O365 Phisher wants to know my location | Kit analysis

milann shrestha
3 min read · Feb 8, 2021

Let me tell you a short story about an O365 phishing campaign I came across. Interestingly, it was hosted on one of the TLDs for Nepal🇳🇵 and apparently wants to know your location. hmm.

Since the phishing site is still active and contains a credential dump, I have decided not to disclose the domain involved, in keeping with white hat ethics.

Phishing Login Page targeting Office365 Users

Here is the first look at the phishing page. It does not look authentic, but it works. I’d like to point out a few features of this page that made me wonder why this threat actor is working so hard:

  • Asks for location 🗺️,
  • Does not allow editing the credentials once typed ✍️,
  • Session timeout 😪, for real?

My first approach was to check the URL on @urlscan.io. There, the scanner had registered 417 similar hits marked as Malicious Activity. I noticed an HTML file with the same name in almost all of the URLs.

Results from URLScan.io

There must be an #opendir with a zip (kit) due to misconfiguration, or let’s say one that most amateur phish actors keep for, I don’t know, maybe ‘various reasons’, and… ¡¡ Voila !! There it is,

“A fresh .zip file in a phishing directory”

Open Directory with existing phishing kit

Inside the .zip, tsb1.txt contains all the harvested credentials: the Office365 email, user ID, password and the victim’s IP address, appended for each entry from this phishing campaign’s victims. The kit also sends the info to the phisher’s email addresses:

📮 “Richardsmith292929@yandex.com”
📮 “Richardsmith292929@gmail.com”

Snippet of post.php and tsb1.txt
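As an added example (not the kit’s code and not from the original post), here is a small Python triage helper for a harvested-credential file like tsb1.txt: it parses the entries, redacts passwords and IPs before the dump is shared with anyone, and groups unique victims by mail domain so each affected organisation can be notified. The field layout and the sample lines are assumptions, since the post does not show the real file format.

```python
from collections import defaultdict

# Constructed sample in an ASSUMED layout: one victim per line, fields separated
# by " | " in the order the post describes (Office365 email, user id, password, IP).
# The real tsb1.txt layout is not shown in the post, so this is a placeholder format.
SAMPLE_DUMP = """\
alice@example-corp.com | alice | Winter2021! | 203.0.113.10
bob@example-corp.com | bob.k | hunter2 | 198.51.100.7
carol@other-org.example | carol | Passw0rd | 203.0.113.10
alice@example-corp.com | alice | Winter2021! | 203.0.113.10
garbage line without separators
"""

FIELD_SEP = " | "

def parse_dump(text):
    """Parse dump lines into dicts; skip lines that don't match the expected shape."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(FIELD_SEP)]
        if len(parts) != 4 or "@" not in parts[0]:
            continue  # malformed or truncated entry: ignore it rather than crash
        email, user_id, password, ip = parts
        records.append({"email": email.lower(), "user_id": user_id,
                        "password": password, "ip": ip})
    return records

def redact(record):
    """Mask the secret and the victim IP so the triage output can be shared safely."""
    pw = record["password"]
    masked_pw = pw[0] + "*" * (len(pw) - 1) if pw else ""
    ip_parts = record["ip"].split(".")
    masked_ip = ".".join(ip_parts[:2] + ["x", "x"]) if len(ip_parts) == 4 else "x.x.x.x"
    return {**record, "password": masked_pw, "ip": masked_ip}

def victims_by_domain(records):
    """Unique victim mailboxes per domain: the list to notify each affected org."""
    seen = defaultdict(set)
    for r in records:
        seen[r["email"].split("@", 1)[1]].add(r["email"])
    return {d: sorted(v) for d, v in seen.items()}

def notification_summary(text):
    """Entry count, unique victim count and per-domain victim lists for one dump."""
    recs = parse_dump(text)
    return {"entries": len(recs), "unique_victims": len({r["email"] for r in recs}),
            "domains": victims_by_domain(recs)}

if __name__ == "__main__":
    for rec in parse_dump(SAMPLE_DUMP):
        print(redact(rec))
    print(notification_summary(SAMPLE_DUMP))
```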

The email addresses of the phisher behind this campaign, the so-called “Richard Smith”, were also found in another phishing kit in the repository managed by ActorExposed on GitHub. Both kits target Office365 users, with quite different themes.

Defaced site in other path in phishing site

Moreover, one of the sites used for this phishing campaign was defaced by the infamous actor “Iman”. This leads to the conclusion that most of these phishing sites are hosted on compromised domains.

Jake’s Reply with wonderful suggestion

For further kit analysis, @JCyberSec_ suggested a search query on @urlscan.io to investigate the kit. Even though the source code of the phishing page differs between sites, the kit drops a .txt file (tsb1.txt) on the server containing the credential dump.

To some extent, Google hacking/dorking might help with finding open directories that contain the text file.

Google Dorking Syntax

Note: The event has been reported to NPCERT (although they seem quite inactive at the moment, or always have been) and the phishing kit has been uploaded to Kit Repo.

PS. I’d like to shout out @BushidoToken and @JCyberSec_, whom I look up to for their threat hunting research. Thanks guys.. :D

milann shrestha

security researcher / threat intel / osint / analyst / anti phishing