During April, amid the Covid-19 pandemic, Perception-Point wrote about a phishing campaign that impersonated the World Health Organization (WHO). Since I can’t help the world fight against the virus except by working and staying at home, I did what I could and analyzed the phishing pages in this attack, which exploited the panic around the virus. The result was a new detection for Trustwave SWG (which is also part of the Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature. We immediately started to get hits on more phishing pages with very similar characteristics:
| ID | Date | URL | Type |
|----|------|-----|------|
| 1 | 25/04 | 6645.us-south.cf.appdomain.cloud | DHL Phishing |
| 2 | 28/04 | 67i.us-south.cf.appdomain.cloud | Redirector To Phishing |
| 3 | 01/05 | r0g.us-south.cf.appdomain.cloud | Obfuscated Redirector |
| 4 | 01/05 | 409k.us-south.cf.appdomain.cloud | Redirector to ID #1 (DHL) |
| 5 | 04/05 | w30.us-south.cf.appdomain.cloud | Obfuscated Redirector |
| 6 | 05/05 | 039w.us-south.cf.appdomain.cloud | Redirector to trxpres.us-south.cf.appdomain.cloud |
Figure 1: Example of a Phishing mail from the campaign
The phishing attack consists of a few phases. The initial lure email contains the first URL; the sole purpose of that first link is to redirect the user who clicks it to a second URL containing the phishing page itself. The redirector is in most cases obfuscated with a variety of techniques to bypass static analysis engines. The phishing page itself mostly resides on the same subdomain as the redirector, but we have seen instances where the redirector and the phishing page resided on different subdomains.
While Perception-Point caught the phishing scheme impersonating WHO, we observed a DHL phishing scenario and many other generic email credential harvesting schemes.
During the period of 06/05-09/06 we didn’t see any instances of those phishing pages, until they reappeared in the last few days, like the second wave of Covid-19.
We observed the following URLs in the last few days:
| ID | Date | URL | Type |
|----|------|-----|------|
| 7 | 10/06 | aa01011998.us-south.cf.appdomain.cloud | OWA (Outlook) Phishing |
| 8 | 10/06 | 54009w.us-south.cf.appdomain.cloud | Roundcube Mail Phishing |
| 9 | 11/06 | s4v01011998.us-south.cf.appdomain.cloud | N/A (URL Was Taken Down) |
| 10 | 11/06 | es01011998.us-south.cf.appdomain.cloud | Redirector to ID #11 & #12 (Generic) |
| 11 | 11/06 | ny01011999.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 12 | 11/06 | cm01011986.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 13 | 12/06 | nz01012003.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 14 | 13/06 | 59038922k.us-south.cf.appdomain.cloud | Redirector to ID #15 & #16 (EMS) |
| 15 | 13/06 | ds49.us-south.cf.appdomain.cloud | EMS Phishing |
| 16 | 13/06 | rk940.us-south.cf.appdomain.cloud | EMS Phishing |
| 17 | 13/06 | darcy20192020.eu-gb.cf.appdomain.cloud | Generic Web Mail Phishing |
| 18 | 16/06 | 3094g3.us-south.cf.appdomain.cloud | Redirector to ID #19 & #20 (Generic) |
| 19 | 16/06 | 278302p.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 20 | 16/06 | 7482y3740.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 21 | 17/06 | fg675.us-south.cf.appdomain.cloud | Redirector to ID #22 & #23 (OWA) |
| 22 | 17/06 | 3320p9.us-south.cf.appdomain.cloud | OWA (Outlook) Phishing |
| 23 | 17/06 | 202-2s.us-south.cf.appdomain.cloud | OWA (Outlook) Phishing |
| 24 | 17/06 | 75568tg.us-south.cf.appdomain.cloud | Redirector to ID #25 & #26 (DHL) |
| 25 | 17/06 | 876j.us-south.cf.appdomain.cloud | DHL Phishing |
| 26 | 17/06 | ki97890.us-south.cf.appdomain.cloud | DHL Phishing |
| 27 | 17/06 | 849.us-south.cf.appdomain.cloud | Redirector to ID #28 & #29 (Generic) |
| 28 | 17/06 | 0931.us-south.cf.appdomain.cloud | Generic Web Mail Phishing (2nd Variant) |
| 29 | 17/06 | t4032.us-south.cf.appdomain.cloud | Generic Web Mail Phishing (2nd Variant) |
| 30 | 17/06 | nd901.us-south.cf.appdomain.cloud | OWA (Outlook) Phishing |
| 31 | 17/06 | 7482y3740.us-south.cf.appdomain.cloud | Generic Web Mail Phishing |
| 32 | 17/06 | si309222.us-south.cf.appdomain.cloud | Redirector |
Redirector ID #10 is the most interesting one, and we will use it as an example to showcase what is happening behind the scenes of these phishing attacks:
Figure 2: Traffic capture of the redirecting page
As can be seen in figure 2, the redirector rotates between two subdomains. I am not overly familiar with IBM Cloud, but it’s possible that the attacker is leveraging some load balancing functionality, or perhaps this is simple server-side code which picks a subdomain to redirect the user to.
Figure 3: Redirector obfuscated code
The redirector contains some old school JavaScript obfuscation, using unescape and document.write. When decoded the following code is revealed:
Figure 4: Redirector de-obfuscated code
This code contains another old-school technique that uses window.location to redirect the browser to another URL. Let’s inspect the second URL that the obfuscated script redirects us to:
Figure 5: First variant of redirected page
Figure 6: Second variant of redirected page
As can be seen in figures 5 & 6, the obfuscated script redirects to another redirector. This time there is no obfuscation at all on the redirector, and the redirection is done with a content refresh meta header. The two URLs are identical except for the subdomain, and both return the same HTML code, which is the following:
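The two redirect stages described above (the unescape/document.write wrapper around a window.location assignment, and the plain meta refresh) can be unwrapped statically for triage. The following is an added example, not code from the original post or from the kit: it strips unescape() layers and extracts the redirect targets. The sample HTML and the `*.example.invalid` hostnames are constructed placeholders, not the campaign's real URLs.

```python
import re
from urllib.parse import unquote

# Constructed samples mirroring the two redirector styles in the post.
# Hostnames are placeholders, not indicators from the campaign.
SAMPLE_OBFUSCATED = (
    '<script>document.write(unescape("%3Cscript%3E'
    'window.location%3D%22https%3A%2F%2Fredirector.example.invalid%2Fhop.html%22%3B'
    '%3C%2Fscript%3E"));</script>'
)
SAMPLE_META_REFRESH = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://phish.example.invalid/login.html"></head></html>'
)

UNESCAPE_RE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
LOCATION_RE = re.compile(r'window\.location(?:\.href)?\s*=\s*(["\'])(.*?)\1', re.I)
META_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.I,
)


def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): %uXXXX sequences first, then %XX bytes."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def deobfuscate(html: str, max_layers: int = 10) -> str:
    """Replace each unescape("...") call with its decoded content, repeating
    for nested layers until nothing changes or the layer cap is reached."""
    for _ in range(max_layers):
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), html)
        if new == html:
            break
        html = new
    return html


def extract_redirects(html: str) -> list:
    """Return redirect targets found in window.location assignments and
    meta refresh headers after static de-obfuscation."""
    decoded = deobfuscate(html)
    targets = [m.group(2) for m in LOCATION_RE.finditer(decoded)]
    for m in META_RE.finditer(decoded):
        url = re.search(r'url\s*=\s*(\S+)', m.group(1), re.I)
        if url:
            targets.append(url.group(1).strip('\'"'))
    return targets
```

Feeding each hop's HTML through `extract_redirects` lets an analyst follow the chain without executing the script, which is what the static engines the post mentions fail to do.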
Figure 7: Final phishing page – a generic webmail login
What is so unique in this phishing attack, you might ask yourselves?
First, the attackers leverage the IBM Cloud platform to spread their phishing schemes. This lets them benefit from the good reputation of the “appdomain.cloud” domain, as it belongs to IBM Cloud. Simply blocking or blacklisting this domain will cause many interruptions for end-users, as it will break legitimate functionality; the same would happen if someone decided to block Amazon AWS because someone once used it for malicious activity. Speaking of Amazon, during the final editing of this blog post we spotted the same kit/actor on an Amazon S3 URL:
hxxps://windowshost404902.s3-ap-southeast-1.amazonaws.com/secure/app.html
Figure 8: Obfuscated Redirector on AWS S3
The actor is redirecting from AWS S3 to IBM Cloud; unfortunately, the phishing page had already been removed from IBM Cloud. Using the IBM Cloud platform also gives the attackers a free signed SSL certificate from IBM:
Figure 9: A wildcard certificate from IBM
All those techniques and obfuscations let those phishing pages fly under the radar of most traditional web content filtering products:
Figure 10: VirusTotal scan result for this attack
Interestingly, Yandex Safe Browsing detects those URLs as malicious while Google Safe Browsing does not, but after further inspection it looks like Yandex went with the blacklist approach:
Figure 11: VirusTotal Scan result of made-up URL
But there is no malicious content behind this subdomain:
Figure 12: Blacklisting is a bad approach; this URL has legitimate content
Thus, whoever uses Yandex Safe Browsing might experience warnings when browsing to servers hosted on the IBM Cloud platform, regardless of whether or not those sites are malicious. We reported all of these URLs and hostnames to IBM and Amazon to allow them to clean up the activity taking advantage of their services.
Trustwave SWG customers and Trustwave SEG customers using BTM are protected against this threat.
Appendix A:
IOCs:
Note: we do not recommend blocking the IP addresses those subdomains resolve to.