Hackers Leverage Cloud Platforms to Spread Phishing Under the Radar

During April, amid the Covid-19 pandemic, Perception-Point wrote about a phishing campaign that impersonated the World Health Organization (WHO). Since I can’t help the world fight against the virus except by working and staying at home, I did what I could and analyzed the phishing pages in this attack which exploited the panic around the virus. The result was a new detection for Trustwave SWG (which is also part of Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature. We immediately started to get hits on more phishing pages with very similar characteristics:

Figure 1: Example of a Phishing mail from the campaign

The phishing attack consists of few phases: The initial lure email that contains the first URL, the sole purpose of the first link is to redirect the user who clicked on the link to a second URL containing the phishing page itself. The redirector in most cases is obfuscated with variety of techniques to bypass static analysis engines. The Phishing page itself mostly resides on the same subdomain as the redirector, but we have seen instances when the redirector and the phishing page resided on different subdomains.

Perception-Point caught the phishing scheme for WHO, we observed a DHL Phishing scenario and many other generic email credentials harvesting schemes.

During the period of 06/05-09/06 we didn’t see any instance of those phishing pages, until they reappeared again in the last few days, like the second wave of Covid-19.

We observed the following URLs in the last few days:

Redirector ID #10 is the most interesting one, and we will use it as an example to showcase what is happening behind the scenes of these phishing attacks:

Figure 2: Traffic capture of the redirecting page

As can be seen in figure 2 – the redirector rotates between two subdomains, I am not overly familiar with IBM Cloud, but it’s possible that the attacker is leveraging some load balance functionality, or perhaps this is a simple server-side code which picks a subdomain to redirect the user to.

Figure 3: Redirector obfuscated code

The redirector contains some old school JavaScript obfuscation, using unescape and document.write. When decoded the following code is revealed:

Figure 4: Redirector de-obfuscated code

This code contains another old-school technique that uses window.location to redirect the browser to another URL. Let’s inspect the 2^nd URL that we are being redirected to from the obfuscated script:

Figure 5: First variant of redirected page

Figure 6: Second variant of redirected page

As can be seen in figures 5 & 6, the obfuscated script redirects to another redirector, this time no obfuscation at all on the redirector, and the redirection is done with the content refresh meta header. The URL in both is completely the same except the subdomain, they both return the same HTML code which is the following:

Figure 7: Final phishing page – a generic webmail login

What so unique in this phishing attack you might ask yourselves?

First, the attackers leverage the IBM cloud platform to spread their phishing schemes, this lets them have the good reputation that the “appddomain.cloud” domain has, as it belongs to IBM cloud. Simply blocking or blacklisting this domain will cause many interruptions for end-users as this will break functionality; The same would happen if someone would decide to block Amazon AWS because someone used it once for malicious activities. Speaking of Amazon, during the final editing of this blog post, we spotted the same kit/actor on Amazon S3 URL:

hxxps://windowshost404902.s3-ap-southeast-1.amazonaws.com/secure/app.html

Figure 8: Obfuscated Redirector on AWS S3

The Actor is redirecting from AWS S3 to IBM Cloud, unfortunately, the phishing page has been removed already from IBM Cloud. Using the IBM cloud platform also gives the attackers a free signed SSL certificate from IBM:

Figure 9: A wildcard certificate from IBM

All those techniques and obfuscations let those phishing pages fly under the radar of most traditional web content filtering products:

Figure 10: VirusTotal scan result for this attack

Interestingly, Yandex Safe browsing detects those URLs as malicious, while Google safe browsing did not, but after further inspection, it looks like Yandex went with the blacklist approach:

Figure 11: VirusTotal Scan result of made-up URL

But there is no malicious content behind this subdomain:

Figure 12: Blacklisting is bad approach, this URL has legitimate content

Thus, whoever uses Yandex Safe browsing might experience warnings when browsing to servers hosted on IBM Cloud platform, regardless of whether or not those sites are malicious. We reported all of these URLs and hostnames to IBM and Amazon to allow them to clean the activity taking advantage of their service.

Trustwave SWG customers and Trustwave SEG customers using BTM are protected against this threat.

Appendix A:

IOCs:

Note: we do not recommend blocking the IP addresses those subdomains resolve to.