eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In early February, our Incident Handling team responded to a phishing campaign targeting users in the retail industry. In one instance, a compromised account was leveraged to distribute voicemail themed phishing emails. For example, “XXXXXX left you a Voicemail at 07:30 am,” where the Xs represent a redacted phone number with the area code. The email contains the link to the custom collaboration form created on allo[.]io. (Figure 1).
Figure 1: The phishing link
The form contains the link to a fake Microsoft login page, but the user is first routed through a CloudFlare Turnstile
prompt (Figure 2) before accessing the phishing page. Security tools often look for abnormal behaviors or patterns to detect bots and malicious activities. Using Turnstile not only instills a sense of legitimacy in the phishing site for potential victims but also conceals the genuine phishing page from the detection efforts of automated security scanners.
Figure 2: Cloudflare Turnstile PromptFigure 3: Fake Microsoft sign-in page
The source code of the phishing page contains an obfuscated code using simple XOR algorithm. Upon decoding, we can see that the page points to the JavaScript file that gets loaded at 13j7q.umhhs0.com/u352/myscr451443[.]js (Figure 4).
Figure 4: Source code of phishing page
Upon deobfuscating myscr451443[.]js, we see that it’s responsible for holding the user's access to the main content (fake Microsoft sign-in page) while performing necessary security validations via CloudFlare Turnstile.
Figure 5: Deobfuscated myscr451443[.]js showing the snippet of CloudFlare Turnstile code
Further investigating the source code, we can see that the phishing landing page source code is stored under /web6/assets/js/pages.min.js?cb=36
path. The code attempts to fetch the user’s IP address by making the request to httpbin[.]org/ip and sends it over to the server via the POST request to <phishing_domain>/web6/info along with the browser name (derived from user-agent) and the pagelink value, in our example it’s “6x96”.
Figure 6: Snippet of the code responsible for retrieving the public IP of the hostFigure 7: POST request with IP and user-agent
The code filters out certain domains to prevent sign-ins from personal emails, which hints that the phishing campaign targets corporate users. If one of the domains in the list is entered, the user will get a message “We couldn't find an account with that username. Try another, or get a new Microsoft account”.
Figure 8: Domains that are filtered out
During the analysis of the network traffic, we observed a communication request directed to the domain ailinux[.]ru. This was subsequently identified and confirmed as an interface to the TycoonGroup control panel (Figures 9-10). TycoonGroup is marketed as a phishing-as-a-service platform and is actively being sold on the Telegram platform.
Figure 9: TycoonGroup control panelFigure 10: Screenshot from TycoonGroup on Telegram displaying the control panel domain
TycoonGroup boasts a user base of over 2,000. The phishing kits they offer are equipped with a range of features, such as a QR code phishing service, a private antibot system, the ability to bypass two-factor authentication, and the capability to retrieve cookies that remain valid for up to one year, among others (Figure 11).
Figure 11: TycoonGroup advertisement on Telegram channel
Performing the search via URLscan on the “web6/assets” we found over 1000 scan results related to the phishing kit (Figure 12).
Figure 12: URLScan results
What can you learn from this TRU Positive?
Phishing campaigns are often strategically timed to coincide with periods of high activity and urgency, such as tax season in various industries. This increases their chances of success as organizations and individuals engage more with relevant communications and may lower their guard against suspicious emails.
Techniques like HTML Smuggling are utilized to bypass traditional security measures. By embedding malicious payloads within HTML attachments, attackers can evade detection by signature-based or traditional malicious pattern identification systems, highlighting the importance of adopting multi-layered security approaches that include behavior analysis.
The use of custom collaboration forms and fake login pages, along with mechanisms like CloudFlare Turnstile, showcases the techniques employed by attackers to lend legitimacy to phishing sites and evade detection by security tools.
The involvement of platforms like TycoonGroup, which offer phishing-as-a-service, indicates the commercialization and sophistication of phishing operations. These platforms provide a range of features designed to bypass security measures, including two-factor authentication, and highlight the need to continuously adapt security strategies.
What did we do?
Our team of 24/7 Cyber SOC Analysts and Incident Handling Team investigated the suspicious activities, notified the clients, and recommended resetting the passwords and revoking the sessions.
Recommendations from our Threat Response Unit (TRU) Team:
Conduct Phishing and Security Awareness Training (PSAT) on a regular basis with your employees and place a special emphasis on spotting business email compromise (BEC) attacks. Warn users about the threat posed by .html attached or hyperlinked in emails.
Utilize email security solutions that go beyond traditional signature-based detection. Look for solutions incorporating machine learning and behavior analysis to identify and block sophisticated phishing attempts and HTML smuggling.
Keep all systems, software, and applications updated with the latest patches. Attackers can exploit vulnerabilities in outdated software to bypass security measures.
Enable 2FA on all accounts to add an extra layer of security, making it more difficult for attackers to gain unauthorized access even if they manage to obtain login credentials.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
