This is the first in a series of technical articles from The Watch Commander’s Log. In them, we provide a direct view into the details of some of the threats Agio’s Managed Detection and Response (MDR) team handles for our clients—on an anonymized basis, of course. If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.

phishing meme

 

Agio received reports of a credentialed email harvesting site (hxxp:\\auhghana[.]com) targeting its customers. The MDR team gathered the phishing kit and broke down the components.

VirusTotal doesn’t flag this site as malicious because the api.php is customized to avoid detection. The graph provided by VirusTotal shows the attacker’s backend infrastructure and the associated files and sites related to this specific phishing email campaign.

security scan
network management

This is the Apache directory of the phishing site. Attackers leave these phishing kits open to the public to allow quick changes to landing pages and faster administration of attacks against potential victims. They’re clearly not security people because they’re using low-level tactics, and they aren’t worried about being blocked. They’re focused on having plenty of targets and being able to rotate phishing kits to make the most profit quickly.

network management

 

To gather the attacker’s scripts and information, we extracted the .zip file contents from a packet capture in Wireshark.

server

As you can see by the extracted files, there’s an OSX version and a Windows version, giving the attacker as wide a net as possible. We’ll walk through specific sections and the purpose of the individual php files below.

server
code
computer code

 

Login.php – Posts the output of the attack to an encoded JSON file and uses the MaxMind geolocation database to gather location information from the victim.

computer code

Pass.php – Passes the correct parameters to mimic an Office 365 login splash page, then parses the input to pass to the login.php script.

computer code

Geo.php – Allows the attacker to be selective about the display of the compromised website based on the longitude and latitude of the victim’s machine. This is used to avoid compromising users from the attacker’s host country or other targets that aren’t in scope.

computer code

Mail.php – Passes hardcoded email accounts to gather the encoded JSON output of the login.php script. This is how the data is exfiltrated to the attacker.

computer code

Api.php – A list of user agents, IP addresses, and words to avoid web crawlers and detection by open source security tools.

This is a classic example of a phishing campaign that can target any industry. Identification of patterns in these phishing attempts leads to better detection methods. Understanding the method and structure of a potential compromise allows a defender to gain the edge.

If you have questions about anything you read here, please feel free to reach out to us at mdrbriefings@agio.com. If you are a current Agio MDR client, you can also reach out to your assigned MDR analyst.

Learn More