Phishing remains an ever persistent and grave threat to organizations, serving as the primary conduit for infiltrating network infrastructures and pilfering valuable credentials. According to... Read ›
Evasive Phishing Kits Exposed: Cato Networks’ In-Depth Analysis and Real-Time Defense Phishing remains an ever persistent and grave threat to organizations, serving as the primary conduit for infiltrating network infrastructures and pilfering valuable credentials. According to an FBI report phishing is ranked number 1 in the top five Internet crime types.
Recently, the Cato Networks Threat Research team analyzed and mitigated through our IPS engine multiple advanced Phishing Kits, some of which include clever evasion techniques to avoid detection.In this analysis, Cato Networks Research Team exposes the tactics, techniques, and procedures (TTPs) of the latest Phishing Kits.
Here are four recent instances where Cato successfully thwarted phishing attempts in real-time:
Case 1: Mimicking Microsoft Support
When a potential victim clicks on an email link, they are led to a web page presenting an 'Error 403' message, accompanied by a link purportedly connecting them to Microsoft Support for issue resolution, as shown in Figure 2 below:
Figure 2 - Phishing Landing Page
Upon clicking "Microsoft Support," the victim is redirected to a deceptive page mirroring the Microsoft support center, seen in Figure 3 below:
Figure 3 – Fake Microsoft Support Center Website
Subsequently, when the victim selects the "Microsoft 365” Icon or clicks the “Signin" button, a pop-up page emerges, offering the victim a choice between "Home Support" and "Business Support”, shown in Figure 4 below:
Figure 4 – Fake Support Links
Opting for "Business Support" redirects them to an exact replica of a classic O365 login page, which is malicious of course, illustrated in Figure 5 below:
Figure 5 – O365 Phishing Landing Page
Case 2: Rerouting and Anti-Debugging Measures
In this scenario, a victim clicks on an email link, only to find themselves directed to an FUD phishing landing page, as illustrated in Figure 6 below. Upon scrutinizing the domain on Virus Total, it's noteworthy that none of the vendors have flagged this domain as phishing. The victim is seamlessly rerouted through a Cloudflare captcha, a strategic measure aimed at thwarting Anti-Phishing crawlers, like urlscan.io.
Figure 6 – FUD Phishing Landing Page
In this example we’ll dive into the anti-debugging capabilities of this phishing kit. Oftentimes, security researchers will use the browser’s built-in “Developer Tools” on suspicious websites, allowing them to dig into the source code and analyze it.The phishing kit has cleverly integrated a function featuring a 'debugger' statement, typically employed for debugging purposes. Whenever a JavaScript engine encounters this statement, it abruptly halts the execution of the code, establishing a breakpoint. Attempting to resume script execution triggers the invocation of another such function, aimed at thwarting the researcher's debugging efforts, as illustrated in Figure 7 below.
Figure 7 – Anti-Debugging Mechanism
Figure 8 – O365 Phishing Landing PageAlternatively, phishing webpages employ yet another layer of anti-debugging mechanisms. Once debugging mode is detected, a pop-up promptly emerges within the browser. This pop-up redirects any potential security researcher to a trusted and legitimate domain, such as microsoft.com. This is yet another means to ensure that the researcher is unable to access the phishing domain, as illustrated below:
Case 3: Deceptive Chain of Redirection
In this intriguing scenario, the victim was led to a deceptive Baidu link, leading him to access a phishing webpage. However, the intricacies of this attack go deeper.Upon accessing the Baidu link, the victim is redirected to a third-party resource that is intended for anti-debugging purposes. Subsequently, the victim is redirected to the O365 phishing landing page.
This redirection chain serves a dual purpose. It tricks the victim into believing they are interacting with a legitimate domain, adding a layer of obfuscation to the malicious activities at play. To further complicate matters, the attackers employ a script that actively checks for signs of security researchers attempting to scrutinize the webpage and then redirect the victim to the phishing landing page in a different domain, as demonstrated in Figure 9 below from urlscan.io:
Figure 9 – Redirection Chain
The third-party domain plays a pivotal role in this scheme, housing JavaScript code that is obfuscated using Base64 encoding, as revealed in Figure 10:
Figure 10 – Obfuscated JavaScript
Upon decoding the Base64 script, its true intent becomes apparent. The script is designed to detect debugging mode and actively prevent any attempts to inspect the resource, as demonstrated in Figure 11 below:
Figure 11 – De-obfuscated Anti-Debugging Script
[boxlink link="https://catonetworks.easywebinar.live/registration-network-threats-attack-demonstration"] Network Threats: A Step-by-step Attack Demonstration | Register Now [/boxlink]
Case 4: Drop the Bot!
A key component of a classic Phishing attack is the drop URL. The attack's drop is used as a collection point for stolen information. The drop's purpose is to transfer the victim's compromised credentials into the attack's “Command and Control” (C2) panel once the user submits their personal details into the fake website's fields. In many cases, this is achieved by a server-side capability, primarily implemented using languages like PHP, ASP, etc., which serves as the backend component for the attack.There are two common types of Phishing drops:- A drop URL hosted on the relative path of the phishing attack's server.- A remote drop URL hosted on a different site than the one hosting the attack itself.One drop to rule them all - An attacker can leverage one external drop in multiple phishing attacks to consolidate all the phished credentials into one Phishing C2 server and make the adversary's life easier.A recent trend involves using the Telegram Bot API URL as an external drop, where attackers create Telegram bots to facilitate the collection and storage of compromised credentials. In this way, the adversary can obtain the victim's credentials directly, even to their mobile device, anywhere and anytime, and can conduct the account takeover on the go. In addition to its effectiveness in aiding attackers, this method also facilitates evasion of Anti-Phishing solutions, as dismantling Telegram bots proves to be a challenging task.
Bot Creation Stage
Credentials Submission
Receiving credentials details of the victim on the mobile
How Cato protects you against FUD (Fully Undetectable) Phishing
With Cato's FUD Phishing Mitigation, we offer organizations a dynamic and proactive defense against a wide spectrum of phishing threats, ensuring that even the most sophisticated attackers are thwarted at every turn.
Cato’s Security Research team uses advanced tools and strategies to detect, analyze, and build robust protection against the latest Phishing threats.Our protective measures leverage advanced heuristics, enabling us to discern legitimate webpage elements camouflaged in malicious sites. For instance, our system can detect anomalies like a genuine Office365 logo embedded in a site that is not affiliated with Microsoft, enhancing our ability to safeguard against such deceptive tactics. Furthermore, Cato employs a multi-faceted approach, integrating Threat Intelligence feeds and Newly Registered domains Identification to proactively block phishing domains. Additionally, our arsenal includes sophisticated machine learning (ML) models designed to identify potential phishing sites, including specialized models to detect Cybersquatting and domains created using Domain Generation Algorithms (DGA).
The example below taken from Cato’s XDR, is just a part of an arsenal of tools used by the Cato Research Team, specifically showing auto-detection of a blocked Phishing attack by Cato’s Threat Prevention capabilities.
IOCs:
leadingsafecustomers[.]com
Reportsecuremessagemicrosharepoint[.]kirkco[.]us
baidu[.]com/link?url=UoOQDYLwlqkXmaXOTPH-yzlABydiidFYSYneujIBjalSn36BarPC6DuCgIN34REP
Dandejesus[.]com
bafkreigkxcsagdul5r7fdqwl4i4zg6wcdklfdrtu535rfzgubpvvn65znq[.]ipfs.dweb[.]link
4eac41fc-0f4f23a1[.]redwoodcu[.]live
Redwoodcu[.]redwoodcu[.]live
The world of cybersecurity is a never-ending battle, with malicious actors constantly devising new ways to exploit vulnerabilities and infiltrate networks. One such threat, causing... Read ›
The Evolution of Qakbot: How Cato Networks Adapts to the Latest Threats The world of cybersecurity is a never-ending battle, with malicious actors constantly devising new ways to exploit vulnerabilities and infiltrate networks. One such threat, causing headaches for security teams for over a decade, is the Qakbot Trojan, also known as Qbot. Qakbot has been used in malicious campaigns since 2007, and despite many attempts to stamp it out, continues to evolve and adapt in an attempt to evade detection.
Recently, the Cato Networks Threat Research team analyzed several new variants of Qakbot that exhibited advanced capabilities and evasive techniques to avoid detection and quickly built and deployed protection for the additional changes into the Cato Networks IPS. In this analysis, Cato Networks Research Team exposes the tactics, techniques, and procedures (TTPs) of the latest Qakbot variant and explores its potential impact on enterprises and organizations if left alone.
Why Now?
During the COVID-19 pandemic, an eruption of cyberattacks occurred, including significant growth of attacks involving ransomware. As part of this surge, Qakbot’s threat actor adapted and paired with other adversaries to carry out ferocious multi-stage attacks with significant consequences.
Qakbot is sophisticated info-stealing malware, notorious as a banking trojan, and is often used to steal financial information and conduct fraudulent financial transactions. Pursuing even larger gains, in the last few years, Qakbot targets have shifted from retail users to businesses and organizations.
As recent versions of Qakbot emerge, they present new infection techniques to both avoid detection and maintain persistence on the infected systems. Qakbot’s latest design updates, and additionally complex multi-stage infection processes, enable it to evade detection using most traditional security software detection techniques, and pose a significant and ongoing threat to unprotected businesses and organizations.
How Do the Latest Versions of Qakbot Work?
The first stage of the Qakbot infection process begins when a user clicks on a link inside a malicious email attachment. In the latest Qakbot versions, the malicious file attachments are typically ZIP, OneNote or WSF files (a file type used by the Microsoft Windows Script Host.). Zip, OneNote and WSF files are commonly used by malicious actors as they make it easier to evade the Mark of the Web (MOTW). MOTW is a security mechanism implemented by Microsoft to detect and block files with macros (such as Excel files) that were downloaded from the internet and may be compromised. By using file types that do not receive MOTW, Qakbot attachments are more likely to evade detection and blocking.
When the user opens the WSF or OneNote file and clicks the embedded link, Qakbot covertly launches a series of commands, allowing the malware to infect the system and take additional measures to evade detection.
[boxlink link="https://www.catonetworks.com/resources/cato-networks-sase-threat-research-report/"] Cato Networks SASE Threat Research Report H2/2022 | Download the Report [/boxlink]
Malicious files are cloaked as innocuous files by abusing Living Off the Land Binaries (LOLBins) and by imitating commonly used file types, such as Adobe Cloud files, to stay hidden. LOLBins are legitimate binaries or executables found in the Windows operating system that are also used by attackers to carry out malicious activities. These binaries are typically present on most Windows machines and are legitimately used for system maintenance and administration tasks but can easily be abused to execute malicious code or achieve persistence on compromised systems. Attackers commonly make use of LOLBins because they are present on most Windows systems and are typically on the allow list of common security software, making them more difficult to detect and block. Examples of common LOLBins include cmd.exe, powershell.exe, rundll32.exe and regsvr32.exe.
After the initial infection stage is complete, Qakbot expands its footprint on the infected system and eventually uses encrypted communication with Qakbot command and control (C2) servers to further conceal its activities and evade detection.
An example of a shared malicious PDF attachment instructing the victim to execute the bundled .wsf file
Let’s explore four different recent Qakbot infection scenarios to learn exactly how they operate.
Scenario 1: Malicious email with an embedded .hta file, hidden within a OneNote file attachment, leading to multi-stage infection process:
From the malicious email, the user (victim), is led to click a malicious link hidden inside a legitimate looking OneNote file attachment. After clicking the link, the infection chain begins.The malicious link is in actuality, an embedded .hta file, executed when the link is clicked. The .hta file includes a VBscript code used to deliver the Qakbot payload and infect the device. Windows uses MSHTA.exe to execute .hta files. Typically, MSHTA.exe is used legitimately to execute HTML applications, and that is why this process usually evades detection as being malicious.
Embedded malicious .hta file using VBScript to execute commands on the operating system
After the .hta file is initiated, it executes curl.exe to force download an infected dll file from a remote C2 Qakbot server. The Qakbot payload is disguised as an image file to evade detection during the download process. Curl is another normally legitimate tool, used for transferring data over the internet.
De-obfuscated code from the .hta file showing the execution of curl.exe and the Qakbot payload
The .hta file then executes the Qakbot dll file using rundll32.exe.Rundll32.exe is another normally legitimate Windows application used to run DLL files. In this scenario, executing rundll32.exe allows the malicious DLL file, disguised as an image, to be successfully loaded into the system, undetected.
Example of Qakbot’s infection chain
Loaded onto the system successfully, Qakbot then hides itself by spawning a new process of wermgr.exe and injecting its code into it. Wermgr.exe is a legitimate Windows Event Log application. Masquerading as a legitimate process enables the malware to run in the background and avoid detection by most common anti-virus software.
Scenario 2: Like Scenario 1, but in this variation, a malicious email with an embedded .cmd file is hidden within a OneNote file attachment, leading to a multi-stage infection process.
From the malicious email, the user (victim), is led to click the malicious link hidden inside a legitimate OneNote file attachment. After clicking the link, Qakbot begins the infection chain.The malicious link is in actuality, an embedded .cmd file, and executes when the link is clicked. Windows uses CMD.exe to execute the .cmd file. CMD.exe is a legitimate command-line interpreter, used to execute commands in Windows operating systems. Being a LOLBin, this process is usually abused to evade detection.
.cmd file content
The .cmd file invokes PowerShell to force download an encrypted payload from a remote Qakbot C2 server.PowerShell is a powerful scripting language built into Windows operating systems and is typically used for task automation.
Decoded base64 string from the .cmd script
The downloaded payload dll file is executed using Rundll32.exe, with the same purpose as in the previous scenario.
Loaded onto the system successfully, Qakbot then hides itself by spawning a new process of wermgr.exe and injecting its code into it.
Scenario 3: Malicious email with a Zip attachment bundling a .WSF (Windows Script File) file.
In this variation, a malicious email with an infected WSF file is hidden within a Zip attachment designed to mimic an Adobe Cloud certificate. The Zip file often has a legitimate-looking name and is specifically designed to trick the user (victim) into thinking the attachment is safe and harmless.
From the malicious email, the user (victim), is led to open the attachment and extract the files it bundles. Inside the Zip there are 3 files: .WSF, PDF and TXT. The PDF and TXT are decoy files, leading the user to click and open the .WSF file, initiating the infection chain.Typically, .WSF files contain a sequence of legitimate commands executed by Windows Script Host. In this case, the WSF file contains a script that executes the next stage of the Qakbot infection process.
Obfuscated malicious JavaScript hidden inside the .WSF file padded to look like a certificate
An obfuscated script (written in JavaScript), within the malicious .WSF file initiates force download of the payload from a Qakbot C2 server.
The obfuscated script executes the Qakbot dll using Rundll32.exe.
Loaded onto the system successfully, Qakbot moves to hide itself, spawning a new wermgr.exe process and injecting its code into it.
Scenario 4: Malicious email with .html attachment using the HTML Smuggling techniqueHTML Smuggling is a technique that allows threat actors to smuggle malicious binary code into a system by cloaking the malicious binary within an innocuous looking .html attachment.
From the malicious email, the user (victim), is led to open the innocuous looking .html attachment containing the hidden binary. In some cases, the .html file arrives within a ZIP archive file, adding an additional step to the complexity of the attack.
Once opened, the .html file delivers a malicious, password-protected, .ZIP archive file stored within the code of the attachment. The file password is provided in the .html file.
Malicious .html file – fooling the victim into opening the password-protected .ZIP file
Inside, the .ZIP archive file, a malicious .img file is bundled.IMG are binary files that store raw disk images of floppy disks, hard drives, or optical discs. IMG and ISO files are commonly used legitimately to install large software. In the case of Qakbot, once the IMG file is loaded, it mounts itself as a drive and exposes its contents.
The malicious .img file actually bundles several other files, including a .LNK (Windows shortcut file) file. Executing the .LNK file initiates the complex infection chain using the other files within the mounted .img file.
During the infection chain, a malicious .WSF file is executed, invoking PowerShell to force download an encrypted payload (the Qakbot dll) from a remote Qakbot C2 server. PowerShell is a powerful scripting language built into Windows operating systems and is typically used for task automation.
Request to download Qakbot’s dll from the C2 server using PowerShell
The .WSF script then executes the Qakbot dll using Rundll32.exe.
Loaded onto the system successfully, Qakbot moves to hide itself, spawning a new wermgr.exe process and injecting its code into it.
Potential Damage
After Qakbot infects a system, the malware evaluates and performs reconnaissance on the infected environment. If the environment is worthwhile, Qakbot downloads additional tools, such as Cobalt Strike or Brute Ratel frameworks. These frameworks are commercially used by Red Teams for penetration testing purposes.
Unfortunately, leaked versions of many penetration testing frameworks have also found their way to the open market and are abused by threat actors. Using these tools, threat actors perform advanced post-exploitation actions, including privilege escalation, and lateral movement.
Eventually, the greatest threat posed by Qakbot and similar families of malware is ransomware. In some of the most recent attacks, Qakbot has been observed delivering BlackBasta ransomware. BlackBasta is a notoriously effective ransomware variant, used to successfully attack many businesses throughout the US and Europe. BlackBasta uses the double extortion technique, where an attacker demands a ransom payment to restore the victim’s access to their own encrypted files and/or data and threatens to sell the user or organizational data on the Darknet if the ransom is not paid.
Cato Networks internal security team dashboard displays a suspected attempt to exfiltrate data
How Cato Protects You Against Qakbot
Qakbot, like other malware, is constantly evolving and being updated with new methods and attempts at infection and infiltration. Making sure your current threat detection solution can detect and block these types of changes to malware threats as quickly as possible is critical to your ongoing organizational security. Cato Networks IPS (Intrusion Prevention System) was immediately updated with the latest changes to Qakbot in order to block the malware from communicating with its C2 servers.Cato’s Security Research team uses advanced tools and strategies to detect, analyze and build robust protection against the latest threats. The following dashboard view is part of an arsenal of tools used by the Cato Research Team and shows auto-detection of a suspected Qakbot attack and blocking by Cato IPS from any additional communication between the malware and its C2 servers.
Cato Networks internal security team dashboard displaying detection and blockage of outbound Qakbot communication
It has never been clearer that no company can expect to fight the constant evolution of malware and malicious attacks without help from the experts. Cato’s Security Research team remains committed to continuously monitoring and updating our solutions to protect your organization against the latest threats. Utilizing the Cato Networks solution, enjoy an enhanced overall security posture, safeguard against the ever-evolving threat of malware, and confidently prioritize what truly matters - your business.To learn more about how Cato protects against Qakbot and similar threats and intrusions and how you can mitigate security risks for your organization, check out our articles on intrusion prevention, security services, and managed threat detection and response.
Indicators of compromise (IOCs)
Scenario #1
352a220498b886fae5cd1fe1d034fe1cebca7c6d75c00015aca1541d19edbfdf - .zip
5c7e841005731a225bfb4fa118492afed843ba9b26b4f3d5e1f81b410fa17c6d - .zip
002fe00bc429877ee2a786a1d40b80250fd66e341729c5718fc66f759387c88c - .one
d1361ebb34e9a0be33666f04f62aa11574c9c551479a831688bcfb3baaadc71c - .one
9e8187a1117845ee4806c390bfa15d6f4aaca6462c809842e86bc79341aec6a7 - .one
145e9558ad6396b5eed9b9630213a64cc809318025627a27b14f01cfcf644170 - .hta
baf1aef91fe1be5d34e1fc17ed54ea4f7516300c7b82ebf55e33b794c5dc697f - .hta
Scenario #2
1b553c8b161fd589ead6deb81fdbd98a71f6137b6e260c1faa4e1280b8bd5c40 - .one
e1f606cc13e9d4bc4b6a2526eaa74314f5f4f67cea8c63263bc6864303537e5f - .one
06a3089354da2b407776ad956ff505770c94581811d4c00bc6735665136663a7 - .cmd
5d03803300c3221b1233cdc01cbd45cfcc53dc8a87fba37e705d7fac2c615f21 - .cmd
Scenario #3
1b3b1a86a4344b79d495b80a18399bb0d9f877095029bb9ead2fcc7664e9e89c - .zip
523ea1b66f8d3732494257c17519197e4ed7cf71a2598a88b4f6d78911ad4a84 - .zip
fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458 - .wsf
6d544064dbf1c5bb9385f51b15e72d3221eded81ac63f87a968062277aeee548 - .wsf
Scenario #4
3c8591624333b401712943bc811c481b0eaa5a4209b2ec99b36c981da7c25b89 - .html
8c36814c55fa69115f693543f6b84a33161825d68d98e824a40b70940c3d1366 - .html
2af19508eebe28b9253fd3fafefbbd9176f6065b2b9c6e6b140b3ea8c605ebe8 - .html
040953397363bad87357a024eab5ba416c94b1532b32e9b7839df83601a636f4 - .html
42bd614f7452b3b40ffcad859eae95079f1548070980cab4890440d08390bd29 - .zip
08a1f7177852dd863397e3b3cfc0d79e2f576293fbb9414f23f1660345f71ccc – .zip
0d2ad33586c6434bd30f09252f311b638bab903db008d237e9995bfda9309d3a - .zip
878f3ccb51f103e00a283a1b44bb83c715b8f47a7bab55532a00df5c685a0b1d - .zip
B087012cc7a352a538312351d3c22bb1098c5b64107c8dca18645320e58fd92f - .img
Qakbot payload
d6e499b57fdf28047d778c1c76a5eb41a03a67e45dd6d8e85e45bac785f64d42
6decda40aeeccbcb423bcf2b34cf19840e127ebfeb9d79022a891b1f2e1518c3
e99726f967f112c939e4584350a707f1a3885c1218aafa0f234c4c30da8ba2af
5d299faf12920231edc38deb26531725c6b942830fbcf9d43a73e5921e81ae5c
acf5b8a5042df551a5fe973710b111d3ef167af759b28c6f06a8aad1c9717f3d
442420af4fc55164f5390ec68847bba4ae81d74534727975f47b7dd9d6dbdbe7
ff0730a8693c2dea990402e8f5ba3f9a9c61df76602bc6d076ddbc3034d473c0
bcfd65e3f0bf614bb5397bf8d4ae578650bba6af6530ca3b7bba2080f327fdb0
Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows... Read ›
Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that increasingly attackers are turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here's what they're doing and how you (or your security vendor) can detect and stop these attacks.
Phishing Attacks Tap Collaboration Platforms
Phishing continues to be one of the most dangerous threats to organizations as an initial vector to infiltrate the network organization or to steal organization credentials. We see, on average, 8,000 entrances to phishing sites per month, all of which are blocked or logged by the Cato SASE Cloud (Figure 1).
[caption id="attachment_22118" align="alignnone" width="568"] Figure 1 – On average, we’re seeing 8,000 entrances to phishing sites per month[/caption]
The bulk of phishing attacks typically rely on email domains such as Gmail to make it appear to unsuspecting victims that they are just receiving one more innocuous message from a trusted domain. But increasingly, we’re seeing the use of compromised accounts such as Microsoft “OneNote” and “ClickUp” to distribute URLs that are actually phishing attacks. Collaboration platforms have, in effect, become another vehicle for distributing malware.
[boxlink link="https://www.catonetworks.com/resources/ransomware-is-on-the-rise-catos-security-as-a-service-can-help?utm_source=blog&utm_medium=top_cta&utm_campaign=ransomware_ebook"] Ransomware is on the Rise – Cato’s Security as a Service can help | Get the eBook [/boxlink]
Staying Under the Radar
The delivery stage of such an attack starts with an email from a compromised email account in one organization, usually a known partner, that doesn’t attract suspicion. The use of a real email account makes the phishing attack appear to be a legitimate email. Unfortunately, the email is anything but legitimate. It typically contains some social-engineering script with a link to a compromised “OneNote” or “ClickUp” account that makes it challenging to detect. In the case illustrated below, the “OneNote” account even contains a “look-alike” file that is an image resource with a link that redirects the phishing victim to what appears to be the Office 365 landing page. The OneNote account is even designed to be replaced by other compromised accounts if the account being used is reset.
[caption id="attachment_22092" align="alignnone" width="724"] Figure 2 – The overall phishing attack flow starts with an “innocent” email (1) linking to a compromised account (2), such as OneNote, which redirects the victim to what looks like an Office 365 login page(3). [/caption]
It turns out phishing attack is also hosted on a legitimate service called “Glitch” that is typically used for web development. The cybercriminals in this example made sure the attack would go undetected from delivery all the way to the final landing page by most of the security tools organizations commonly employ.
Phishing Kit Anatomy
These attacks are also unique in that once credentials are submitted, the victim’s data is being sent using HTTP-POST to the “drop URL” that is placed in a remote server. In most of the attacks that we’ve analyzed, the most common PHP remote drop file name was named next.php or n.php.
Fortunately, many of the perpetrators of these attacks don’t remove the phishing kit from the attack’s web server. By probing the site, you may find the phishing kit placed within the site such as the Office 365 example below:
[caption id="attachment_22094" align="alignnone" width="2064"] Figure 3– Open directory listing contains phishing kit [/caption]
This analysis makes it then possible to identify characteristics of the phishing kit that can be used to find new ways to block phishing domains that now routinely include collaboration platforms.
Phishing Kit Code Analysis
Going deeper, we also dissected some of the kit to uncover a few interesting pieces of code that are worth noting.
For example, we can see the email that is used to receive the victim information (see Figure 8.). Usually, phishing kits are sold on the Darknet for relatively low prices. Looking at the analyzed PHP code snippet of the phishing kit (Figure 8), the “$recipient” variable should be filled by the buyer's drop email to capture the compromised credentials. However, the comment “Put your email address here” also make it easy for even someone with no coding skills to configure the attack settings.
[caption id="attachment_22096" align="alignnone" width="1088"] Figure 4 – phishing kit code settings[/caption]
In addition, we can see the $finish_url variable is set to Office’s o365. That means once the credentials are submitted the victim will be redirected to the official O365 website, so they don’t suspect that he was a victim of a phishing scam.
Another interesting element is the validation of the authentication. If the authentication is validated then the victim information will be encoded with bas64 and sent to a specific chosen URL. The URL is encoded in base64 to obfuscate the URL destination (inside the function base64_decode). The purpose of this URL is to be used as a DB file with all the victim’s information.
[caption id="attachment_22098" align="alignnone" width="2456"] Figure 5 – Authentication code snippet[/caption]
As can be shown in the snippet (Figure 8) the information that the phishing scam exfiltrated is not only the credentials of the victim but also additional information such as client IP, country, region, and city.
[caption id="attachment_22100" align="alignnone" width="2406"] Figure 6 – Exfiltrated information[/caption]
We have also analyzed domains that use the same phishing kit so we can see a few network characteristics that can be used to block this campaign.
For example, once you submit the credentials you receive the following response from the server {"signal":"ok","msg":"InValid Credentials"}. We have observed similar responses received from different phishing domains that use the same kit. This behavior can be used to detect a user that inserted information required by the phishing attack.
Attackers Are Able to Evade Phishing Solutions
While there are many solutions for detecting phishing, we still see adversaries finding new techniques to evade them. The use of trusted collaboration platforms is more much insidious than the familiar email-based attack that most security teams already know how to counter. However, it’s also apparent that by examining code and network attributes, IT teams can detect and stop these attacks.
In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. In June, Microsoft Security Intelligence warned about BazarCall... Read ›
How to Detect DNS Tunneling in the Network? In the past several years, we have seen multiple malware samples using DNS tunneling to exfiltrate data. In June, Microsoft Security Intelligence warned about BazarCall (or BazaLoader), a scam infecting victims with malware to get them to call a phony call center. BazarCall can lead to Anchor malware that uses DNS tunneling to communicate with C2 servers. APT groups also used DNS tunneling in a malware campaign to target government organizations in the Middle East. We will present a few techniques you can use to detect DNS tunneling in your network.
DNS Tunneling in a Nutshell
So how do attackers use DNS tunneling in their malware? It’s simple:
First, they register a domain that is used as a C&C server.
Next, the malware sends DNS queries to the DNS resolver.
Then the DNS server routes the query to the C2 server.
Finally, the connection between the C2 server and the infected host is established.
For attackers, DNS tunneling provides a convenient way to exfiltrate data and to gain access to a network because DNS communications are often unblocked. At the same time, DNS tunneling has very distinct network markers that you can use to detect DNS tunneling on your network.
[boxlink link="https://www.catonetworks.com/resources/eliminate-threat-intelligence-false-positives-with-sase?utm_source=blog&utm_medium=top_cta&utm_campaign=eliminate_threat_ebook"] Eliminate Threat Intelligence False Positives with SASE | Download eBook [/boxlink]
DNS Tunnel to an Any Device
In terms of network markers, TXT type queries are very common in DNS tunneling. However, DNS tunneling can also be used in uncommon query types, such as type 10 (NULL).
To detect DNS tunneling in your network you need to examine long DNS queries and uncommon DNS query types, distinguish between legitimate security solutions as AVs and malicious traffic, and distinguish between human-generated DNS traffic and Bot-generated traffic.
In the following example, we will analyze the algorithm behind the DNS tunneling traffic that we have seen in our customer networks. We have seen many cases of DNS tunneling used on Windows, however in the following example it was used on Android.
Examine the Algorithm Generating the DNS
We have seen a few common characteristics where DNS queries were used on Android DNS tunneling use-cases. In the screenshot (figure 1) we can see the same algorithm used in multiple DNS queries. We have broken the algorithm into eight parts:
[caption id="attachment_19801" align="alignnone" width="1842"] Figure 1 - DNS tunneling example[/caption]
In figure 1, we can see the same algorithm used in multiple DNS queries. We have broken the algorithm into 5 parts:
There are 4-11 characters in the first part - Red
The first 6 characters in the second part are repeated between different queries - Blue
There are 63 characters in the next parts - Yellow
The last section has 10 characters - Black
The first letter in the second part is repeated with a unified string - Green
By examining the algorithm, we can understand that these DNS queries originate from the same Bot, since they have the same algorithm. We can also assume it is Bot traffic, since it's a unified algorithm that is repeated in different DNS queries. Bot-generated traffic tends to be consistent and uniform.
Examine the Destination
Next, we examine the destination of the DNS queries. By examining the destination, we identify several unknown servers. When we examined what other DNS queries those servers received, we couldn’t find any except the tunneling queries. If you can’t find any legitimate traffic to the DNS server, it’s another indicator that this is server may be used by malware.
Examine the Popularity
Given a sufficiently large networks, developing an algorithm for measuring the popularity of IP/Domain among your users will also help hunt malware. By using such a Popularity algorithm across the hundreds of thousands of users on the Cato network, we can see that the popularity of the servers in the DNS queries to be low. Low popularity of an IP is often an indicator of a malicious server as the server may only used by the malware. Low popularity alone, however, is insufficient to determine a malicious site. It must be joined with other indicators, such as the ones outlined above.
Conclusion
DNS tunneling is an old technique that allows attackers to communicate with C2 servers and exfiltrate data through many firewalls. Focusing on the network characteristics, though, allows the threat to be identified. In our case, we found multiple DNS queries generated by an algorithm, a destination with unknown servers, and servers that were unpopular. Any one indicator alone may not reflect malicious communications but together there’s a very high probability that this session is malicious — a fact that we validated through manual investigation. It was an excellent example of how combining networking and security information can lead to better threat detection.
