Advanced Persistent Threats are usually delivered by email or by exploiting exposed vulnerabilities. Since vulnerability exploitation comes in waves that follow vulnerability trends, the email vector has become one of the most (ab)used and stable ways to deliver malicious and unwanted software. A common way to attack a victim is to make them open an email attachment through ordinary social engineering: attackers pretending to be a candidate asking the HR manager to open the “attached curriculum”, a customer asking for special products or information contained in a well-crafted Word document, a friend asking for a favour, or a new customer asking for a price list in a malicious Microsoft Excel attachment are only some of the (almost) infinite ways to make someone open an attachment.
But something is slowly changing.
While phishing was, so far, rather underestimated by malware analysts working on state-sponsored cyber attacks, since it was mostly a technique used by criminal groups to steal credentials, it is now increasingly used by state-sponsored attackers to spread malware (for example Android apps) and to steal credentials in order to restart a previously failed attack and gain a wider victim surface. Many research groups have already noticed this slow move from email attachments to phishing campaigns: for example Check Point researchers, in their great report on Rampant Kitten (ref: HERE), show in the section “Infrastructure and Connection” (Figure 9) a nice phishing infrastructure, and the FBI in ME-000134-MW warns about both phishing and email attachments. But those are only some of the many examples you can find out there by reading reports and analyses from well-known research groups.
For such reasons I believe phishing, and most importantly phishing kits, need to be studied and tracked even by cyber security analysts who dedicate their effort to APT rather than to criminality. Just to give an idea of how phishing kits can be tracked, I am sharing some of my tweets on the topic to show how different they are from each other and how complex they can be.
If you agree with me that phishing kits will play a significant role in the next few years, even in the APT world, and if you want to help the community analyze and report them as quickly as possible, you might decide to start from HERE: a freshly updated repository of phishing kits. There you will find more than 600 archives (as of today, but that number grows every day, as new PKs are detected by my backend system, which runs continuously and pushes to the git repository) containing the source code of many phishing kits, some of them used in APT, others used in common credential-stealing campaigns. You will learn how they evade detection (it’s unbelievable how some criminals implement anti-detection code 😀), how they name themselves, how they write code and what their administrator panels look like. If you start a deep analysis of that data you will probably be able to group kits by author and later, by clustering on those results, track each author’s style and how it changes over time. That would be very interesting for tracking the evolution of PKs and giving the community control over them, towards a safer digital space.
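To make the “group by author, then cluster” idea concrete, here is an added example of the kind of first-pass analysis one can run over a folder of kit archives. It is not code from the PhishingKitTracker repository: it assumes each kit is a zip of PHP/HTML sources, uses two crude author-style signals (which files the kit ships and which mailbox the harvested credentials are sent to via PHP `mail()`), and the 0.4/0.6 weighting and 0.5 threshold are arbitrary choices, not values from the repository. The three kits it processes are constructed in memory for illustration and are not real samples.

```python
"""Cluster phishing-kit archives by shared file layout and credential drop address.

Added example, not the PhishingKitTracker repository's own script. Assumes each
kit is a zip archive of PHP/HTML source. The sample kits below are constructed
here for illustration; they are not real phishing kits.
"""
import io
import re
import zipfile
from itertools import combinations

# Where does the kit send harvested credentials? Matches mail('addr', ...) / mail("addr", ...)
MAIL_RE = re.compile(r"""mail\s*\(\s*['"]([^'"]+@[^'"]+)['"]""")


def make_kit(files: dict[str, str]) -> bytes:
    """Build an in-memory zip from {path: content} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def kit_features(blob: bytes) -> dict:
    """Extract author-style features from one kit archive."""
    names, recipients = set(), set()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Drop the top-level folder so kit-v1/login.php and kit-v2/login.php compare equal.
            names.add(info.filename.split("/", 1)[-1].lower())
            if info.filename.endswith((".php", ".htm", ".html", ".txt")):
                text = zf.read(info).decode("utf-8", errors="ignore")
                recipients.update(m.lower() for m in MAIL_RE.findall(text))
    return {"files": names, "recipients": recipients}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def similarity(f1: dict, f2: dict) -> float:
    """Weighted score (assumed weights): a shared drop address is a stronger
    author signal than a shared file layout, which is often just a copied template."""
    return 0.4 * jaccard(f1["files"], f2["files"]) + 0.6 * jaccard(f1["recipients"], f2["recipients"])


def cluster_kits(kits: dict[str, bytes], threshold: float = 0.5) -> list[set]:
    """Single-linkage clustering via union-find: kits scoring >= threshold share a cluster."""
    feats = {name: kit_features(blob) for name, blob in kits.items()}
    parent = {name: name for name in kits}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(kits, 2):
        if similarity(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: dict[str, set] = {}
    for name in kits:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))


# Constructed sample kits: two variants by the "same author" (same drop address,
# near-identical layout) and one unrelated kit.
SAMPLE_KITS = {
    "kit_a.zip": make_kit({
        "bank/index.php": "<?php include 'login.php'; ?>",
        "bank/login.php": "<?php mail('drop1@example.com', 'rezult', $msg); ?>",
        "bank/blocker.php": "<?php /* deny known crawler ranges */ ?>",
    }),
    "kit_b.zip": make_kit({
        "bank2/index.php": "<?php include 'login.php'; ?>",
        "bank2/login.php": '<?php mail("drop1@example.com", "rezult", $msg); ?>',
        "bank2/blocker.php": "<?php /* deny known crawler ranges */ ?>",
        "bank2/style.css": "",
    }),
    "kit_c.zip": make_kit({
        "mail/signin.php": "<?php mail('other@example.org', 'logs', $body); ?>",
        "mail/antibot.php": "<?php ?>",
    }),
}

if __name__ == "__main__":
    for group in cluster_kits(SAMPLE_KITS):
        print(sorted(group))
```

On real data you would feed `cluster_kits` the archives from the repository and extend `kit_features` with further signals (blocklist contents, admin-panel strings, comment language), but the structure stays the same: extract per-kit features, score pairs, then link kits whose score crosses the threshold.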
If you think this work is worth spreading, please go ahead, and if you use this collection and the scripts in the repository for your research, please cite it using the following BibTeX entry.
@misc{MR,
  author = "Marco Ramilli",
  title  = "Phishing Kits Tracker",
  year   = "2020",
  url    = "https://marcoramilli.com/2020/07/13/introducing-phishingkittracker/",
  note   = "[Online; July 2020]"
}