Franken-phish: TodayZoo built from other phishing kits
Microsoft Security Blog, October 21, 2021 (last modified June 26, 2023)
https://www.microsoft.com/en-us/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/
A phishing kit built from pieces of code copied from other kits, some of them available for sale from publicly accessible scam sellers and others reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today. We uncovered this phishing kit while examining an extensive series of credential phishing campaigns that all sent credentials to a set of endpoints operated by the attackers.

We named the kit “TodayZoo” because of its curious use of these words in its credential harvesting component in earlier campaigns, likely a reference to phishing pages that spoofed a popular video conferencing application. Our prior research on phishing kits told us that TodayZoo contained large pieces of code copied from widely circulated ones. The copied code segments even retain the comment markers, dead links, and other holdovers from the previous kits.

Today’s phishing attacks operate on a landscape fueled by an evolved service-based economy filled with efficient, reliable, and profitable offerings. Attackers who wish to launch a phishing campaign may rent their resource and infrastructure needs from phishing-as-a-service (PhaaS) providers, who do the legwork for them. Alternatively, they can make a one-time purchase of a phishing kit that they can “plug and play.”

That’s not to say that attackers who build their kits from the ground up are at a disadvantage. If anything, the abundance of phishing kits and other tools available for sale or rent makes it easy for a lone wolf attacker to pick and choose the best features from these kits. They put these functionalities together in a customized kit and try to reap the benefits all for themselves. Such is the case with TodayZoo: because of the consistency in the redirection patterns, domains, and other tactics, techniques, and procedures (TTPs) of its related campaigns, we believe that the actors behind it came across an old phishing kit template and replaced the credential harvesting part with their own exfiltration logic to make TodayZoo solely for their nefarious purposes.

Since the first observed instances of the TodayZoo phishing kit last December, large email campaigns leading to it have continued without significant pause. Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure that Microsoft Defender for Office 365 effectively protects customers from these campaigns.

Microsoft tracks unique phishing kits, phishing services, and other components used in phishing to better protect customers from malicious emails at a larger scale. Combined with our monitoring of individual credential campaigns and the latest evasion techniques, our research into kits and services gives us a better understanding of the structure of phishing email messages. Such threat intelligence and insights, in turn, feed into our protection technologies, such as Defender for Office 365 and Microsoft 365 Defender.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits identified through a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.

What’s in a kit?

A “phishing kit” or “phish kit” can refer to various parts of a set of software or services meant to facilitate phishing. The term most commonly refers to an archive file containing images, scripts, and HTML pages that enable an attacker to quickly set up an undetectable phishing page and collect credentials through it. However, “phishing kit” can also refer specifically to the unique page itself that spoofs a brand, interacts with a user, collects the user’s credentials, and posts them to an asset the attacker owns.

Phishing kits are generally split into the following major components based on function: imitation, obfuscation, and credential harvesting. These components are all present in the TodayZoo phishing kit, which we discuss in the following sections.

Breaking down a TodayZoo-based phishing campaign

The use of the TodayZoo phishing kit was first seen in December 2020. Then, in March 2021, we observed a series of phishing campaigns abuse the AwsApps[.]com domain to send the email messages that eventually directed users to the final landing pages, which led us to examine the kit more closely. As of this writing, we have notified Amazon about the abuse of their domain, and they promptly took action.

The attackers created malicious accounts at scale. Initially, the sender emails appeared with randomly generated domain names such as wederfs76y3uwedi3uy89ewdu23ye87293eqwhduayqw[.]awsapps[.]com. This contrasts with legitimate emails—and even some spoofed phishing ones—where the subdomain would represent a company hostname.

The email message itself was relatively simple: it impersonated Microsoft and leveraged a zero-point font obfuscation technique in an attempt to evade detection. For example, in the early iterations of their campaign, the attackers used <ins></ins> tags to insert the date of the message invisibly every few characters, as shown below:

Figure 1. Example of zero-point font obfuscation to insert the date into the HTML code of the email message

The social engineering lures in the message body changed repeatedly over the months. Campaigns in April and May used password reset lures, while the more recent campaigns in August leveraged fax and scanner notifications.

Figure 2. Example of an email lure leading to the TodayZoo phishing kit

Regardless of the lure, the following attack chain is consistent, with initial and secondary redirectors, a final landing page, and a credential harvesting page. Below is a sample of TodayZoo’s attack chain URLs:

The initial and secondary URLs are either compromised or attacker-created sites and serve as redirectors to funnel the more extensive set of URLs used in the emails to the final landing page where the phishing kit is hosted. The initial URL used infinite subdomains, a previously discussed technique that allows attackers to use a unique URL for each recipient while only purchasing or compromising one domain. The initial URL was also malformed, consisting of multiple forward slashes at the demarcation of the path, and carried the secondary URL encoded along with the recipient’s email address.

In almost every instance of the TodayZoo-based campaign we’ve seen, the final landing page is hosted with the service provider DigitalOcean. This page bears a few tangible differences from a standard Microsoft 365 sign-in page. Notably, its appearance has not substantially changed from the start of the year to the time of publication of this blog. This lack of change is because, despite the numerous changes in the delivery method, lures, and sites used as indicators of attack (IOAs), the TodayZoo kit stayed nearly identical, with only a few strings changing.

Figure 3. An example of TodayZoo’s fake sign-in page in August 2021

The TodayZoo kit had little in the way of an obfuscation component: the landing page’s source code plainly revealed where the stolen credentials would be exfiltrated, which was another compromised site with a path ending in TodayZoo.php. Typically, credential harvesting pages process the credentials and forward them to additional email accounts owned by sellers or purchasers of the kit for collection later. It’s unusual for campaigns to store the credentials locally on the site itself.

Figure 4. An excerpt from the TodayZoo HTML source depicting credential exfiltration

It should be noted that, based on our analysis, the file name TodayZoo.php appears to be derived from a previous version of the phishing kit whose credential processing page ends in Zoom.php. That version also has markers like “Today Zoom Meetings,” indicating that it was initially targeting users of a popular video conferencing application.

The succeeding TodayZoo-based campaigns follow the attack kill chain pattern and source code discussed above. While TodayZoo.php was used for the first few months of operation, the most recent harvesting pages have kept the word “today” but now may use vcoominctodayq.php instead.

The attackers have also moved from abusing a single legitimate mailing service to compromising mailing service accounts for their email campaigns. However, they maintain specific leftover character patterns in their URL paths and subdomains that work together with the other TTPs described.

Typically, phishing kits that are resold or reused show indicators of multiple actors using them through the email campaigns they generate. For example, these campaigns will have varying redirection techniques and hosting domains for their final landing pages. In the case of TodayZoo, as previously mentioned, there is consistency in the patterns, domains, and TTPs of the related campaigns. While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively used the same email campaign patterns, and those email campaigns only ever surfaced TodayZoo kits. This leads us to believe that the actors behind this specific TodayZoo implementation are operating on their own.

Piecing the puzzle

Within the source code of the TodayZoo landing page we analyzed, there were several static references at the very start to external sources. Generally, these external links help a phishing kit properly imitate the login page and other branding elements of the site it is spoofing. However, in TodayZoo’s case, many of these site connections were “dead links” and did not serve a relevant function within the page. Littered throughout the source code as well were various markers like <!-- FORM 1111111111111111 --> and <!-- FINISHHHHHHHHHHHHHHHHHHHHH -->. Some portions of the source code also used multiple languages in different sections, giving clear indications of which ones had been replaced.

Upon further investigation, we identified the dead links and markers as holdovers from many other commoditized kits available for free or for purchase. We then compared TodayZoo with other phishing kits we had analyzed previously and found that these kits also contained references to sites like Dancevida[.]com but had different code blocks for their obfuscation or credential harvesting components.

Figure 5. An excerpt from a TodayZoo landing page source code referencing DanceVida[.]com

The DanceVida connection

“DanceVida” is more of a code block than a full-fledged phishing kit. As such, kits that use DanceVida are rather diverse in their delivery, lures, and location, because they are directly for sale on various forums under kit-naming schemas, as well as under a wider variety of landing page templates, including document download pages. Most of the credentials that the DanceVida-based kits’ harvesting pages gather are exfiltrated to accounts on free email services, such as Gmail, Yahoo!, and Yandex.

One of the more notable kits that also references DanceVida and shares components with what we observed in the TodayZoo credential phishing campaigns is “Office-RD117,” which is related to an online seller known as “Fud Tool.” This seller also offers other phishing kits and email and SMS delivery tools on various forums and other websites.

Figure 6. Screenshot of the now-defunct Fud Tool website from the Wayback Machine Internet Archive

It is interesting to note that when analyzing the Office-RD117 kit, we also saw signatures from multiple sellers within its packaged resources. There are also instances of dead links, such as a reference to a GitHub account that was live for less than a day in January 2020 (the reference is still carried over into kits online as of this writing). This goes to show that even commercially available phishing kits reuse and repurpose elements from other ones. Such mixing and matching also makes it quite challenging to determine where one kit ends and another begins.

Comparing TodayZoo with DanceVida and other kits

In the case of TodayZoo, we observed that its implementations only match the larger superset of kits referencing DanceVida at about 30-35%. As seen in the figures below, which compare a TodayZoo sample with a randomly selected DanceVida sample, both initially have similar structure and pieces of code until TodayZoo deviates in the credential harvesting component:

Figure 7. A comparison of DanceVida and TodayZoo kits, showing matching source code

Figure 8. A comparison of DanceVida and TodayZoo kits showing highly similar source code. Note how TodayZoo has changed its variables.

Figure 9. A comparison of DanceVida and TodayZoo kits showing a slightly different implementation for credential posting

To further illustrate the “Frankenstein’s monster” character of TodayZoo, the table below expands the comparison of one of its current phishing pages with Office-RD117, as well as with four other landing pages. These landing pages are unattributed to specific operators and reference DanceVida or use the same credential-harvesting POST statements. While all these samples share code segments in their imitation, obfuscation, or credential harvesting components, each still has unique elements that differentiate it.

Table 1. Similarity areas and percentages of related phish kits to a recent TodayZoo sample

Figure 10. Graphical representation of the similarity areas of related phish kits to a recent TodayZoo sample

The above comparisons show a history of alterations and suggest the existence of a “core” set of code being reused by these phishing kits. They are also reminiscent of how remote access Trojans (RATs) and other malware families are continuously retooled by threat actors yet retain large chunks of code blocks across the board.

Our analysis of TodayZoo, DanceVida, and other phishing kits gives us several insights into the underground economy today. First, this research further proves that most phishing kits observed or available today are based on a smaller cluster of larger kit “families.” While this trend has been observed previously, it continues to be the norm, given how the phishing kits we’ve seen share large amounts of code among themselves. The continued presence of dead links and callbacks to other kits indicates that many phishing kit distributors and phishing operators have easy access to these existing kits and use parts of them to make new ones faster.

Secondly, our research shows that the players in the cybercrime economy count on a lack of examination of their products. Whether that is a bane or a boon on their part depends on how the products’ code is implemented. For example, an unchecked reused kit that still calls back to its original creator with copies of stolen credentials potentially translates into the equivalent of a passive income for that creator.

How threat intelligence enriches anti-phishing technologies in Microsoft Defender for Office 365

Insights such as those presented above enrich our protection technologies. Our intelligence on unique phishing kits such as TodayZoo, phishing services, and other components of phishing attacks allows Microsoft Defender for Office 365 to detect related campaigns and block malicious emails, URLs, and landing pages. Combined with Defender for Office 365’s use of machine learning, heuristics, and advanced detonation technology, such intel also makes it possible to detect kits that attempt to leverage techniques from one or multiple code bases, even before a user receives the email or interacts with the content.

Threat intelligence about the latest trends in the phishing landscape also feeds into other Microsoft security solutions, such as Microsoft Defender SmartScreen, which blocks phishing websites and malicious URLs and domains in the browser, and Network protection, which blocks connections to malicious domains and IP addresses. Advanced hunting capabilities allow analysts to search for phishing kit components and other IOAs.

Organizations can configure the recommended settings in Microsoft Defender for Office 365, such as applying anti-phishing, Safe Links, and Safe Attachments policies. These ensure real-time protection by scanning at the time of delivery and at the time of click. They can further strengthen their protection with Microsoft 365 Defender, which correlates signals from emails, endpoints, and other domains, delivering coordinated defense.

Learn how you can stop credential phishing and other email threats through comprehensive, industry-leading protection with Microsoft Defender for Office 365.

Visit our National Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart

Microsoft 365 Defender Threat Intelligence Team

Advanced hunting queries

Emails with TodayZoo operator patterns

Use this query to find emails carrying URLs that have additional forward slashes at the path and domain split point and that follow the TodayZoo operators’ patterns in the path and subdomain structure. TodayZoo operators occasionally store URLs in the attachment, so this query would not surface those instances.

EmailUrlInfo
| where Url matches regex "(ujsd)?\\.[a-z]+\\.com\\/\\/.+\\.#"

Endpoint activity where TodayZoo patterns redirect to DigitalOcean

Use this query to find endpoint network events where the remote URL matches the TodayZoo operators’ double-slash pattern or ends in digitaloceanspaces.com, and to surface the devices and processes that reached two or more such domains within the same hour.

DeviceNetworkEvents
| where RemoteUrl matches regex "(ujsd)\\.[a-z]+\\.com\\/\\/.+\\.#" or RemoteUrl endswith "digitaloceanspaces.com"
| extend Domain = extract(@"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$", 0, RemoteUrl)
| summarize dcount(Domain), make_set(Domain) by DeviceId, bin(Timestamp, 1h), InitiatingProcessFileName, InitiatingProcessCommandLine
| where dcount_Domain >= 2

Indicators of compromise

Sample initial base domains
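Added example, not code from the original post: the two advanced hunting queries above ported to Python, so the same pattern matching and per-device distinct-domain counting can be run offline against exported EmailUrlInfo and DeviceNetworkEvents rows. The regexes are the queries' own; the domain extractor is assumed to run on the host part when RemoteUrl is a full URL, and every URL and event below is constructed.

```python
"""Added example: the two advanced hunting queries above ported to Python.
Not code from the original post; the URLs and events below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Regexes copied from the KQL queries: "(ujsd)" is the operators' leftover
# marker, "//" the doubled slash at the domain/path split, ".#" the separator
# before the encoded secondary URL. Only the email query makes the marker optional.
EMAIL_URL_RE = re.compile(r"(ujsd)?\.[a-z]+\.com//.+\.#")
ENDPOINT_URL_RE = re.compile(r"(ujsd)\.[a-z]+\.com//.+\.#")
DOMAIN_RE = re.compile(r"[^.]+(\.[^.]{2,3})?\.[^.]{2,12}$")  # the query's extract()

def is_todayzoo_email_url(url):
    """EmailUrlInfo | where Url matches regex ..."""
    return EMAIL_URL_RE.search(url) is not None

def extract_domain(remote_url):
    """extend Domain = extract(...). Assumption: for a full URL (rather than the
    bare host name MDE usually logs) run the extractor on the host part only."""
    host = urlsplit(remote_url).hostname or remote_url
    m = DOMAIN_RE.search(host)
    return m.group(0) if m else host

def hunt_endpoint_redirects(events, min_domains=2):
    """DeviceNetworkEvents query: keep TodayZoo-pattern or DigitalOcean Spaces
    connections, bucket by device / 1h bin / process, return buckets that reached
    at least min_domains distinct domains (the query's dcount_Domain >= 2)."""
    buckets = defaultdict(set)
    for ev in events:
        url = ev["RemoteUrl"]
        if not (ENDPOINT_URL_RE.search(url) or url.endswith("digitaloceanspaces.com")):
            continue
        hour = ev["Timestamp"].replace(minute=0, second=0, microsecond=0)  # bin(.., 1h)
        key = (ev["DeviceId"], hour, ev["InitiatingProcessFileName"],
               ev["InitiatingProcessCommandLine"])
        buckets[key].add(extract_domain(url))
    return {k: sorted(v) for k, v in buckets.items() if len(v) >= min_domains}

def _event(minute, device, url):
    """Build one constructed DeviceNetworkEvents-like row (browser process)."""
    return {"Timestamp": datetime(2021, 8, 2, 9, 0) + timedelta(minutes=minute),
            "DeviceId": device, "RemoteUrl": url,
            "InitiatingProcessFileName": "msedge.exe",
            "InitiatingProcessCommandLine": "msedge.exe"}

# Constructed telemetry: dev-a follows a TodayZoo redirector to a DigitalOcean
# Spaces landing page within the hour; dev-b only touches DigitalOcean Spaces.
SAMPLE_EVENTS = [
    _event(3, "dev-a", "https://a1b2c3.ujsd.redirectorexample.com//go/r.#ZXhhbXBsZQ=="),
    _event(4, "dev-a", "phish-bucket.nyc3.digitaloceanspaces.com"),
    _event(5, "dev-a", "updates.example.net"),
    _event(10, "dev-b", "assets.sfo2.digitaloceanspaces.com"),
]

if __name__ == "__main__":
    for key, domains in hunt_endpoint_redirects(SAMPLE_EVENTS).items():
        print(key, domains)
```

Only dev-a is returned: its redirector domain and digitaloceanspaces.com make two distinct domains in the same hour bucket, while dev-b's single DigitalOcean Spaces contact stays below the threshold.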