This is a guest diary provided by Remco Verhoef.
A few months ago we had an investigation regarding an ongoing phishing attack. While researching the case we encountered the U-admin control panel, version 2.7 and we were able to collect the source code for the panel.
From all the control panels we’ve seen, this one looks quite fresh and professional, besides the English spelling errors, it contains user management, plugins, news, and localization. The panel uses a modernish stack, consisting of PHP, Bootstrap, Angular, and JQuery. The underlying database is SQLite3, which makes it easy to deploy on any (hacked) server.
When a phished user has entered confidential information, all data will be forwarded through the proxy script to the panel. The panel will show the information inside the logs section. The phisher-admin can add notes to the entry, multiple entries will be grouped to the same. It records the user-agent, remote address, entered fields and comments. The submission is being done by a URL encoded ajax call to log.php similar to the following:
When data has been received, the phishing administrator can choose to receive notifications via Jabber. It is configurable to receive notifications on data save or whenever a new bot registers.
The phisher-admin can ban certain bids, which will filter out the bids. This is probably being used to filter outdated campaigns or remove garbage entries.
Using the control panel it is possible to create a proxy script, which will be generated (eg the $real_home will be filled). All requests to the proxy script will be forwarded to the real u-admin panel. The proxy script can be placed on a third server, effectively frustrating ongoing investigations by hiding the panel.
Another interesting fact is that the panel contains a news section. This could be an indicator of this panel to be delivered in a more structural and professional way compared to others.
There are two databases, .ht_users.db, which is being used for the control panel users and .htBd.db which contains all log entries. Using the sqlite3 recovery tool "undark", I was able to recover previous username and password entries:
Recovering the log entries, skipping the obscenities, gave some interesting information about alternative usages of the panel. The panel has been used before by another phishing campaign, targeting Ethereum wallets by a cloned site of www.myetherwallet.com. More information can be found at https://www.reddit.com/r/CryptoCurrency/comments/7uzk0f/beware_myetherwallet_clone_found_also_running_a/) Other targets include “bitcoin-tips.com”, “bankofmontreal.com”, “Netflix”, “ING Direct”, “unicredit.it”, “sparkasse.de”, “PayPal” and the latest target “nab.com.au”. Besides those targets, there are many more.
One other interesting artifact that can be found in adm.php is a reference to the Codepen http://codepen.io/kaktys/pen/Zpgpqe.js. This Codepen contains specifics from the panel itself, which could indicate a relation between Kaktys and the control panel.
This leads me to the conclusion of this article. Looking at the professionality of the code, the layout and the functionality I’m giving this control panel 3 out of 5 stars. We wanted to give them 4 stars, but we gave one star less because of an SQL injection vulnerability.
Bonus screenshots:Intrusion Detection In-Depth - SANS Baltimore Spring 2020
Apr 11th 2018
1 year ago