EvilProxy operators leverage Reverse Proxy & Cookie Injection methods to evade MFA – proxyfying victim’s session...

Continue reading
Exploitation techniques continue to evolve with sophisticated tools to orchestrate advanced phishing attacks against targets across the globe in the wake of the recent Twilio breach that resulted in the disclosure of 2FA (OTP) codes. New Phishing-as-a-Service (PhaaS) dubbed EvilProxy has been identified by the threat researchers at Secure Blink, and it is being widely promoted over the Dark Web. In other sources, the alternate moniker is Moloch, which has some ties to a phishing-kit built by a number of renowned underground players that have previously attacked financial institutions and the e-commerce industry.
While the Twilio hack is purely tied to the supply chain, cybersecurity concerns lead to attacks against downstream targets. The productized underground service EvilProxy allows threat actors to attack MFA-enabled customers at scale without compromising upstream services.
EvilProxy actors employ Reverse Proxy and Cookie Injection to evade two-factor authentication, hence proxyfying the victim's session. Previously, similar techniques were seen in the targeted operations of APT and cyberespionage organizations; however, EvilProxy has now effectively productized these techniques, demonstrating the relevance of the increase in assaults against online services and MFA authentication systems.
Secure Blink threat researchers gained extensive insights across EvilProxy, including its structure, modules, functionalities, and the network infrastructure used to perform malicious behavior, as a consequence of the continuing investigation into the assaults against many workers of Fortune 500 firms. Initial incidents of EvilProxy have been linked to attacks against Google and msft clients with MFA enabled — either by SMS or Application Token.
The first mention of EvilProxy was discovered in early May 2022, when the actors operating it released a demonstration video describing how it could be used to deliver advanced phishing links to compromise consumer accounts belonging to major brands including Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.
Notably, EvilProxy furthermore allows phishing attacks against the Python Package Index (PyPi):
The official Python software repository (Python Package Index (PyPI)) recently announced (last week) that project contributors were the target of a phishing assault designed to get their user login information. The assault used JuiceStealer (as the last payload after the first breach) and, according to the findings of Secure Blink's Threat Researchers, was associated with EvilProxy perpetrators, who introduced this capability just before the attack was carried out.
In addition to PyPi, EvilProxy's capabilities now support GitHub and npmjs (a JavaScript Package Manager used by over 11 million developers globally), allowing supply chain assaults through sophisticated phishing operations. It is quite probable that the actors want to target software developers and IT engineers in order to get access to their repositories and then compromise "downstream" targets. These tactics enable hackers to leverage the vulnerability of end users, who believe they are obtaining software packages from safe locations and are unaware that they have been infiltrated.
A key feature of EvilProxy is its implementation of the _"Reverse Proxy"_ technique. The premise of the reverse proxy is straightforward: malicious actors lure victims to a phishing website and use the reverse proxy to get all the legitimate material the user expects, including login pages - it sniffs their traffic as it travels through the proxy. So, they may collect valid session cookies and skip the necessity for usernames, passwords, and/or 2FA tokens.
Secure Blink has obtained videos released by EvilProxy actors illustrating how it can be exploited to hijack the victim's session and get access to the target account through Microsoft 2FA and Google email.
Google 2FA
Microsof Company 2FA
EvilProxy is supplied on a subscription basis; when the end user (a cybercriminal) selects a service of interest to target (e.g., Facebook or Linkedin), the activation will be for a certain time period (10, 20, or 31 days as per the plans description which was published by the actors on multiple Dark Web forums). John Malkovich, one of the principal performers, serves as an administrator who verifies new clients. All major underground communities, including XSS, Exploit, and Breached, are covered by the service.
EvilProxy's payments are managed by a human operator on Telegram. The subscription fee will be credited to the user's account in the TOR-hosted customer portal after payment has been accepted. The kit is accessible on the Dark Web hosted by the TOR network for $400 per month.
Several tutorials and interactive videos on how to use the service and configuration suggestions are available on the EvilProxy website. Regarding the service's usability and configurability of new campaigns, traffic flows, and data collecting, the bad actors, performed well.
After activation, the operator will be prompted for SSH credentials to deploy a Docker container and scripts. This strategy has also been used by another PhaaS service found by Secure Blink this year, dubbed "Frappo." The automatic installation contains a reference to the Gitlab user "Olf Dobs" (ksh8h297ydO)
`apt update -qqy && apt dist-upgrade --no-install-recommends --no-install-suggests -o Dpkg::options::="--force-confdef" -y \ && apt install --no-install-recommends --no-install-suggests -y git \ && rm -rf /srv/control-agent && git clone --recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent \ && cd /srv/control-agent && chmod +x ./install.sh \ && /srv/control-agent/install.sh '[license_key]' ===*=`
Once the scripts have been successfully deployed, traffic originating from victims will be routed via a pair of "upstream" gateways:
We were able to narrow down some of the phishing domains after doing more research. The evil guys register identically spelled domains so they may pass themselves off as respectable businesses.
Here are a few examples of the fake Microsoft E-Mail URLs that EvilProxy may create:
https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2Fopenid%20profile%20https%3 A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637975588496970710 .Zjg3YzFkMmEtYTUxYy00NDliLWEzYzAtMTExZTliNjBkY2ZkY2U3NzM2MDMtZWNhZC00ZWFmLWE5YjMtYzgzZTFjM2E1ZDdl&ui_locales=en-US&mkt=en-US&state=jHi-CP0Nu4oFHIxklcT1adstnCWbwJwuXQWTxNSSsw-23qiXK-6EzyYoAyNZ6rHuHwsIYSkRp99F-bqPqhN4JVCnT4-3MQIDvdTKapKarcqaMFi6_xv2__3D0KfqBQ070ykGBGlwxFQ6Mzt9CwUsz2zdgcB4jFux2BhZQwcj-WumSBz0VQs5VePV-wz00E8rDxEXfQdlv-AT29EwdG77AmGWinyf3yQXSZTHJyo8s-IWSHoly3Kbturwnc87sDC3uwEn6VDIjKbbaJ-c-WOzrg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.16.0.0
https://473126b6-bf9a-4a96-8111-fb04f6631ad8-571c4b21.msdnmail[.]net/mail/?realm=[victim_domain]&exsvurl=1&ll-cc=1033&modurl=0&JitExp=1&url=%2Fowa%2F%3Frealm%253d%2526exsvurl%253d1%2526ll-cc%253d1033%2526modurl%253d0%2526login_hint%253[victim_email]%252540[victim_domain]
Those behind this use a wide variety of methods to identify potential victims and shield the phishing-kit code from being discovered. They collect information on VPN services, Proxies, TOR exit nodes, and other hosts that may be used for IP reputation research, similar to what fraud prevention and cyber threat intelligence (CTI) systems do (of potential victims). They either terminate the connection or send the user to a certain website (like "brave.com") if they think they are dealing with a bot or researcher.
Fingerprinting is another method that has been discovered.
When it comes to identifying potential virtual machines, which are utilized by security analysts to investigate dangerous information and clients connecting through RDP (Remote Desktop Protocol), the bad guys are very vigilant.
Cybercriminals now have a low-cost, high-scalability option for conducting sophisticated phishing attacks against users of prominent online services with multi-factor authentication (MFA) enabled; however, selling EvilProxy needs verification. As more of these services begin to surface on the Dark Web, we should expect to see a rise in ATO/BEC activity and other hacks that aim to steal users' identities, especially in environments where Multi-Factor Authentication (MFA) can be readily circumvented using software like EvilProxy.
The following is a list of domains and URLs associated with the EvilProxy infrastructure compiled by Secure Blink's Threat Researchers. Post-incident communication with victims, including those from Fortune 500 firms and users of major online services, led to the mapping of some of these hosts. Information about these hosts may aid cybersecurity researchers and incident responders in detecting and attributing suspected malicious behavior to EvilProxy when investigating events involving MFA, despite the very fluid nature of bad actors' activities (2FA).