phishing kit and how it can be detected. We can start by looking at one of the initial URLs used in one of the EDG phishing campaigns:

One interesting thing about this URL is that it ends with a string which seems like it is Base64 encoded. The VMRay Platform automatically decodes and identifies this data through one of its VTIs, as demonstrated below:

By supplying this URL to VMRay for analysis, there is an automatic redirect to the following URL:

An interesting thing to observe about this new URL is the “info” parameter which holds the decoded email address from the previous stage. Once the page behind this new URL is fully loaded in the browser, we can see that the decoded email address is actually used to prefill the login form and load a logo of the email provider:

To fully confirm these findings, we submitted the same URL but with a Gmail email address. The result is similar but this time with the correct branding image from Google’s mail service:

In the next stage, we can look at the source of the final phishing page. There are four main sections:

1. This part is JavaScript code which parses the parameters from the current URL and extracts the value from the “info” parameter which is then assigned to the variable “go”. Besides that it defines two variables “policy” and “priv” whose usage will be explained a bit later in this blog post:

   

2. Set the title of the page to “Expired Session” which is a common tactic in phishing attempts to make users believe their session has expired and that they need to log in again.
3. Contains a reference to an external script which could contain additional logic.
4. Contains an iframe element which src attribute is set to #. This is likely used as a placeholder and will be set at a later stage, probably with the use of the external JavaScript script mentioned in point 3.

As mentioned, the next step in analyzing this phishing kit is by looking at the external script index.js for additional logic. Since that script is rather large, following is the explanation of its most important parts:

1. The function GEInfo(emailAddress) is called with the email address supplied from the “info” parameter from the URL. This function queries the endpoint mentioned in “policy” variable and obtains several information like the favicon, login page and container frame:

   

2. The data obtained from the GEInfo() function is then used to pre-fill the username and favicon on the login form as well as the “src” attribute in the iframe.

3. If the user populates the password field and clicks the submit button, the function psignal(apiname, apikey) is called with typed email and password supplied as arguments. This function sends the data to the URL defined in “priv” via a POST request. Just like with the CarPhish phishing kit, this POST request gets processed by the VMRay Platform to extract the IOCs.

   

Like CarPhish phishing kit, the EDG phishing kit uses the same hosting provider to host its pages. The most notable VTIs which trigger and detect this phishing kit are as follows:

1. Collection of our Yara rules which triggered on EDG.
2. The logon page is hosted on a service known for providing temporary hosting solutions.
3. The initial page is hosted on a domain which was recently registered.
4. There is an obfuscated email address embedded in the URL.
5. There is a logon form detected on the page.

Phishing Kit TPass

Overview

TPass is a phishing kit which VMRay researchers first noticed in August and which is still active at the time of writing this blog post. By searching for a specific code artifact contained in the payload HTML file, we can find many samples on VirusTotal (Figure 16). Based on the popularity of TPass in recent months, we have decided to cover it and check in more details how it works and how VMRay can continue on detecting it. If we take any URL associated with this phishing kit and open it in a web browser, we are presented with a rather basic form asking the user to input their username and password.

The first suspicious indicator about this sample is that it’s hosted on IPFS which is a decentralized file storage system. This is already an extremely suspicious indicator since IPFS is not commonly used for hosting login pages. However, this is highlighted in the analysis report by one of our VTIs:

Another detail worth mentioning is the Norton image which is used to deceive the user into thinking that it is legit and secured login site.

Technical Details

Looking at the source of the page, we can see an interesting JavaScript snippet at the bottom of the page:

The purpose of this snippet is to register an event listener on the password entry to trigger when the Enter key (code 13) is released. Once this happens, the button labeled “goNow” is clicked which in turn executes its “onClick” event listener “goNow()“. By looking at this function, we see that it extracts the given email and password and sends them to “hxxps://dimensiondata[.]lk/wp-content/zop/x3.php”:

Phishing Kit Mamba2FA

View the VMRay Analysis Report

Overview

Mamba2FA is a fairly new phishing kit which we first noticed in late September. It’s a sophisticated phishing kit, with its core logic contained within a large, obfuscated JavaScript file. It stands out for offering various themes, some of which require user interaction to access the final phishing page. There have already been several blog posts about the inner working of this phishing kit so we will use this opportunity to go through its variety of themes and check how VMRay Platform performs against them.

Technical Details

As mentioned in the previous section, Mamba2FA comes in several version which are being controlled by a specific parameter in the URL. Each Mamba2FA phishing site comes in the form of:

where the base64 parameters, once decoded, are of the form:

By modifying the “sv” parameter, we can choose among several different themes for the phishing page.

Voice Mail Theme

By setting “sv” to “o365_<number>_voice”, a fake voicemail overlay is presented on the web page. Once any of the buttons are clicked, the overlay disappears and shows a fake Microsoft login site. The analysis of this variant is fully automated by our AutoUI feature which dismisses the voicemail overlay and reveals the logon form for further processing by our platform, resulting in a phishing detection:

OneDrive Theme

This theme of Mamba2FA gets activated if the “sv” parameter is equal to “o365_<number>_one”. The page masquerades a Microsoft login form using a OneDrive background image. In that way it is trying to trick the victim to enter their credentials to make the actual files accessible: