Summary: On Oct 27, the odix team detected file-based phishing malware in an email attachment that was blocked by the FileWall system. The blocked attachment redirected the user to a credential-stealing website built to mimic the Microsoft login page. Any credentials entered were sent to the attacker’s web server with no visible sign of compromise, leaving the user’s data and privacy at significant risk.
Step 1: Multiple recipients received email messages with the subject “Note to <recipient email> from a.innes@innessystems[.]com”. The messages carried an HTM attachment titled “? <company name> AudioMessage_NNN-NN”. The attachment contained a URL-encoded payload:
Decoding the escaped string returned the following code:
Step 2: A quick base64 decode showed that the last element of the URL is the email address the message was delivered to. The URL redirects to another URL, https://fanvironmental[.]club/sashi/audio/ZW1wbG95ZWVAY29udG9zby5jb20=, which loads a Microsoft phishing website:
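The decoding chain from steps 1 and 2, as an added Python example that is not part of the original write-up: it percent-decodes an attachment (repeatedly, in case the encoding is nested), lists the URLs the decoded script points to, and tries to base64-decode the last path segment of each one to recover the targeted mailbox, generalising the single manual decode above to every URL in the file. The HTM sample is constructed for this example and the domain phish-example.invalid is a placeholder; only the base64 segment is the one quoted in the write-up.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample of an HTM attachment body, modelled on the pattern
# described in the write-up: a percent-encoded script that redirects the
# browser. The domain is a placeholder; the base64 path segment is the one
# quoted in the write-up (it decodes to employee@contoso.com).
SAMPLE_HTM = (
    "<html><body><script>\n"
    "document.write(unescape('%3Cscript%3Ewindow.location.href%3D%22"
    "https%3A%2F%2Fphish-example.invalid%2Fsashi%2Faudio%2F"
    "ZW1wbG95ZWVAY29udG9zby5jb20%3D%22%3C%2Fscript%3E'));\n"
    "</script></body></html>"
)

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_percent_layers(text: str, max_rounds: int = 5) -> str:
    """Percent-decode until the text stops changing; obfuscated attachments
    often wrap the payload in more than one layer."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in already-decoded text."""
    return URL_RE.findall(text)


def decode_trailing_segment(url: str) -> Optional[str]:
    """If the last path segment is valid base64 that decodes to an e-mail
    address, return that address; otherwise return None."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    segment = path.rsplit("/", 1)[-1]
    try:
        raw = base64.b64decode(segment, validate=True)  # standard alphabet only
        candidate = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return candidate if EMAIL_RE.match(candidate) else None


def defang(url: str) -> str:
    """Render a URL safe to paste into a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def analyze_attachment(htm: str) -> List[dict]:
    """Decode the attachment, list the URLs it redirects to, and recover the
    targeted mailbox when it is carried in the URL."""
    plain = decode_percent_layers(htm)
    findings = []
    for url in extract_urls(plain):
        findings.append({
            "url": url,
            "defanged": defang(url),
            "victim_email": decode_trailing_segment(url),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_attachment(SAMPLE_HTM):
        print(finding["defanged"], "->", finding["victim_email"])
```

Running the block prints the defanged redirect URL next to the recovered mailbox. The validate=True flag matters: without it, b64decode silently discards characters outside the base64 alphabet and can turn an ordinary path segment into garbage that looks like a hit.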
Step 3: Credentials are sent to the attackers’ server
Inspecting the code revealed the email address of the operator who bought the phishing kit license. Searching the web for that address showed the operator had run active campaigns that were detected in July and August of this year.
Further investigation of the fake Microsoft login page showed that the phishing kit performs a license-validation call. From that link we were able to extract the phishing kit’s source code. The kit consists of a few PHP files and includes a readme explaining how to set it up; according to the readme, “This scampage support 6 email grab types”.
We even found a YouTube video by the author with a step-by-step guide to purchasing credits and setting up the phishing kit. Additional investigation revealed two servers in Bulgaria that the developer used for testing.
As of this writing (October 27), the URLs used in this attack had only 4 detections on VirusTotal.