This article details a comprehensive investigation into a phishing campaign that compromised a client account and deployed fake Microsoft login pages to harvest credentials. It covers the attack chain, phishing site analysis, deobfuscation of malicious scripts, IOCs, and recommendations to improve defenses.
#GreatnessPhishkit #REYTOROGROUP #WayBackMachine
Key points
- Approximately 72 phishing domains were used to deceive targets with believable websites.
- The attack chain comprised four main stages: account compromise, phishing email from the breached client, credential theft via a fake site, and distribution of phishing emails to contacts.
- A phishing website impersonated a Microsoft login page and used a valid certificate and legitimate appearance to appear trustworthy.
- Two-factor authentication did not protect against this proxy-style phishing: the credentials and one-time code entered on the fake page were forwarded to the attacker's server, which performed the real authentication remotely.
- Extensive technical analysis revealed obfuscated JavaScript, fingerprinting to gather system data, and WebSocket-based C2 communications.
- The phishing kit is linked to the “Greatness” infrastructure, and updated lures and domains suggest the campaign is still active.
MITRE Techniques
- [T1566.001] Spearphishing Link – The attacker used a phishing email with a link to a fake login page to capture credentials. “The attacker posing as our client asks our employee to listen to a voice message, whose transcript is unavailable. The link to the recording is provided at the top of the email.”
- [T1556.003] Credential in Web Form – The user enters their login and password on a fake page, and “the second mistake – completing the two-factor authentication by entering the secret code from the authenticator app” as credentials are sent to the attacker’s server.
- [T1082] System Information Discovery – The fingerprinting script “gathers information about the user’s environment, including screen properties, window properties, navigator properties, location, console, document attributes, timezone offset, WebGL information, and more.”
- [T1027] Obfuscated/Compressed Files and Information – The phishing script is described as “obfuscated,” and the analysis shows deobfuscation steps leading to clean code; “The script … is obfuscated, but after applying the deobfuscation services … we get absolutely clean and ready-to-analyze code.”
- [T1071.001] Web Protocols / WebSocket – The campaign uses a WebSocket-based channel for communication; the analysis notes that “The second part of the script can be ‘fed’ to ChatGPT, which will explain that the script ‘jsnom.js’ is embedded and executed in the page,” and later references loading the socket.io library for WebSocket-style communication.
- [T1041] Exfiltration Over C2 Channel – Credentials and data are transmitted to the attacker’s server via POST requests during the phishing flow; “the user credentials are sent to the attacker’s server, where the actual authentication takes place.”
Indicators of Compromise
- [Domain] phishing landing domains – reytorogroup[.]com, batimnmlp[.]click, and 70+ other domains (72 phishing domains reported in Appendix 2)
- [Domain] legitimate-looking infrastructure domains – aadcdn[.]msftauth[.]net, cdn[.]socket[.]io, 2moniunesson[.]com
- [URL] phishing redirect links – hxxps://www[.]reytorogroup[.]com/r/?… and hxxps://batimnmlp[.]click/m/?cmFuGWGFUSlNkVFJ0ZWc9PQ==N0123N[EMail]
- [WebSocket] C2 channel endpoints – 2moniunesson[.]com and other WebSocket servers listed in Appendix 2
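The indicators above can be turned into a simple proxy-log check. The following is an added example (not code from the ANY.RUN write-up): it refangs the page's defanged IOC domains, matches the reported lure URL shape `/m/?<blob>N0123N<e-mail>`, and runs both checks over constructed log lines; the log format and sample values are assumptions.

```python
import re
from urllib.parse import urlparse

# IOC domains taken from the page's Indicators of Compromise list (defanged there with [.]).
IOC_DOMAINS = {"reytorogroup.com", "batimnmlp.click", "2moniunesson.com"}

def refang(value: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into its real form."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))

# Lure URL query shape reported on the page: <base64-like blob>N0123N<victim e-mail>.
LURE_QUERY = re.compile(r"^(?P<blob>[A-Za-z0-9+/=]+)N0123N(?P<email>[^&\s]+@[^&\s]+)$")

def classify_url(url: str) -> dict:
    """Verdict for one URL: does the host hit an IOC domain, does the query match the lure?"""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    # Match the domain itself or any subdomain (e.g. www.reytorogroup.com).
    ioc_hit = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
    m = LURE_QUERY.match(parsed.query)
    return {
        "host": host,
        "ioc_domain": ioc_hit,
        "lure_pattern": bool(m),
        "victim_email": m.group("email") if m else None,
    }

# Constructed proxy log lines (assumption, not from the page): timestamp, client IP, URL.
# The base64 blob is just base64("randomblob"); the real campaign value is not reproduced here.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/authorize
2024-01-01T10:00:09Z 10.0.0.5 https://www.reytorogroup.com/r/?id=abc
2024-01-01T10:00:12Z 10.0.0.5 https://batimnmlp.click/m/?cmFuZG9tYmxvYg==N0123Nalice@example.com
2024-01-01T10:00:15Z 10.0.0.7 https://cdn.socket.io/4.5.0/socket.io.min.js
"""

def scan_log(text: str) -> list:
    """Return (client_ip, url, verdict) for each line hitting an IOC domain or the lure pattern."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        _, client, url = parts
        verdict = classify_url(url)
        if verdict["ioc_domain"] or verdict["lure_pattern"]:
            hits.append((client, url, verdict))
    return hits
```

Legitimate hosts such as login.microsoftonline.com and cdn.socket.io are deliberately not flagged; the lure-pattern match also recovers the targeted mailbox, which tells the responder whose account to check first.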
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/analysis-of-the-phishing-campaign/