
"NextPHP" Phishing Campaign

BY eSentire Threat Response Unit (TRU)

December 18, 2023 | 5 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In November 2023, our Threat Response Unit (TRU) observed an Adversary-in-the-Middle (AiTM) phishing campaign targeting eSentire employees.

Figure 1: Example of the received phishing email

The source IP in the email headers is 210.131.4.99, and phishing emails have been sent from this address since 2019 (Figure 2). The IP belongs to NIFCLOUD, an email service provider based in Japan.

Figure 2: Phishing emails related to the IP address mentioned above (Source: VirusTotal)

The attacker set the sender display name to the name of the targeted employee, so each message appeared to come from the recipient themselves; the messages actually originated from the elef.co[.]jp domain.

The received phishing emails contained the following attachment names:

The source code of the landing page is obfuscated: the first string passed to “eval” contains the code that decrypts the second string (the “encrypted data”), as shown in Figure 3.

Figure 3: Obfuscated source code

Here is the brief overview of how the decryption works:

Finally, we get the decrypted script, as shown in Figure 4.

Figure 4: Decrypted script

If an email address is assigned to the variable “plkermsdnjhteujqowdadfkcvadfafjasdask”, the phishing landing page pre-fills it into the login form as soon as the user opens the HTML attachment.

Figure 4 also shows that the decrypted script loads an additional external JavaScript file, which is itself obfuscated.

Figure 5: Obfuscated external JavaScript

De-obfuscating that script yields the code responsible for collecting the user's entered credentials and sending them to the attacker's server.

Figure 6 shows the function that validates the entered email address: it first checks the string against a regular expression for the standard email-address format, then sends it to the attacker's server for verification.

If the server returns an “error” status, the user sees the message “We couldn't find an account with that username. Try another account”.

Figure 6: Email verification

If the email verification succeeds, the user will be prompted to enter the password. As seen in Figure 7 below, “#prt2” shows the password input section.

Figure 7: Email verification succeeds

If the user enters valid credentials, the entered data is sent to the attacker's server and the user is presented with an MFA prompt (Figure 8). You can read how an attacker can bypass MFA here.

Figure 8: MFA prompt

The snippet in Figure 9 shows how the code handles user verification through multiple methods (SMS, OTP, voice call, app notification) as part of the multi-factor authentication process.

Figure 9: User verification through authentication methods

In Figure 10, you can see the data sent to the attacker's server, including token information, the OTP code, the user's email address, and the password.

Figure 10: Data transmitted after user's verification

It is worth noting that the user-verification snippet (Figures 9-10) resembles the verification code used by the Tycoon phishing kit (Figure 11).

Figure 11: The verification code employed by Tycoon and DadSec

Investigating further, we found over 3,000 phishing landing pages using URLScan, as shown in Figure 12.

Figure 12: Search results from URLScan

What did we do?

The eSentire Threat Response Unit (TRU) blocked the attacker's Command and Control (C2) IP addresses. TRU also conducted threat hunting to assess the exposure and confirmed that the targeted users had not disclosed any credentials.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

References

eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
