SpiderLabs Blog

Hackers Leverage Cloud Platforms to Spread Phishing Under the Radar | Trustwave

Written by Simon Kenin | Jul 3, 2020 5:00:00 AM

During April, amid the Covid-19 pandemic, Perception-Point wrote about a phishing campaign that impersonated the World Health Organization (WHO). Since I can’t help the world fight against the virus except by working and staying at home, I did what I could and analyzed the phishing pages in this attack which exploited the panic around the virus. The result was a new detection for Trustwave SWG (which is also part of Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature. We immediately started to get hits on more phishing pages with very similar characteristics:

ID

Date

URL

Type

1

25/04

6645.us-south.cf.appdomain.cloud

DHL Phishing

2

28/04

67i.us-south.cf.appdomain.cloud

Redirector To Phishing

3

01/05

r0g.us-south.cf.appdomain.cloud

Obfuscated Redirector

4

01/05

409k.us-south.cf.appdomain.cloud

Redirector to ID #1 (DHL)

5

04/05

w30.us-south.cf.appdomain.cloud

Obfuscated Redirector

6

05/05

039w.us-south.cf.appdomain.cloud

Redirector to trxpres.us-south.cf.appdomain.cloud

 

Figure 1: Example of a Phishing mail from the campaign

 

The phishing attack consists of few phases: The initial lure email that contains the first URL, the sole purpose of the first link is to redirect the user who clicked on the link to a second URL containing the phishing page itself. The redirector in most cases is obfuscated with variety of techniques to bypass static analysis engines. The Phishing page itself mostly resides on the same subdomain as the redirector, but we have seen instances when the redirector and the phishing page resided on different subdomains.

Perception-Point caught the phishing scheme for WHO, we observed a DHL Phishing scenario and many other generic email credentials harvesting schemes.

During the period of 06/05-09/06 we didn’t see any instance of those phishing pages, until they reappeared again in the last few days, like the second wave of Covid-19.

We observed the following URLs in the last few days:

ID

Date

URL

Type

7

10/06

aa01011998.us-south.cf.appdomain.cloud

OWA (Outlook) Phishing

8

10/06

54009w.us-south.cf.appdomain.cloud

Roundcube Mail Phishing

9

11/06

s4v01011998.us-south.cf.appdomain.cloud

N/A (URL Was Taken Down)

10

11/06

es01011998.us-south.cf.appdomain.cloud

Redirector to ID #11 & #12 (Generic)

11

11/06

ny01011999.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

12

11/06

cm01011986.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

13

12/06

nz01012003.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

14

13/06

59038922k.us-south.cf.appdomain.cloud

Redirector to ID #15 & #16 (EMS)

15

13/06

ds49.us-south.cf.appdomain.cloud

EMS Phishing

16

13/06

rk940.us-south.cf.appdomain.cloud

EMS Phishing

17

13/06

darcy20192020.eu-gb.cf.appdomain.cloud

Generic Web Mail Phishing

18

16/06

3094g3.us-south.cf.appdomain.cloud

Redirector to ID #19 & #20 (Generic)

19

16/06

278302p.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

20

16/06

7482y3740.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

21

17/06

fg675.us-south.cf.appdomain.cloud

Redirector to ID #22 & #23 (OWA)

22

17/06

3320p9.us-south.cf.appdomain.cloud

OWA (Outlook) Phishing

23

17/06

202-2s.us-south.cf.appdomain.cloud

OWA (Outlook) Phishing

24

17/06

75568tg.us-south.cf.appdomain.cloud

Redirector to ID #25 & #26 (DHL)

25

17/06

876j.us-south.cf.appdomain.cloud

DHL Phishing

26

17/06

ki97890.us-south.cf.appdomain.cloud

DHL Phishing

27

17/06

849.us-south.cf.appdomain.cloud

Redirector to ID #28 & #29 (Generic)

28

17/06

0931.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

(2nd Variant)

29

17/06

t4032.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

(2nd Variant)

30

17/06

nd901.us-south.cf.appdomain.cloud

OWA (Outlook) Phishing

31

17/06

7482y3740.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

32

17/06

si309222.us-south.cf.appdomain.cloud

Redirector

 

Redirector ID #10 is the most interesting one, and we will use it as an example to showcase what is happening behind the scenes of these phishing attacks:

Figure 2: Traffic capture of the redirecting page

 

As can be seen in figure 2 – the redirector rotates between two subdomains, I am not overly familiar with IBM Cloud, but it’s possible that the attacker is leveraging some load balance functionality, or perhaps this is a simple server-side code which picks a subdomain to redirect the user to.

Figure 3: Redirector obfuscated code

 

The redirector contains some old school JavaScript obfuscation, using unescape and document.write. When decoded the following code is revealed:

Figure 4: Redirector de-obfuscated code

 

This code contains another old-school technique that uses window.location to redirect the browser to another URL. Let’s inspect the 2nd URL that we are being redirected to from the obfuscated script:

Figure 5: First variant of redirected page

 


Figure 6: Second variant of redirected page

 

As can be seen in figures 5 & 6, the obfuscated script redirects to another redirector, this time no obfuscation at all on the redirector, and the redirection is done with the content refresh meta header. The URL in both is completely the same except the subdomain, they both return the same HTML code which is the following:

Figure 7: Final phishing page – a generic webmail login

 

What so unique in this phishing attack you might ask yourselves?

First, the attackers leverage the IBM cloud platform to spread their phishing schemes, this lets them have the good reputation that the “appddomain.cloud” domain has, as it belongs to IBM cloud. Simply blocking or blacklisting this domain will cause many interruptions for end-users as this will break functionality; The same would happen if someone would decide to block Amazon AWS because someone used it once for malicious activities. Speaking of Amazon, during the final editing of this blog post, we spotted the same kit/actor on Amazon S3 URL:

hxxps://windowshost404902.s3-ap-southeast-1.amazonaws.com/secure/app.html

Figure 8: Obfuscated Redirector on AWS S3

 

The Actor is redirecting from AWS S3 to IBM Cloud, unfortunately, the phishing page has been removed already from IBM Cloud. Using the IBM cloud platform also gives the attackers a free signed SSL certificate from IBM:

Figure 9: A wildcard certificate from IBM

 

All those techniques and obfuscations let those phishing pages fly under the radar of most traditional web content filtering products:

Figure 10: VirusTotal scan result for this attack

 

Interestingly, Yandex Safe browsing detects those URLs as malicious, while Google safe browsing did not, but after further inspection, it looks like Yandex went with the blacklist approach:

Figure 11: VirusTotal Scan result of made-up URL

 

But there is no malicious content behind this subdomain:

Figure 12: Blacklisting is bad approach, this URL has legitimate content

 

Thus, whoever uses Yandex Safe browsing might experience warnings when browsing to servers hosted on IBM Cloud platform, regardless of whether or not those sites are malicious. We reported all of these URLs and hostnames to IBM and Amazon to allow them to clean the activity taking advantage of their service.

Trustwave SWG customers and Trustwave SEG customers using BTM are protected against this threat.

 

Appendix A:

IOCs:

URL

Type

Md5 Hash of HTML file

trxpres.us-south.cf.appdomain.cloud

Unknown Phishing Page

N/A

6645.us-south.cf.appdomain.cloud

DHL Phishing

N/A

67i.us-south.cf.appdomain.cloud

Redirector

e2f894c91f00b996dfaec9b9ef38730e

r0g.us-south.cf.appdomain.cloud

Redirector

36c60c159bddb1c31fa7acfe4708abfc

409k.us-south.cf.appdomain.cloud

Redirector

18312a8aa01501b15d8b4928c97ce989

039w.us-south.cf.appdomain.cloud

Redirector

bc54eb501f4e945859ae7d37fc85c0e9

w30.us-south.cf.appdomain.cloud

Redirector

a815e3930ef3c9bd90b0b531bddcce46

aa01011998.us-south.cf.appdomain.cloud

OWA Phishing

6b329b5264ca88ee4f8e0ad9157ff273

nd901.us-south.cf.appdomain.cloud

OWA Phishing

6b329b5264ca88ee4f8e0ad9157ff273

54009w.us-south.cf.appdomain.cloud

Rounduce Mail Phishing

9abbe9f68b80b1038e0b5dce44577d87

s4v01011998.us-south.cf.appdomain.cloud

N/A

N/A

es01011998.us-south.cf.appdomain.cloud

Redirector

0be30b49afeb96c7e03a606aa9dc63e8

ny01011999.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

b41f8fc6b2f6add8d0eb2787e03f89ec

cm01011986.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

b41f8fc6b2f6add8d0eb2787e03f89ec

nz01012003.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

df71d90e0af4d4c29aa978574d78d368

59038922k.us-south.cf.appdomain.cloud

Redirector

8d38a519f79c1af17b1aad10cbc78d55

ds49.us-south.cf.appdomain.cloud

EMS Phishing

4c7fc9eef965947dc5ed9373f5b53d66

rk940.us-south.cf.appdomain.cloud

EMS Phishing

4c7fc9eef965947dc5ed9373f5b53d66

darcy20192020.eu-gb.cf.appdomain.cloud

Generic Web Mail Phishing

175062a8b5731ff773a859026b4ba325

3094g3.us-south.cf.appdomain.cloud

Redirector

118c708819ab9853a0efab718ec92c83

278302p.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

5d85f6b30a9422f0c0877a25ce55a820

7482y3740.us-south.cf.appdomain.cloud

Generic Web Mail Phishing

5d85f6b30a9422f0c0877a25ce55a820

windowshost404902.s3-ap-southeast-1.amazonaws.com/secure/app.html

Redirector

458ac4a8acaea55f72deac2c52ed0f18

vfxtownhost3092.eu-gb.cf.appdomain.cloud

Unknown Phishing Page

N/A

fg675.us-south.cf.appdomain.cloud

Redirector

b373ca3b552b4b0ffb75478be9732fd9

3320p9.us-south.cf.appdomain.cloud

OWA Phishing

ccf40c8102b86218cd2fa8309fc921d2

202-2s.us-south.cf.appdomain.cloud

OWA Phishing

ccf40c8102b86218cd2fa8309fc921d2

75568tg.us-south.cf.appdomain.cloud

Redirector

5c5f3b9a121d974f4f6e19a3bf7abba5

876j.us-south.cf.appdomain.cloud

DHL Phishing

ca7ef15a437b65c7484721670b765bac

ki97890.us-south.cf.appdomain.cloud

DHL Phishing

ca7ef15a437b65c7484721670b765bac

849.us-south.cf.appdomain.cloud

Redirector

a2e0d9e988015e4cf5bd7696fc358ed4

0931.us-south.cf.appdomain.cloud

Generic Web Mail Phishing (2)

fae9ff614bb67d5eac6c747ba8f59773

t4032.us-south.cf.appdomain.cloud

Generic Web Mail Phishing (2)

fae9ff614bb67d5eac6c747ba8f59773

si309222.us-south.cf.appdomain.cloud

Redirector

7428e20dd4c8ae62d5a3e35a3fe8abef

Note: we do not recommend blocking the IP addresses those subdomains resolve to.