Brutkey

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange well, I have what I believe is a phishkit-as-a-service that doesn't seem to be tracked by any of the major vendors that could use some sort of "fuzzy bunny" name when I finally get around to writing about it.
cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Yes!! We can definitely do that. Also, if you want any help digging into it, let me know. There are plenty of nerds who like getting distracted from our day job tasks for things like that.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange https://github.com/g0d33p3rsec/phishing/wiki/unknown-phishing-kit-cluster offers an overview but is a little out of date. I started tracking them after receiving a pair of lures to my community college student email from two separate compromised accounts within a week. The group seems to use compromised domains on shared hosts but always uses a common host for the images. You can search https://urlscan.io/search/#imagizer.imageshack.com* and look for URIs with base64 endpoints to quickly find their current host. It looks like they're currently using bursaparkeustasi[.]com; they were at yoraraenergie[.]co[.]za before then. I'll try to enumerate the current lures as that one has been in use for some time. Looking at https://urlscan.io/result/01985c2d-231b-71f8-adda-6184531ad94d/#transactions shows the base64 decodes to a path within the /imports directory that, from what I can tell, is used for individual campaigns. Additional evidence for it being a service can be seen in the POST data to event.php, for example: https://urlscan.io/responses/19c52c2d9fd17b70cb733a4077bac38e1a4706943850fbd83b831f2bd0eedd62/
The json includes fields for client and amount.
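The triage described in the post above (pivot on the shared image host, then decode the base64 path segment to recover the /imports campaign path) as an added Python example; this is not code from the thread or from the Phishing Database project. The transaction data is constructed, the hostnames are placeholders, and the per-page resource list is assumed to look like urlscan's transactions view.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample data modelled on the urlscan "transactions" view: a lure
# page URL mapped to the resources it loaded. Hostnames are placeholders
# (.invalid), not real indicators; the base64 segments are constructed too.
SAMPLE_TRANSACTIONS = {
    "https://compromised-a.invalid/L2ltcG9ydHMvYWNtZS1lZHUv": [
        "https://imagizer.imageshack.com/img/logo.png",
    ],
    "https://compromised-b.invalid/?p=L2ltcG9ydHMvY2FtcGFpZ24tMDcv": [
        "https://imagizer.imageshack.com/img/banner.png",
    ],
    "https://benign.invalid/login.php?id=abc123": [
        "https://imagizer.imageshack.com/img/avatar.png",
    ],
    "https://benign.invalid/wp-content/uploads/2024/img.png": [],
}

IMAGE_HOST = "imagizer.imageshack.com"   # shared image host named in the thread
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{12,}")

def decode_token(token):
    """Decode a base64 token (standard or URL-safe alphabet), tolerating stripped padding."""
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("ascii")
        except ValueError:  # bad base64 or non-ASCII result (UnicodeDecodeError is a ValueError)
            continue
    return None

def campaign_path(url):
    """Return the /imports/... path hidden in a base64 path segment or query value, else None."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    tokens += [value for _, value in parse_qsl(parts.query)]
    for token in tokens:
        if B64_TOKEN.fullmatch(token):
            decoded = decode_token(token)
            if decoded and decoded.startswith("/imports/"):
                return decoded
    return None

def triage(transactions):
    """Flag pages that both load from the shared image host and carry an /imports campaign path."""
    hits = {}
    for page, resources in transactions.items():
        loads_image_host = any(urlsplit(r).hostname == IMAGE_HOST for r in resources)
        path = campaign_path(page)
        if loads_image_host and path:
            hits[page] = path
    return hits
```

Pages that load the image host but carry no decodable /imports path (the third sample) are left out, which keeps ordinary imageshack embeds from being flagged.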

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Do you want to take that to DM in case anyone is monitoring?

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange I'm not too worried about tipping them off at this point. I initially was keeping the indicators to trust communities but if they are monitoring, they're sloppy. I was actively adding their hosts to the Phishing Database project for more than a year, which feeds into VirusTotal, without noticing any major changes to their tactics. Using the Diamond Model and looking at the victims, which consistently target South African universities, leads me to suspect (with low confidence) that it is something similar to the Black Ax out of West Africa. My school has a decent number of Cameroonian students, including the accounts that initially caught my suspicion.

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange I'll pass it on but I'm already away from my workstation for the weekend.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange No rush. I've been toying with them for 2 years now =D

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Oh damn. The patient long game.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange I used them as a practical exercise to find my way towards CTI & threat research. I had no clue what I was doing when I started and ended up with a VT crazy wall until I realized I could focus on the image host. These days, I'm more interested in finding malware to work with but still try to keep an eye on what this cluster is doing. Kind of tempted to try to package this for a CFP to show others that it's possible to have an impact even from outside of industry. Also, useful hack for getting around the 5 years of experience that many HR teams add to entry level job listings.

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange That's a nice way to sidestep that HR crap. Well done.

0xfeedc0fe
@0xfeedc0fe@infosec.exchange

@cR0w@infosec.exchange Just a quick follow-up with some recent samples. danmartin[.]ro was the previous host. https://github.com/Phishing-Database/phishing/pull/869 includes a list of urlscan results.

catenacciovintage[.]com is the current host:
https://github.com/Phishing-Database/phishing/pull/878

It looks like they're primarily targeting South Africa at the moment, but I wouldn't be surprised to see a shift to .edu domains in some of the lures over the coming weeks as the fall semester starts.

cR0w
@cR0w@infosec.exchange

@0xfeedc0fe@infosec.exchange Nice. Worth keeping an eye on for sure.