AiTM Phishing, Hold the Gabagool: Analyzing the Gabagool Phishing Kit

TRAC Labs documents a phishing campaign named “Gabagool” that compromises email accounts and uses them to send messages containing shortened links or RTF attachments, which redirect victims to credential-harvesting pages hosted in Cloudflare R2 buckets. The phishing pages use obfuscated JavaScript to detect bots and sandboxes and, once a real user is confirmed, load forms that send the harvested credentials in AES-encrypted POST requests to a backend at o365.alnassers.net. #Gabagool #CloudflareR2

Keypoints

  • Attackers compromise employee mailboxes and use those accounts to send phishing emails containing images with embedded shortened links or RTF attachments (QR-code schemes).
  • Phishing landing pages and content are hosted in Cloudflare R2 buckets using URLs formatted like pub-{32 hex}.r2.dev/{html_filename}.html, leveraging Cloudflare’s reputation to evade detection.
  • The landing-page JavaScript is obfuscated and implements a detectBots routine (webdriver, mouse movement, cookie test, rapid interaction) to evade analysis and sandboxing.
  • If the bot checks pass, the page injects styles/iframes and loads a credential-harvesting page that captures the email and password fields and sends them in AES-encrypted POST requests to the attacker’s backend.
  • The credential capture and session flow carry a campaign PSK identifier (e.g., Z2AzDtkQgaE…) and talk to a server identified as o365.alnassers.net; the server’s responses include JWT tokens and MFA method data.
  • The phishing flow validates that provided emails belong to organizational domains (rejects consumer domains like outlook.com/hotmail.com) and supports MFA interception workflows (PhoneAppNotification, PhoneAppOTP, SMS, voice).
  • Detection guidance: hunt for unusual R2 bucket URLs, traffic to o365.alnassers.net, related hashes, and use public URLScan/GitHub IOC resources provided by TRAC Labs.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Phishing delivered via shortened links embedded in images and redirect chains (‘Embedded within the image is a malicious URL-shortened link leveraging tiny.cc and tiny.pl that contain a redirect chain.’)
  • [T1566.001] Spearphishing Attachment – Use of RTF attachments and document-like images to trick users into opening malicious links (‘For the QR-code schemes, the threat actor would attach a document to the email, for example an RTF document.’)
  • [T1078] Valid Accounts – Initial access and distribution via compromised mailboxes used to send phishing to other employees (‘The threat actor would initially compromise the user’s mailbox and begin sending phishing emails to other employees.’)
  • [T1027] Obfuscated Files or Information – JavaScript on the landing pages is obfuscated to hinder analysis (‘At the end of the source code, we see the obfuscated blob of the JavaScript code.’)
  • [T1497.001] Virtualization/Sandbox Evasion (System Checks) – The script checks for automation and sandbox indicators (navigator.webdriver, mouse movement, cookie availability, rapid interactions) and redirects bots elsewhere (‘The function detects signs of bot activity with the following checks: Webdriver Check… Mouse Movement Detection… Cookie Test… Rapid Interaction Detection.’)
  • [T1041] Exfiltration Over C2 Channel (Web/HTTP) – Harvested credentials and session data are sent via POST requests to the attacker-controlled server (AES-encrypted payloads sent to o365.alnassers.net) (‘Another POST request after the user enters the email and credentials would have the following format…’).

Indicators of Compromise

  • [Domain] C2 / phishing backend – o365.alnassers.net, cuippored.top
  • [URL pattern] Cloudflare R2 hosting pattern – pub-{32 hexadecimal characters}.r2.dev/{html_filename}.html (used to host phishing landing pages)
  • [Shortened services / redirect] Redirect/obfuscation services seen in email links – tiny.cc, tiny.pl
  • [Landing page paths] Example phishing paths – cuippored.top/fine/# (other variants include /200, /300, /400, /500, /ppp, /ooo)
  • [Hash] Detection hunt sample – 8c905c71ef88bdd72707dab7b5c2adfdd148190f74b7284b7f7745bea500a92e (referenced in URLScan query)
  • [Campaign identifier / token] PSK / unique campaign string – Z2AzDtkQgaEKJWdOV0SCDDSHsCn91fyMiObH65OnsoadZmRdds0rzqsOhYC/7tK5SQBluO+DxtRYLp7uD0LeZg==
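As an added example (not code from the TRAC Labs write-up), the following Python hunt turns the detection guidance and the indicator list above into a scan over proxy-log lines: it flags the R2 bucket pattern only when it serves an .html page, the two phishing domains with their landing-page paths, and the shorteners seen in the redirect chain. The log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Indicators are the ones listed on this page; the log lines below are constructed.
C2_DOMAINS = {"o365.alnassers.net", "cuippored.top"}
SHORTENERS = {"tiny.cc", "tiny.pl"}
R2_BUCKET = re.compile(r"^pub-[0-9a-f]{32}\.r2\.dev$")  # pub-{32 hex}.r2.dev
LANDING_PATHS = re.compile(r"^/(fine|200|300|400|500|ppp|ooo)(/|$)")
URL = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?")

def classify(host: str, path: str) -> Optional[str]:
    """Map a host/path pair to a hunt reason, or None if it matches no indicator."""
    host = host.lower()
    if host in C2_DOMAINS:
        if host == "cuippored.top" and LANDING_PATHS.match(path):
            return "Gabagool landing-page path on known phishing domain"
        return "traffic to known Gabagool backend/phishing domain"
    # Public R2 buckets are common; only a bucket serving an .html page is worth a look.
    if R2_BUCKET.match(host) and path.split("#")[0].lower().endswith(".html"):
        return "HTML page served from a public Cloudflare R2 bucket (review)"
    if host in SHORTENERS:
        return "URL shortener seen in the Gabagool redirect chain"
    return None

def hunt(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines (any format containing URLs); return (line_no, host, reason)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL.finditer(line):
            reason = classify(m.group(1), m.group(2) or "/")
            if reason:
                hits.append((n, m.group(1).lower(), reason))
    return hits

# Constructed sample proxy log: four indicator hits, one benign line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z alice GET https://pub-0123456789abcdef0123456789abcdef.r2.dev/login.html",
    "2024-01-01T10:00:05Z alice POST https://o365.alnassers.net/",
    "2024-01-01T10:01:00Z bob GET https://tiny.cc/abc123",
    "2024-01-01T10:02:00Z carol GET https://cuippored.top/fine/#",
    "2024-01-01T10:03:00Z dave GET https://example.com/index.html",
]

if __name__ == "__main__":
    for line_no, host, reason in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {host} -> {reason}")
```

The R2 rule is a triage signal rather than a verdict, since legitimate content is also served from pub-*.r2.dev; a hit on o365.alnassers.net or the cuippored.top landing paths is the stronger indicator.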

Read more: https://medium.com/@traclabs_/aitm-phishing-hold-the-gabagool-analyzing-the-gabagool-phishing-kit-531f5bbaf0e4