Evasive Phishing Kits Exposed: Cato Networks’ In-Depth Analysis and Real-Time Defense

Listen to post: Getting your Trinity Audio player ready...

Phishing remains an ever persistent and grave threat to organizations, serving as the primary conduit for infiltrating network infrastructures and pilfering valuable credentials. According to an FBI report phishing is ranked number 1 in the top five Internet crime types.

Recently, the Cato Networks Threat Research team analyzed and mitigated through our IPS engine multiple advanced Phishing Kits, some of which include clever evasion techniques to avoid detection.

In this analysis, Cato Networks Research Team exposes the tactics, techniques, and procedures (TTPs) of the latest Phishing Kits.

Here are four recent instances where Cato successfully thwarted phishing attempts in real-time:

Case 1: Mimicking Microsoft Support

When a potential victim clicks on an email link, they are led to a web page presenting an ‘Error 403’ message, accompanied by a link purportedly connecting them to Microsoft Support for issue resolution, as shown in Figure 2 below:

Figure 2 – Phishing Landing Page

Upon clicking “Microsoft Support,” the victim is redirected to a deceptive page mirroring the Microsoft support center, seen in Figure 3 below:

Figure 3 – Fake Microsoft Support Center Website

Subsequently, when the victim selects the “Microsoft 365” Icon or clicks the “Signin” button, a pop-up page emerges, offering the victim a choice between “Home Support” and “Business Support”, shown in Figure 4 below:

Figure 4 – Fake Support Links

Opting for “Business Support” redirects them to an exact replica of a classic O365 login page, which is malicious of course, illustrated in Figure 5 below:

Figure 5 – O365 Phishing Landing Page

Case 2: Rerouting and Anti-Debugging Measures

In this scenario, a victim clicks on an email link, only to find themselves directed to an FUD phishing landing page, as illustrated in Figure 6 below. Upon scrutinizing the domain on Virus Total, it’s noteworthy that none of the vendors have flagged this domain as phishing. The victim is seamlessly rerouted through a Cloudflare captcha, a strategic measure aimed at thwarting Anti-Phishing crawlers, like urlscan.io.

Figure 6 – FUD Phishing Landing Page

In this example we’ll dive into the anti-debugging capabilities of this phishing kit. Oftentimes, security researchers will use the browser’s built-in “Developer Tools” on suspicious websites, allowing them to dig into the source code and analyze it.
The phishing kit has cleverly integrated a function featuring a ‘debugger’ statement, typically employed for debugging purposes. Whenever a JavaScript engine encounters this statement, it abruptly halts the execution of the code, establishing a breakpoint. Attempting to resume script execution triggers the invocation of another such function, aimed at thwarting the researcher’s debugging efforts, as illustrated in Figure 7 below.

Figure 7 – Anti-Debugging Mechanism

Figure 8 – O365 Phishing Landing Page

Alternatively, phishing webpages employ yet another layer of anti-debugging mechanisms. Once debugging mode is detected, a pop-up promptly emerges within the browser. This pop-up redirects any potential security researcher to a trusted and legitimate domain, such as microsoft.com. This is yet another means to ensure that the researcher is unable to access the phishing domain, as illustrated below:

Case 3: Deceptive Chain of Redirection

In this intriguing scenario, the victim was led to a deceptive Baidu link, leading him to access a phishing webpage. However, the intricacies of this attack go deeper.
Upon accessing the Baidu link, the victim is redirected to a third-party resource that is intended for anti-debugging purposes. Subsequently, the victim is redirected to the O365 phishing landing page.

This redirection chain serves a dual purpose. It tricks the victim into believing they are interacting with a legitimate domain, adding a layer of obfuscation to the malicious activities at play. To further complicate matters, the attackers employ a script that actively checks for signs of security researchers attempting to scrutinize the webpage and then redirect the victim to the phishing landing page in a different domain, as demonstrated in Figure 9 below from urlscan.io:

Figure 9 – Redirection Chain

The third-party domain plays a pivotal role in this scheme, housing JavaScript code that is obfuscated using Base64 encoding, as revealed in Figure 10:

Figure 10 – Obfuscated JavaScript

Upon decoding the Base64 script, its true intent becomes apparent. The script is designed to detect debugging mode and actively prevent any attempts to inspect the resource, as demonstrated in Figure 11 below:

Figure 11 – De-obfuscated Anti-Debugging Script

Network Threats: A Step-by-step Attack Demonstration | Register Now

Case 4: Drop the Bot!

A key component of a classic Phishing attack is the drop URL. The attack’s drop is used as a collection point for stolen information. The drop’s purpose is to transfer the victim’s compromised credentials into the attack’s “Command and Control” (C2) panel once the user submits their personal details into the fake website’s fields. In many cases, this is achieved by a server-side capability, primarily implemented using languages like PHP, ASP, etc., which serves as the backend component for the attack.
There are two common types of Phishing drops:

– A drop URL hosted on the relative path of the phishing attack’s server.

– A remote drop URL hosted on a different site than the one hosting the attack itself.
One drop to rule them all – An attacker can leverage one external drop in multiple phishing attacks to consolidate all the phished credentials into one Phishing C2 server and make the adversary’s life easier.

A recent trend involves using the Telegram Bot API URL as an external drop, where attackers create Telegram bots to facilitate the collection and storage of compromised credentials. In this way, the adversary can obtain the victim’s credentials directly, even to their mobile device, anywhere and anytime, and can conduct the account takeover on the go. In addition to its effectiveness in aiding attackers, this method also facilitates evasion of Anti-Phishing solutions, as dismantling Telegram bots proves to be a challenging task.

Bot Creation Stage

Credentials Submission

Receiving credentials details of the victim on the mobile

How Cato protects you against FUD (Fully Undetectable) Phishing

With Cato’s FUD Phishing Mitigation, we offer organizations a dynamic and proactive defense against a wide spectrum of phishing threats, ensuring that even the most sophisticated attackers are thwarted at every turn.

Cato’s Security Research team uses advanced tools and strategies to detect, analyze, and build robust protection against the latest Phishing threats.
Our protective measures leverage advanced heuristics, enabling us to discern legitimate webpage elements camouflaged in malicious sites. For instance, our system can detect anomalies like a genuine Office365 logo embedded in a site that is not affiliated with Microsoft, enhancing our ability to safeguard against such deceptive tactics. Furthermore, Cato employs a multi-faceted approach, integrating Threat Intelligence feeds and Newly Registered domains Identification to proactively block phishing domains. Additionally, our arsenal includes sophisticated machine learning (ML) models designed to identify potential phishing sites, including specialized models to detect Cybersquatting and domains created using Domain Generation Algorithms (DGA).

The example below taken from Cato’s XDR, is just a part of an arsenal of tools used by the Cato Research Team, specifically showing auto-detection of a blocked Phishing attack by Cato’s Threat Prevention capabilities.

IOCs:

leadingsafecustomers[.]com

Reportsecuremessagemicrosharepoint[.]kirkco[.]us

baidu[.]com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP

Dandejesus[.]com

bafkreigkxcsagdul5r7fdqwl4i4zg6wcdklfdrtu535rfzgubpvvn65znq[.]ipfs.dweb[.]link

4eac41fc-0f4f23a1[.]redwoodcu[.]live

Redwoodcu[.]redwoodcu[.]live