Disclaimer

This blog post, as all the blog posts in my web-corner, want to share cybersecurity related researches and personal experiences in order to improve threats analysis, risks and cybersecurity awareness. In this specific cases junior cybersecurity analysts could improve their skills for free by understanding how to build threat intelligence and how to track possible threat actors.

Introduction

Nowadays phishing kits play a relevant role in the cybersecurity panorama. They become more and more sophisticated being able to run several controls such as: language filtering, source IP address specializations, multi-layer fraud and multiple threats delivery. At the very beginning simple credentials were stolen while modern phishing-kits are able to inoculate Malware through browser vulnerabilities or to drop malicious apk or even specific malicous software like RAT.

Today I decided to focus on a “random” phishing page that landed on my personal email address. It was fun to analyze how the threat actor did his “job” and how he implemented his software. I’d like to share my journey with you in order to see a possible research flow, hoping to inspire more security researchers to spot and block malicious websites and credit card skimmers.

Malicious website

Suddenly I landed on: bancacaixa. com. A classic phishing banking page, as you have probably seen thousands of them in your career if you work on this space, was facing me. But in this specif case the phishing had a sub-folder called mobile which took my attention. If you redirect your victim to a sub-folder, you would probably get poor attention to the root directory, since you still are in the initial configuration phase where you are going to decompress the phishing-kit into a sub-folder before deleting it.

Getting to one level up and looking for common subfolders, I was able to spot the original .zip file, which was public available in a specific sub-folder (/src dir listing active) as shown in the following image. The original .zip file is usually the phishing-kit container, which delivers phishing-kit implementation to a new domain. By downloading it from the public listing directory and opening it, I was right, it was the phishing-kit source code! Now we can do a lot of analyses with it.

The malicious code

Having the source code is a piece of cake ! You might decide to check every single source line or you might decide to go straight to what you think is interesting most. I did in this last way by checking where the phishing kit saves logs or data and where (and how) it ships data-out to threat actor. The phishing-kit implements several controls to avoid actions over undesired countries, it does it by checking IP source address on a well-known online service and by checking languages. The phishing-kit also implement dual fraud layer by asking you for your credit card and waiting for your SMS confirmation code. Both of these information will be saved into a log file that happens to be public available (you just need to known the right saving path) as well. The following picture shows the logs structure.

Following the code analysis, it was interesting to see that threat actor send grabbed information through telegram technologies to one channel…. wait, no… to two channels ! Super interesting (and in some way, funny) to figure out the phishing-kit builder cheated his affiliate asking for price to give the “PhishingKit” and “under the hood” he would ship to a parallel telegram channel the stolen information from affiliate. A kind of double extortion approach to phishing-kits, very interesting… never trust your criminal !

The user variable is assigned to the chat_id field before performing the request_url to telegram API. And as you might check from the previous image, two values were used.

The Command and Control

Following the analysis on the source code, it was clear we had the telegram token and chat_ids ! Would we be able to grab some additional threat information from them ? Off course we can ! So let’s try to check who is the owner of the token keys by running a simple curl https://api.telegram.org/<omissis>/getMe the result would be the following one:

{
"ok":true,

"result":{
             "id":<omissis>,
             "is_bot":true,
             "first_name":"caixsabot",
             "username":"caixadesbot",
             "can_join_groups":true,
             "can_read_all_group_messages":false,
              "supports_inline_queries":false
          }
}

So the owner of that token is a chatbot, which can actually join groups. Now let’s check a little bit more about the channel implementing the command and control. By using the telegram plain API getChat we obtained additional information on the side channel. Here the resultts

{
"ok":true,
"result":{
             "id":-<omissis>,
             "title":"correos",
             "type":"group",
             "permissions":{
                              "can_send_messages":true,
                              "can_send_media_messages":true,
                              "can_send_polls":true,
                              "can_send_other_messages":true,
                              "can_add_web_page_previews":true,
                              "can_change_info":true,
                              "can_invite_users":true,
                              "can_pin_messages":true
                            },
             "all_members_are_administrators":true
          }
} 

It’s interesting to see that the communication channel “title” is the same name of the “target” company, in other words, the threat actor built a page to pretend to be correos and the command and control channel as the exact matching string implementing the victim name. I feel to be in the right path :D. Now, by using the telegram API getChatAdministrators and providing the chat_id (public available in the source code) I’ve got the following answer.

{
"ok":true,
"result":[
            {
               "user":{   
                         "id":<omissis>,
                         "is_bot":false,
                         "first_name":"i<omissis>PUNISHER.php",
                         "username":"odin_<imissis>",
                         "language_code":"fr"
                       },
               "status":"creator",
               "is_anonymous":false
            }
          ]
} 

Telegram says the chat administrator is only one. He is not a “bot” and he is the creator ! BTW he is a French language speaker. Now we might use the telegram API getUserProfilePhotos or simply search on telegram for the username and here we go we’ve got his public profile picture (obfuscated).

Conclusions

Cyber attackers are humans. Humans make mistakes or let behind actions details that could be used to trace them. Many attackers are more sophisticated compared to others and so you need more time (even years) to catch them, but if you collect evidences and you share them to the community, someone eventually will be able to identify them. Sharing is caring and collecting evidences would help a lot to secure digital space.

Before publishing this post threat as been communicated and the website should be locked down.