Yara hunting phishing samples

    So, I made a yara rule a while back based on some suspicious phishing nonsense I found in some open (unauthenticated + file directory listing enabled) cloud storage buckets. I decided only recently to see if I could do some public hunting with these. One possibility was on hybrid analysis. After just a few days, I have 9 detections already found. 

    The YARA rule is hosted on my github (https://raw.githubusercontent.com/ferasdour/SpecialYaraRules/refs/heads/main/Bucket%20Phishing%20Kits.yar) but basically it's like this (notations added for this post):

rule phishingKits3 {
   meta:
      description = "PhishingKits3: This was found in multiple phishing kits hosted on open/unauthenticated S3 buckets."
      author = "ferasdour"
   strings:
      $s1 = "https://ajax.googleapis.com/ajax/libs/jquery/" ascii // adds jquery
      $s2 = "https://code.jquery.com/jquery-" ascii // several veriants of jquery uesd but counting this version too
      $s3 = "window.location.hash.substr(" ascii // Grabs the url part after "#"
      $s4 = ".substr((" ascii // pulls substring including another bracketed section
      $s5 = ").click(function(event" ascii // looks for click function
      $s6 = "Please try again later" ascii // Junk data that seems to be put in to avoid detection
      $r1 = /url:(\s)\Shttps:\/\/.[a-zA-Z0-9-_.]{6,200}/is // url that the data is sent to xhr request
      $r2 = /type:(\s|\s')POST',/is // post xhr request
      $s7 = "email:" ascii // grabs email
      $s8 = "password:" ascii // grabs password
      $s9 = "btn').html('" ascii // button html change
      $header = { (0d 0a | 20 0d 0a 0d 0a | 3c 21 44 4f ) } // looks for specific option of first line headers
   condition:
       $header at 0 and 6 of ($s*) and all of ($r*)  // headers at start of page and 6 of the strings and both regexes
}

    The results according to hybrid analysis:



And for the content of the found samples?



    When I clicked "view more" is broke, so that's sort of concerning:



    Downloading for myself and reviewing, here's the key part, which showcases that the form filled out checks if the email entered appears to be "a valid email" then says it doesn't exist if it fails. 


    Which matches the expected problems, so the detection is definitely working as expected. That's good. The fact that clicking "view more" on hybrid analysis broke on this is concerning and I'll be reporting that after writing this.

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.

Comments

Post a Comment

Popular Posts

pyscript, nim, aaaaand go

Image
     Just wanted to drop some stuff over what I've been playing with lately. Please be aware, tools and links described here might be or be able to be used maliciously, don't click or run things without understanding them. Much of the code referenced here can be found on github . Pyscript      To start with, I found the latest version of pyscript and couldn't really think of anything to do with it, outside of visualizations for web interface, or making integrations with jypyter widgets a little different without learning javascript. So I went a different route. In case anyone isn't aware, pyscript is intended to go along side pyodide or micropython (web versions of python) to leverage python programming inside a web page (loading these as javascript modules with fun little interface features). There is a wide range of examples (https://pyscript.com/@examples) and even an online ide (coding environment) to play with.     That's where I came in, af...
Read more

ISP Routing Hell

Image
Weird Routes?  History:      So I wasn't really sure how to start this post, but I guess some back story. Many in the IT world know consumer ISPs (internet service providers) like ATT, Comcast, Charter (now spectrum), all have a weird history of "you can't prove there's a problem because we don't escalate it properly, now you're stuck with this while we replace your router 200 times because it can't be on us" sort of problems. I switched to spectrum because in my area its the only non-att fiber lines, and ATT couldn't tell me why my router had an ssh server listening on it. They couldn't think it was compromised or could be compromised, they couldn't tell me anything they just replaced it. Then replaced it again. Then again. After 2 years of doing that, I just had enough. Later that year after leaving ATT, https://en.wikipedia.org/wiki/Salt_Typhoon . But sadly, despite my contempt for ATT by this point, this post isn't about them. More ...
Read more

DNS-Rebinding and such

      What started off as an interesting read on how DNS rebinding attacks work, and how they're leveraged to scan internal networks. The high level gist of the scenario is that if you have multiple A records, or the ability to rapidly change A records during someone's visit to a page, you can cause them to run push requests to other pages. This may include things like scanning a web-page visitor's local network, or replaying known addresses (maybe due to public dns resolving internal addresses) there is potential for attempting things like xss to steal credentials. Since it's the same domain being resolved, the browser often won't have any issue attempting requests.     Now, what this turned into was my general thought of "I've seen attacks before where people used webrtc, wasm, flash, vbs, etc... to port scan a network, I wonder if you could just use javascript targeting subdomains of other websites that have sub-domains pointing to private ips. This woul...
Read more