Following the recent Twilio hack that resulted in the leak of 2FA (OTP) codes, cybercriminals continue to upgrade their arsenal of attacks to orchestrate advanced phishing campaigns targeting users around the world. Resecurity recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy announced on the Dark Web. On some sources, the alternate name is Moloch, which has a connection to a phishing kit developed by several notable underground players that previously targeted financial institutions and the e-commerce industry.
While the Twilio incident was purely a supply-chain compromise whose risks flowed down to downstream targets, an underground service such as EvilProxy allows threat actors to attack users with MFA enabled at the largest scale without needing to hack any upstream service.
EvilProxy actors use reverse proxy and cookie injection methods to bypass 2FA authentication by proxying the victim’s session. Previously, such methods were seen only in targeted campaigns by APT and cyber-espionage groups, but they have now been productized in EvilProxy, which underlines how attacks against online services and MFA authorization mechanisms are growing.
Based on the ongoing investigation into attacks against several employees of Fortune 500 companies, Resecurity was able to obtain substantial knowledge about EvilProxy, including its structure, modules, functions, and the network infrastructure used to carry out malicious activities. The first occurrences of EvilProxy were identified in attacks against Google and MSFT customers who had enabled MFA on their accounts, either with SMS or an application token.
The first mention of EvilProxy was detected in early May 2022, when the actors running it released a demo video detailing how it could be used to deliver advanced phishing links for the purpose of compromising consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others.
Notably, EvilProxy also supports phishing attacks against Python Package Index (PyPi):
The official software repository for the Python language, the Python Package Index (PyPI), recently (last week) reported that contributors to the project had been subjected to a phishing attack that attempted to trick them into disclosing their account login credentials. The attack used JuiceStealer as the final payload after the initial compromise and, according to findings from Resecurity’s HUNTER team, is related to EvilProxy actors, who added this function shortly before the attack was conducted.
How it works
EvilProxy uses the “reverse proxy” principle. The concept is simple: malicious actors direct victims to a phishing page and use the reverse proxy to fetch all the legitimate content the user expects, including login pages, while sniffing the victim’s traffic as it passes through the proxy. This way they harvest valid session cookies and bypass the need to authenticate with usernames, passwords and/or 2FA tokens.
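The two traces a proxied login leaves at the real service follow from the description above: MFA completes from the proxy host rather than the victim’s own network, and the harvested session cookie is then used from yet another network shortly afterwards. The following is an added defender-side illustration, not code from the report or from EvilProxy; the sign-in log lines and the hosting-range feed are constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample of an identity provider's sign-in/session log (not real data).
# Session S1 is the proxied case: MFA completed from a hosting-provider IP (the reverse
# proxy), then the same session cookie is used from a different network minutes later.
LOG = [
    "2022-09-05T08:00:01Z login_ok user=alice sid=S1 ip=198.51.100.7 ua=Chrome/104",
    "2022-09-05T08:00:02Z mfa_ok   user=alice sid=S1 ip=198.51.100.7 ua=Chrome/104",
    "2022-09-05T08:03:40Z api_call user=alice sid=S1 ip=203.0.113.22 ua=Chrome/104",
    "2022-09-05T09:10:00Z login_ok user=bob   sid=S2 ip=192.0.2.10   ua=Firefox/104",
    "2022-09-05T09:10:01Z mfa_ok   user=bob   sid=S2 ip=192.0.2.10   ua=Firefox/104",
    "2022-09-05T09:15:00Z api_call user=bob   sid=S2 ip=192.0.2.10   ua=Firefox/104",
]
# Constructed stand-in for a hosting/VPS reputation feed (assumed, not from the page).
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def parse(line):
    """Turn one 'timestamp event key=value ...' log line into a dict."""
    ts, event, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec.update(ts=datetime.fromisoformat(ts.replace("Z", "+00:00")), event=event)
    return rec

def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)

def detect_proxied_sessions(lines, window_minutes=30):
    """Return (sid, user, reason) alerts for sessions showing reverse-proxy traces."""
    alerts = []
    issued = {}  # sid -> (ip, ts) recorded when MFA completed for that session
    for rec in map(parse, lines):
        sid = rec["sid"]
        if rec["event"] == "mfa_ok":
            issued[sid] = (rec["ip"], rec["ts"])
            # Signal 1: the MFA step itself came from hosting infrastructure.
            if in_hosting_range(rec["ip"]):
                alerts.append((sid, rec["user"], "mfa_from_hosting_range"))
        elif sid in issued:
            ip0, ts0 = issued[sid]
            recent = (rec["ts"] - ts0).total_seconds() <= window_minutes * 60
            # Signal 2: the cookie issued to one IP is replayed from another soon after.
            if rec["ip"] != ip0 and recent:
                alerts.append((sid, rec["user"], "session_reused_from_new_ip"))
    return alerts
```

Binding the session cookie to the network it was issued from and alerting on either signal catches the cookie replay regardless of which MFA factor the victim completed.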
EvilProxy is offered on a subscription basis: the end user (a cybercriminal) chooses a service of interest to target (e.g. Facebook or LinkedIn), and the activation runs for a specific period (10, 20 or 31 days, according to the plan descriptions the actors have posted on several Dark Web forums). One of the key players, John_Malkovich, acts as an administrator who reviews new customers. The service is represented in all major underground communities, including XSS, Exploit, and Breached.
Payment for EvilProxy is arranged manually through an operator on Telegram. Once the subscription funds are received, they are deposited into the customer’s account on the portal hosted on TOR. The kit is available for $400 per month on the Dark Web, hosted on the TOR network.
EvilProxy’s portal contains multiple tutorials and interactive videos regarding the use of the service and configuration tips. To be frank, the bad actors did a great job in terms of the usability of the service and the configurability of new campaigns, traffic flows, and data collection.
After activation, the operator is prompted for SSH credentials, which are then used to deploy a Docker container and a set of scripts. This approach was also used in another PhaaS service called “Frappo”, which Resecurity identified this year. The automated installer references a user “Olf Dobs” (ksh8h297aydO) on GitLab:
apt update -qqy && apt dist-upgrade --no-install-recommends --no-install-suggests -o Dpkg::options::="--force-confdef" -y && apt install --no-install-recommends --no-install-suggests -y git && rm -rf /srv/control-agent && git clone --recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent && cd /srv/control-agent && chmod +x ./install.sh && /srv/control-agent/install.sh '[license_key]'
After successful deployment, the scripts route victim traffic through two gateways defined as “upstream”:
Based on further analysis, we have identified some of the domain names used in phishing campaigns. Malicious actors register look-alike domains (similar in spelling) with the intention of disguising them as legitimate online services.
Some of the links generated by EvilProxy to impersonate Microsoft E-Mail services are provided below:
Malicious actors use several techniques to recognize victims and prevent detection of the phishing kit code. Like fraud-prevention and cyber threat intelligence (CTI) solutions, they aggregate data about known VPN services, proxies, TOR exit nodes, and other hosts that can be used for IP reputation analysis of potential victims. If they suspect a bot or a researcher, they either drop the connection or redirect it to a specific host (e.g. “brave.com”).
Another approach that has been identified is based on fingerprinting.
Bad actors are particularly diligent in detecting possible virtual machines, typically used by security analysts to scan malicious content, and clients connecting via RDP (Remote Desktop Protocol):
While the sale of EvilProxy requires verification, cybercriminals now have a cost-effective and scalable solution for advanced phishing attacks that compromise consumers of popular online services even with MFA enabled. The appearance of such services on the Dark Web will lead to a significant increase in ATO/BEC activity and cyberattacks targeting end users’ identities, where MFA can be easily circumvented using tools like EvilProxy.
Resecurity’s HUNTER team has collected the following domain names and URLs related to the EvilProxy infrastructure. Some of these hosts were mapped during post-incident response engagements with affected victims from Fortune 500 companies and consumers of popular online services. Although the actors’ operations are extremely dynamic, information about these hosts can help cybersecurity researchers and incident responders detect and attribute possible malicious activity to EvilProxy when investigating incidents affecting MFA (2FA).
- evil proxy[.]pro