Aug 16, 2020
Vairav Technology has uncovered a Microsoft Office 365 phishing campaign that uses spoofed sender addresses and has targeted more than 600 organizations worldwide.
We have been monitoring cyber threats involving Nepal, whether Nepali organizations are targeted by phishing email or Nepali domains are used to host phishing sites. This time we discovered a massive phishing campaign targeting not only Nepali banking and financial institutions but also Fortune 500 companies, government agencies and financial institutions all over the world.
In this blog, we explore the ongoing phishing campaign that has been targeting Microsoft Office 365 users.
This phishing campaign can be summarized as follows:
Before diving into the details of the phishing campaign, it is important to note two things.
First, although this recent version of the campaign targeted corporate and large financial users of Microsoft's Office 365 service, the same approach could be used to ensnare users of many other cloud service providers. Second, this is not a new type of attack; what stands out is the scale of the campaign.
Still, this phishing technique is worth highlighting because the resulting compromise is persistent and well crafted, and it seems likely that this approach will be used more frequently in the future.
The email was fabricated as an Office 365 password reset notice, with a link pointing to a spoofed, company-specific Office 365 sign-in page that looked realistic enough to trap users and ultimately steal their credentials.
We analyzed the malicious URL embedded in the email and found that it redirected through multiple Office 365-themed phishing pages (see the page links in the IOC section).
Initially, the phishing page reports "Incorrect Password"; re-entering the password redirects the victim to the official Microsoft Office website, whose URL is carried as a base64-encoded parameter. Base64 is an encoding, not encryption, so decoding these values yields plain text, and in this case it reveals only basic information such as the redirect target.
Retrieving the headers of the crafted links returns HTTP status code 302, which indicates that the requested resource has been temporarily moved to the URL given in the Location header. The redirect is produced by poisoning the compromised site's .htaccess file, Apache's per-directory configuration file, which is a popular technique for bouncing targets to phishing pages. In this case:
[removed] / //hXXps://mgwproductions.com/meh/?08909598527009&email=/
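The hop-by-hop analysis described above, as an added example that is not part of the original write-up: it follows 302 redirects one at a time (so every intermediate Location header is recorded instead of being swallowed by an auto-following client) and decodes any base64-looking query value at each hop, which is how this kit carries the final Office 365 redirect target. The fetch function is injected so a captured chain can be replayed offline; the hostnames and the SAMPLE_CHAIN below are constructed for illustration and do not belong to the campaign.

```python
"""Walk a phishing redirect chain one hop at a time and decode base64 URL parameters.

Added example; not code from the Vairav write-up. SAMPLE_CHAIN and its
hostnames are constructed. Standard library only.
"""
import base64
import binascii
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urljoin, urlsplit

Response = Tuple[int, Dict[str, str]]   # (status code, response headers)
Fetcher = Callable[[str], Response]
REDIRECT_CODES = (301, 302, 303, 307, 308)


def try_b64decode(value: str) -> Optional[str]:
    """Return decoded text if `value` is printable base64, else None.

    Query parsing turns '+' into a space, so restore it before decoding,
    and tolerate stripped '=' padding, which kits often drop.
    """
    candidate = value.replace(" ", "+")
    candidate += "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if len(text) >= 4 and text.isprintable() else None


def follow_chain(start: str, fetch: Fetcher, max_hops: int = 10) -> List[dict]:
    """Follow redirects hop by hop and return one record per hop.

    Stops on a non-redirect status, a missing Location header, a loop,
    or after max_hops, since some kits bounce indefinitely.
    """
    hops: List[dict] = []
    seen = set()
    url = start
    while len(hops) < max_hops:
        if url in seen:
            hops.append({"url": url, "status": None, "decoded_params": {},
                         "note": "redirect loop"})
            break
        seen.add(url)
        status, headers = fetch(url)
        params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        decoded = {k: try_b64decode(v) for k, v in params}
        hops.append({"url": url, "status": status,
                     "decoded_params": {k: v for k, v in decoded.items() if v}})
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)   # Location may be relative
    return hops


FINAL_TARGET = "https://www.office.com/"
ENCODED_TARGET = base64.b64encode(FINAL_TARGET.encode()).decode()

# Constructed replay of a three-hop chain (illustrative hostnames only).
SAMPLE_CHAIN: Dict[str, Response] = {
    "http://compromised-site.example/wp-includes/x.php":
        (302, {"Location": "https://phish-kit.example/meh/?08909598527009&email=/"}),
    "https://phish-kit.example/meh/?08909598527009&email=/":
        (302, {"Location": "/login/?r=" + ENCODED_TARGET}),
    "https://phish-kit.example/login/?r=" + ENCODED_TARGET:
        (200, {"Content-Type": "text/html"}),
}


def replay_fetch(url: str) -> Response:
    """Offline fetcher backed by SAMPLE_CHAIN; unknown URLs return 404."""
    return SAMPLE_CHAIN.get(url, (404, {}))


def live_fetch(url: str) -> Response:
    """Fetch a single hop over the network without auto-following redirects.

    Standard library only; run it from an isolated analysis host.
    """
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # surface 3xx as HTTPError instead of following

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    for hop in follow_chain("http://compromised-site.example/wp-includes/x.php", replay_fetch):
        print(hop["status"], hop["url"], hop["decoded_params"])
```

Swap `replay_fetch` for `live_fetch` to walk a real chain; the loop guard and hop cap matter there because a kit that has already been taken down often answers with a redirect back to itself.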
Moreover, submitting the IP address to VirusTotal reveals 180 domains (so far) resolving to it, with a familiar pattern: the signature letters "sg" in front of the targeted organization's name.
We have recorded 600+ redirecting subdomains across 42 compromised websites, targeting companies such as Nestle, Microsoft and Coca-Cola as well as government agencies, food and beverage, health technology, financial technology, banking and financial institutions, consumer products, medical device manufacturers, county councils, IT service providers, oil and gas, media houses, e-commerce, a national laboratory (nuclear energy research and development), business process outsourcing and education technology.
While hunting down the compromised websites, we also found an open directory (opendir) containing a .zip file that is in fact the phish kit. The kit includes a mass-mailer web application written in PHP that we suspect was used in this campaign.
Since the campaign is ongoing, targets multiple organizations and relies on compromised websites, the IP addresses and domains in the following indicators of compromise should be blocked to minimize its impact.
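A hunting rule for the naming pattern described above, as an added example that is not part of the original write-up: it flags DNS queries whose leftmost label is "sg" followed by a watched organization's name, and, generalizing from the registered lookalikes in the IOC list further down (auth-dashboard<hex>, myloginapp<hex>, app-loginsecure<hex>), it also flags registrable domains that combine login vocabulary with a long hexadecimal tail. The organization list, the log format and the log lines are constructed; the ".example" hostnames are placeholders.

```python
"""Hunt DNS/proxy logs for the campaign's subdomain and lookalike-domain patterns.

Added example; not code from the Vairav write-up. WATCHED_ORGS, the log
format and SAMPLE_DNS_LOG are constructed.
"""
import re
from typing import Dict, List, Optional

# Organizations to watch, lower-case, no spaces (constructed sample).
WATCHED_ORGS = ["nestle", "cocacola", "microsoft", "examplebank"]

# Vocabulary seen in the registered lookalikes, plus a 12+ char hex tail.
LOGIN_WORDS = ("auth", "login", "dashboard", "secure", "messages", "app")
HEX_TAIL = re.compile(r"[0-9a-f]{12,}$")


def sg_prefixed_org(hostname: str, orgs=WATCHED_ORGS) -> Optional[str]:
    """Return the org name if the leftmost label is 'sg' + <org>, else None.

    A bare 'sg' label (e.g. sg.gov.example) is not a match: the body after
    the prefix must start with a watched organization name.
    """
    first_label = hostname.lower().split(".")[0]
    if not first_label.startswith("sg"):
        return None
    body = first_label[2:]
    for org in orgs:
        if body.startswith(org):
            return org
    return None


def hex_tail_lookalike(hostname: str) -> bool:
    """True for lookalikes such as auth-dashboard<hex>.com.

    Crude registrable-label pick (second label from the right); good
    enough for .com-style names, not for two-label TLDs like .co.uk.
    """
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return bool(HEX_TAIL.search(sld)) and any(w in sld for w in LOGIN_WORDS)


# Constructed DNS-log lines: "<timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2020-08-14T09:12:01Z 10.0.4.17 sgnestle.compromised-site.example
2020-08-14T09:12:07Z 10.0.4.17 www.nestle.example
2020-08-14T09:13:44Z 10.0.9.2 sgcocacola.another-site.example
2020-08-14T09:14:02Z 10.0.9.2 auth-dashboard0123456789abcdef.example
2020-08-14T09:15:30Z 10.0.1.5 sg.gov.example
2020-08-14T09:16:11Z 10.0.1.5 mail.examplebank.example
"""


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches either heuristic."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # skip malformed or blank lines
        ts, client, qname = parts
        org = sg_prefixed_org(qname)
        if org:
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "reason": f"sg-prefixed subdomain for {org}"})
        elif hex_tail_lookalike(qname):
            findings.append({"ts": ts, "client": client, "qname": qname,
                             "reason": "login-word + hex-tail lookalike domain"})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f["ts"], f["client"], f["qname"], "->", f["reason"])
```

The "sg" check is deliberately restricted to the leftmost label, because the campaign places the prefix on subdomains of compromised sites; matching anywhere in the name would fire on every organization whose own domain happens to start with those letters.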
usdbcentre[.]net
lazoo[.]in
reallaunchers.co[.]in
mgwproductions[.]com
memoryvita[.]in
tambahtujuh[.]com
www.falkonnartifacts[.]de
reisulpremoldados.com[.]br
tambahsayang[.]com
afoola[.]com
pharmateam[.]co
andaibisakutahan[.]com
pradaphoebe[.]com
strudellimb[.]com
sventhiessen[.]com
conexaogoias[.]com
pienzo[.]net
oldsomerbypc.co[.]uk
sigonauthdashboard-92874hdj[.]com
hoyongesbuah[.]com
auth-dashboard587144ceb8006f445300350dde2a6c43[.]com
myloginapp1acd76bcf62b16ace[.]com
authlogink7843503409i7345092[.]com
app-loginsecurebdaf9798c16d8c8d05e57f0b4b475092[.]com
viewmessages1e311585dda01ddbd1c8f2a9e1c7a35f[.]com
dashboard-authd6bec68c5352736[.]com
kkpgilbertrelydanrekan[.]com
toyotajtb[.]id
masilplas[.]pt
invisionagency[.]co.ke
adams-tech[.]net
realprofits2u[.]com
hayoangkat[.]com
architame[.]com
lalusantai[.]com
falkonnartifacts[.]de
realbuzzadz[.]com
kavinproducts[.]com
166.62.92[.]48
143.95.236[.]7
162.241.149[.]224
52.147.196[.]61
104.45.198[.]58
162.241.121[.]186
149.56.42[.]73
3.82.182[.]253
104.223.83[.]77
143.95.147[.]158
143.95.243[.]192
141.8.224[.]93
185.53.59[.]4
62.28.133[.]6
167.250.49[.]16
103.250.186[.]101
162.241.149[.]21
hydrojall[.]com
vinayaklawcollege[.]com
skybluetouch[.]com
whsclub[.]com
polexi[.]com
infinitydonation[.]com
ethgoldcoin[.]com
thegiftcardcentral[.]com
hotelclub[.]ng
flamingoesportes.com[.]br
abuson[.]com
arteconchas.com[.]br
andturturismo.com[.]br
assistencialpaxsantana.com[.]br
uqsi.com[.]ve
btacontadores[.]com
ecodominio[.]site
materialesamg[.]com
mundokimport[.]com
drrondonpediatra[.]com
segurosinternacionales[.]org
acvoassessoria.com[.]br
boliynslogistics[.]com
libralawoffice[.]com
tidakselalu[.]com
dollarworldinc[.]com
indian-roots[.]in
thexpercussion[.]com
lavanderiamaeda.com[.]br
hoyonggehupedas[.]com
engage.co[.]tz
caranoprints[.]com
esylife[.]online
g2g.ind[.]in
in-pt[.]com
joelvaz[.]com
dukadeals[.]com
digitalbizcards[.]in
fidnos[.]com
thehappyindia[.]com
infinityvine[.]co
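Turning the defanged list above into something a blocklist can consume, as an added example that is not part of the original write-up: the published list mixes defanging styles ([.] and {.}), contains an IP that was not defanged, and repeats a few entries, so feeding it straight into a filter would miss or duplicate items. This refangs each line, separates IPs from domains, dedupes, and provides a matcher that also catches subdomains of a listed domain (the campaign's "sg<org>" hosts live under compromised sites). IOC_TEXT is a constructed subset of the published list that reproduces its quirks.

```python
"""Normalise a defanged IOC list into a deduplicated, matchable blocklist.

Added example; not code from the Vairav write-up. IOC_TEXT is a constructed
subset of the list published above. Standard library only.
"""
import ipaddress
import re
from typing import Dict, Set

# Constructed subset of the published IOCs, keeping their defanging quirks.
IOC_TEXT = """
usdbcentre[.]net
mgwproductions{.}com
www.falkonnartifacts[.]de
strudellimb[.]com
strudellimb[.]com
143.95.243.192
143.95.243[.]192
162.241.149[.]224
auth-dashboard587144ceb8006f445300350dde2a6c43[.]com
falkonnartifacts[.]de
"""

DEFANG = re.compile(r"\[\.\]|\{\.\}|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(token: str) -> str:
    """Turn a defanged host or URL back into its real form (hXXp -> http)."""
    token = DEFANG.sub(".", token.strip())
    return re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a defanged list into deduplicated sets of IPs and domains."""
    iocs: Dict[str, Set[str]] = {"ips": set(), "domains": set()}
    for line in text.splitlines():
        line = refang(line).lower()
        if not line or line.startswith("#"):
            continue
        # Accept bare hosts or full URLs; keep only the host part.
        host = re.sub(r"^https?://", "", line).split("/")[0]
        try:
            ipaddress.ip_address(host)
            iocs["ips"].add(host)
        except ValueError:
            iocs["domains"].add(host)
    return iocs


def is_blocked(host: str, iocs: Dict[str, Set[str]]) -> bool:
    """True if host is a listed IP or domain, or a subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    if host in iocs["ips"] or host in iocs["domains"]:
        return True
    return any(host.endswith("." + d) for d in iocs["domains"])


def to_hosts_file(iocs: Dict[str, Set[str]]) -> str:
    """Render the domains as hosts-file sinkhole lines, one per domain."""
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(iocs["domains"]))


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    print(f"{len(parsed['ips'])} IPs, {len(parsed['domains'])} domains")
    print(to_hosts_file(parsed), end="")
```

One caveat before pushing the IP addresses into a firewall: most of the listed hosts are compromised legitimate websites on shared hosting, so an IP block can take unrelated sites down with them. Blocking at the domain level, and treating the IPs as hunting indicators, is usually the better trade-off.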