TRAC Labs discovered “WikiKit,” a credential‑harvesting phishing kit active since October 2024 that uses Jimdo‑hosted landing pages mimicking targeted company branding to steal corporate credentials. The campaign leverages href.li and app.salesforceiq‑style redirects, Cloudflare Turnstile CAPTCHAs, JavaScript anti‑analysis/console tampering, and a C2 endpoint on yugaljeeautomotive[.]com to validate emails and capture credentials. #WikiKit #YugaljeeAutomotive
Keypoints
- WikiKit has been active since early October 2024 and targets multiple industries including automotive, manufacturing, medical, construction, consulting, and entertainment.
- Attackers host lookalike landing pages on Jimdosite that display targeted company logos and prompt users to “Review Document Here” to harvest credentials.
- Phishing emails use links that appear to originate from legitimate services (e.g., app.salesforceiq.com) to increase user trust and click‑through rates.
- The campaign employs href.li anonymizing redirects, Cloudflare Turnstile CAPTCHA checks, and JavaScript redirection, and uses a redirect to outlook.office365 as an indicator of successful credential capture.
- Client‑side JavaScript includes anti‑analysis and anti‑debugging checks (regex checks, infinite‑loop constructor, console method overrides) to frustrate analysis and instrumentation.
- The credential validation and collection occur via a C2 endpoint (example: yugaljeeautomotive[.]com/z/pro/mentanance/auth/…/validate) which returns JSON indicating live status, branding flags, and MFA options.
MITRE Techniques
- [T1566.002] Spearphishing Link – The campaign uses phishing emails with links that appear to originate from legitimate services to increase user trust and click-through rates. [‘Phishing emails use links that appear to originate from legitimate services (e.g., app.salesforceiq.com) to increase user trust and click‑through rates.’]
- [T1036] Masquerading – The attackers host lookalike landing pages on Jimdosite that display targeted company logos and prompt users to “Review Document Here” to harvest credentials. [‘host lookalike landing pages on Jimdosite that display targeted company logos and prompt users to “Review Document Here” to harvest credentials.’]
- [T1071.001] Web Protocols – The credential validation and collection occur via a C2 endpoint (example: yugaljeeautomotive[.]com/z/pro/mentanance/auth/…/validate) which returns JSON indicating live status, branding flags, and MFA options. [‘The credential validation and collection occur via a C2 endpoint (example: yugaljeeautomotive[.]com/z/pro/mentanance/auth/…/validate) which returns JSON indicating live status, branding flags, and MFA options.’]
- [T1027] Obfuscated/Compressed Files and Information – Client‑side JavaScript includes anti‑analysis and anti‑debugging checks (regex checks, infinite‑loop constructor, console method overrides) to frustrate analysis and instrumentation. [‘Client‑side JavaScript includes anti‑analysis and anti‑debugging checks (regex checks, infinite‑loop constructor, console method overrides) to frustrate analysis and instrumentation.’]
- [T1497] Virtualization/Sandbox Evasion – Client‑side JavaScript includes anti‑analysis and anti‑debugging checks to frustrate analysis and instrumentation. [‘Client‑side JavaScript includes anti‑analysis and anti‑debugging checks (regex checks, infinite‑loop constructor, console method overrides) to frustrate analysis and instrumentation.’]
Indicators of Compromise
- [Domain] C2 and phishing host – yugaljeeautomotive[.]com (C2/validate endpoint), <victim‑lookalike>.jimdosite.com (phishing landing pages)
- [Impersonation/Service Domain] redirect/trust indicators – app.salesforceiq.com (used in phishing links to appear legitimate)
- [URL/Endpoint] credential validation and success redirect – hxxps://yugaljeeautomotive[.]com/z/pro/mentanance/auth/…/validate (email validation endpoint), outlook.office365.com/Encryption/ErrorPage.aspx?src=0&code=10&be=DM8PR09MB6088&fe=1 (redirect shown when credentials accepted)
- [Redirect service] anonymizing redirect examples – https://href.li/?https://en.wikipedia.org/wiki/Client_access_license (href.li used to mask Wikipedia redirect targets; several href.li→Wikipedia links observed)
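As an added defender-side example (not code from the TRAC Labs report or from the kit), a small Python triage script that recognises the redirect chain and indicators listed above (href.li wrapper, jimdosite landing host, the validate endpoint, the office365 success redirect) in proxy log lines and rates each source address. The log line format, the source IPs, the jimdosite hostname and the "EXAMPLE" path segment are constructed assumptions; recursing into the href.li-wrapped target is my generalisation, since the report only notes href.li→Wikipedia links.

```python
from urllib.parse import parse_qs, urlsplit
# Indicators from the report above (defanged there, refanged here so they match a proxy log).
C2_HOST, LANDING_SUFFIX, REDIRECTOR = "yugaljeeautomotive.com", ".jimdosite.com", "href.li"
SUCCESS_HOST, SUCCESS_PATH = "outlook.office365.com", "/encryption/errorpage.aspx"

def classify_url(url):
    """Return the WikiKit chain stage(s) one URL matches (empty list if none)."""
    tags = []
    p = urlsplit(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    if host == REDIRECTOR and p.query:  # href.li/?<target>: the target is the whole query
        tags.append("stage1:href.li-redirect")
        # Assumption: the wrapped target may itself be a later stage, so recurse on it.
        tags += [t for t in classify_url(p.query) if t not in tags]
    if host.endswith(LANDING_SUFFIX):
        tags.append("stage2:jimdosite-landing")
    if host == C2_HOST and path.endswith("/validate"):
        tags.append("stage3:c2-validate")
    if host == SUCCESS_HOST and path == SUCCESS_PATH:
        q = parse_qs(p.query)
        if q.get("src") == ["0"] and q.get("code") == ["10"]:
            tags.append("stage4:success-redirect")
    return tags

def triage(log_text):
    """Per source IP, fold the stages seen into one verdict.
    Log line format (constructed for this example): '<timestamp> <src_ip> <url>'."""
    seen = {}
    for line in filter(None, log_text.splitlines()):
        _ts, src, url = line.split(" ", 2)
        for tag in classify_url(url):
            seen.setdefault(src, set()).add(tag.split(":")[0])
    verdicts = {}
    for src, stages in seen.items():
        # A validate call, or the success redirect following an earlier stage, means
        # credentials reached the kit; a lone stage1/stage2 hit is only a click.
        if "stage3" in stages or ("stage4" in stages and len(stages) > 1):
            verdicts[src] = "credentials likely captured: reset password, revoke sessions, review MFA"
        else:
            verdicts[src] = "phishing page visited: confirm with user, block landing host"
    return verdicts

# Constructed sample proxy log (the jimdosite host and the "EXAMPLE" segment are placeholders).
SAMPLE_PROXY_LOG = """\
2024-10-08T09:12:01Z 10.0.0.5 https://href.li/?https://en.wikipedia.org/wiki/Client_access_license
2024-10-08T09:12:04Z 10.0.0.5 https://example-corp-docs.jimdosite.com/
2024-10-08T09:12:40Z 10.0.0.5 https://yugaljeeautomotive.com/z/pro/mentanance/auth/EXAMPLE/validate
2024-10-08T09:12:43Z 10.0.0.5 https://outlook.office365.com/Encryption/ErrorPage.aspx?src=0&code=10&be=DM8PR09MB6088&fe=1
2024-10-08T09:15:00Z 10.0.0.9 https://en.wikipedia.org/wiki/Phishing
"""
```

Running `triage(SAMPLE_PROXY_LOG)` yields a "credentials likely captured" verdict for 10.0.0.5 and no entry for 10.0.0.9, whose Wikipedia visit matches no stage.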
Read more: https://trac-labs.com/wikikit-aitm-phishing-kit-where-links-tell-lies-abdea71ba094