xorl %eax, %eax

Threat Intelligence: Phishing kits anti-detection


In my past posts I described a few common techniques used by phishing kit authors to evade detection. This is becoming more and more common among popular phishing kits. Here I will present a few very common techniques that I came across lately.

The first one is the common anti-detection based on the client’s details such as originating IP address, user-agent string, domain name, etc. I have seen a few references by phishing kit authors describing these with the slang terms “antiboots” and “antibot”. You can see an example of such a file below.

<?
// Reverse-resolve the visitor and serve a fake 404 to anyone whose PTR record
// names a security vendor, a cloud or crawler provider, or a Tor exit node.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^64.71.*.*", "^206.207.*.*", "^207.70.*.*", "^209.19.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "68.65.53.71", "^198.25.*.*", "^64.106.213.*");
// Note: in_array() only matches an entry that literally equals the address; the
// entries are then run as regexes with the dots left unescaped, so for example
// "^64.18.*.*" also matches 64.180.x.x and the lists block more than intended.
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
    header('HTTP/1.0 404 Not Found');
    exit();
} else {
    foreach($bannedIP as $ip) {
        if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
            header('HTTP/1.0 404 Not Found');
            die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
        }
    }
}
?>
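
As an added example (my own Python, not the kit's or this post's code), the following replays the gate above against a constructed pool of scanner egress addresses, so a defender can check in advance which of their networks a kit carrying such lists would still serve real content to. The word and pattern lists are a short excerpt of the ones shown; the pool, its reverse DNS names and the 203.0.113.0/24 "clean" range are assumptions.

```python
import re
from typing import Optional

# Excerpt of the kit's "antibot" lists shown above (the real lists are longer).
BLOCKED_WORDS = ["google", "amazonaws", "phishtank", "tor-exit", "cyveillance"]
BANNED_IP_PATTERNS = ["^66.102.*.*", "^74.125.*.*", "^64.18.*.*",
                      "^46.116.*.* ", "68.65.53.71"]


def kit_would_block(remote_addr: str, rdns_hostname: str) -> Optional[str]:
    """Replay the kit's gate: return why it would answer 404, or None if served.

    Mirrors the PHP faithfully, quirks included: substr_count() is case
    sensitive; in_array() only hits an entry that literally equals the address;
    preg_match() runs each entry as a regex with '.' unescaped, so '^64.18.*.*'
    also catches 64.180.0.0/16, while an entry with a trailing space (present
    in the original list) can never match a real address.
    """
    for word in BLOCKED_WORDS:
        if word in rdns_hostname:              # substr_count($hostname, $word) > 0
            return f"hostname contains {word!r}"
    if remote_addr in BANNED_IP_PATTERNS:      # in_array($_SERVER['REMOTE_ADDR'], ...)
        return "address listed verbatim"
    for pat in BANNED_IP_PATTERNS:             # preg_match('/' . $ip . '/', ...)
        if re.search(pat, remote_addr):
            return f"address matches {pat!r}"
    return None


def usable_egress(pool: dict) -> list:
    """Keep only the {egress_ip: reverse_dns} entries the kit would serve."""
    return [ip for ip, host in pool.items() if kit_would_block(ip, host) is None]


if __name__ == "__main__":
    # Constructed scanner pool; gethostbyaddr() returns the bare IP when there
    # is no PTR record, and 203.0.113.0/24 stands in for a "clean" network.
    pool = {
        "74.125.200.1": "host.example-cloud.net",      # blocked: IP pattern
        "192.0.2.7": "crawl-192-0-2-7.googlebot.com",  # blocked: rDNS keyword
        "64.180.9.9": "64.180.9.9",                    # blocked: unescaped dot
        "46.116.1.1": "46.116.1.1",                    # served: trailing space
        "203.0.113.9": "203.0.113.9",                  # served: clean
    }
    for ip, host in pool.items():
        print(f"{ip:14} {kit_would_block(ip, host) or 'served'}")
    print("usable:", usable_egress(pool))
```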

The above means that as an organization you need some “clean” networks, not associated with your organization, from which you run your phishing detection engines. But this is not the only technique: another common one employed by many phishing kit authors is to embed the static content of the target page in Base64 encoded form, as shown below.

  <div class='dialog'>
    <a><img src='data:image/png;base64,...
  ... skipping ...
  </div>

This means that if your detection engine relies on callback images or fetched static content, it is very likely that it will not detect those phishing pages. Additionally, I have identified numerous phishing kits that do not target credentials only but are after OAuth2 tokens too. This means that you have to tune your systems to support this attack scenario as well. Finally, I have identified at least two separate phishing kits which deliver the content AES encrypted along with a JavaScript implementation of AES that does the decryption during client-side execution.

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
/*  AES implementation in PHP                                                                     */
/*    (c) Chris Veness 2005-2014 www.movable-type.co.uk/scripts                                   */
/*    Right of free use is granted for all commercial or non-commercial use under CC-BY licence.  */
/*    No warranty of any form is offered.                                                         */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

Class Aes
{
    /**
     * AES Cipher function [§5.1]: encrypt 'input' with Rijndael algorithm
     *
     * @param input message as byte-array (16 bytes)
     * @param w     key schedule as 2D byte-array (Nr+1 x Nb bytes) -
     *              generated from the cipher key by keyExpansion()
     * @return      ciphertext as byte-array (16 bytes)
     */
    public static function cipher($input, $w)
    {
    ... skipping ...

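As an added example (my own Python, not this post's or any kit's code), here is one way to keep detecting a cloned page when its images are inlined as Base64 data: URIs, as in the dialog fragment above, instead of being fetched from the brand's servers: extract the data: URIs, decode them and hash-match the bytes against the brand's own assets. The brand asset and the page fragment are constructed stand-ins.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Constructed stand-in for the genuine brand asset (a fake 16-byte "PNG");
# assumption: in practice this set is built from the real site's image files.
BRAND_ASSETS = {"brand-logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8}
BRAND_HASHES = {hashlib.sha256(b).hexdigest(): n for n, b in BRAND_ASSETS.items()}

class InlineImageParser(HTMLParser):
    """Collect every data: URI found in src/href attributes of the fetched page."""
    def __init__(self):
        super().__init__()
        self.data_uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.startswith("data:"):
                self.data_uris.append(value)

def decode_data_uri(uri: str):
    """Split 'data:<mime>[;params][;base64],<payload>' into (mime, raw bytes)."""
    header, _, payload = uri[len("data:"):].partition(",")
    mime, *params = header.split(";")
    if "base64" in params:
        return mime, base64.b64decode(payload)
    return mime, unquote_to_bytes(payload)   # percent-encoded (non-base64) form

def find_inline_images(html: str) -> list:
    """Hash each inline image and look it up against the brand's own assets."""
    parser = InlineImageParser()
    parser.feed(html)
    findings = []
    for uri in parser.data_uris:
        mime, data = decode_data_uri(uri)
        if not mime.startswith("image/"):
            continue                         # e.g. data:text/html payloads
        digest = hashlib.sha256(data).hexdigest()
        findings.append({"mime": mime, "bytes": len(data), "sha256": digest,
                         "match": BRAND_HASHES.get(digest)})
    return findings

# Constructed fragment shaped like the kit's dialog: inlined logo, unknown image, non-image link.
SAMPLE_HTML = ("<div class='dialog'><a><img src='data:image/png;base64,"
               + base64.b64encode(BRAND_ASSETS["brand-logo.png"]).decode()
               + "'></a><img src='data:image/gif;base64,"
               + base64.b64encode(b"GIF89a\x01\x00").decode()
               + "'><a href='data:text/plain,not-an-image'>x</a></div>")
```

A match on the brand's logo hash inside a page hosted outside the brand's own domains is the signal this approach produces, with no dependency on the page calling back to you.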
Phishing has remained the top intrusion method for the past couple of years. Make sure that you adapt and combat it effectively. I hope that the above information was useful to some defenders.

Written by xorl

February 20, 2018 at 09:59
