A massive social engineering campaign has been disseminated at least in the last two years in Portugal. The waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.
In this article, we will understand the modus operandi of this wide campaign, how the phishing templates are disseminated, how victims’ are triggered, dig into the details of the phishing templates and C2 server source-code, and learn how criminals are orchestrating all the operations.
A wide social engineering campaign affecting bank users’ in Portugal, Spain, Brazil, Mexico, Chile, the UK, and France has been disseminated and operated by Brazilian criminals at least in the last two years. Although users of many countries have been impacted, this article will focus whenever possible only on the Portuguese waves.
As documented in the past, a lot of malicious templates have been developed and updated by criminals to lure victims to share their home banking credentials on fake templates. As usual, the phishing email templates are incredibly similar to the original emails, with the exception of the content provided. Nevertheless, the campaign is not just about collecting data through a landing page: criminals are able to control every step of the infection chain, asking the victim for additional details via C2 servers in real-time. This campaign has been observed since 2019 in Portugal and is depicted in Figure 1 below.
Figure 1: High-level diagram of the social engineering infection chain. Victims are triggered via phishing, spear-phishing, or smishing waves, and the observed landing pages can have two distinct forms. Users’ details are collected offline or on the fly orchestration via C2 is performed by criminals.
- Criminals target victims from different countries and collect details from home banking portals and payment cards.
- The criminals geolocated in Brazil have a list of target phone numbers and emails used to trigger victims in spear-phishing campaigns.
- The criminals can use two different phishkits engines.
- The compromised data can be accessed by criminals in offline mode by accessing the server where the landing page is running. The data is transferred via FTP or web pannels, and further access is performed to the banking portal.
- On the other side, an orchestration schema in real-time can be used to control every step of the infection chain. With this mechanism in place, the infection process is as real as possible to the legitimate system. Criminals can impersonate the victims and access the legitimate service in real-time while details are requested via the fake page.
Genesis: The initial trigger
The smishing way
Everything starts with smishing (SMS) or spear-phishing campaigns (fake emails). Smishing is leveraged through a wordlist of valid and processed phone numbers acquired by criminals from other criminal groups that sell this type of content – including emails – on underground forums and Telegram or Discord channels.
Figure 2: How criminals are obtaining phone numbers and emails to trigger victims’.
Interesting to notice that these groups are looking for Fully Undetectable (FUD) malware to target victims. We believe this thread is related to the acquisition of the source code of the URSA trojan detailed here.
The smishing campaign is started by using SMS API services from third-party companies to release the trigger.
Figure 3: Smishing campaigns executed by criminals to target victims according to several lists grouped by countries.
The spear-phishing method
The spear-phishing campaigns are executed in the same way. A list of emails is acquired and a well-designed template impersonating the legitimate organizations is sent to the victims’ inbox. Figure 4 below presents some of the templates disseminated in the last weeks in Portugal.
Figure 4: Phishing email templates disseminated in Portugal during the last weeks of 2021.
As usual, the email body has hardcoded a malicious URL specially crafted by criminals via shortURL systems. The following image illustrates some malicious domains created on the bit[.]do service by criminals.
Figure 5: Short-URLs created by criminals and used in several campaigns in the wild.
These kinds of campaigns fully target a group of users, spear-phishing. For this, criminals perform initial triage, before directing the victim to the malicious landing page.
In detail, a redirector system accessed after clicking on the malicious link sent via email is responsible for validating whether the email passed through a URL parameter is contained in a pre-computed list, which demonstrates that phishing campaigns are totally targeted to a group of users.
This redirector is composed of the following URL path: malicious_domain/redir or malicious_domain/?cliente=xxx.
As observed below, the redirector system includes some features, namely:
- A list of blocked domains
- A blacklist of IP addresses; and
- A logging mechanism to keep the victims’ details (date and hour, OS version, email, IP address, and web-browser details.
Figure 6: Black-list mechanisms and logging procedure available on the redirector system.
Figure 6 shows that requests from IP ranges and CIDR /32 IP addresses are blocked and the same procedure is also applied to domains and email addresses.
Digging into de details, the files “xadm.php” e “xblock.php” allow a web interaction to facilitate the block of IP addresses and email addresses. The local database is comprised of 2 TXT files (“xblock-ip.txt” and “xblock-mail.txt”). On the other hand, the log of operations and victims’ accesses are kept in the files “xerror.txt” and “xreg.txt“.
Figure 7: File tree of the phishing redirector.
The used authentication mechanism is straightforward. The files are protected by a hardcoded password, and the entire procedure is carried out with the TXT files (the database), as mentioned before. Some details about the redirector source code are below.
Figure 8: Details about the authentication mechanism and TXT files that support all the redirector operations.
Among other highlights, the index.php file is responsible for some additional checks in order to “redirect” the victim to the final landing page.
Figure 9: Initial validation when a victim request (HTTP-request) is received.
Next, some extra validations are performed in order to circumvent automatic requests from cyber security systems, Internet bots, security experts, and so on. As highlighted below, the victim is then redirected to the final landing page available on another web server if the initial request matches all the steps with success.
Figure 10: Extra validations executed by the phishing redirector system – a triage process to evade automatic requests and Internet bots, security systems, etc.
Phishkits: How landing pages operate
In general, we are scrutinizing two different phishkits in this article, namely:
- A simple landing page (without C2) with the goal of only collecting credentials to access the home banking portal and other details such as SMS tokens and bank codes; and
- A landing page orchestrated via local C2 panel and also another huge schema with central C2 servers geolocated in Brazil.
Simplest way: a single landing page without a C2 mechanism
This type of architecture typically uses TXT files to store the victims’ data in raw format. Criminals further access servers and download details via FTP or web pannels. The landing pages are also equipped with a notification mechanism, where the feed with the victims’ data is sent to a Telegram channel or even via email by using the SMTP protocol.
Some of the landing pages observed in Portugal within this context are presented below.
Figure 11: Example of landing pages observed in Portugal during the last weeks of 2021.
In order to control and check the number of infections, these phishkits have embedded a victims’ log feature as demonstrated below. In this sense, criminals are able to control how many victims were infected and decide when the right moment to collect and download the data. In some cases, the access is performed via VPN services, otherwise, from residential Brazilian IP addresses.
Figure 12: 898 victims’ (accesses) were targeted in this phishkit – many of them valid accesses, and with legitimate information stored on the server and collected by criminals.
It’s interesting to notice the criminals do not delete the 1st infection from the logging file, every time with their residential IP address. Due to the lack observed, it’s straightforward to track the groups behind these kinds of schemas based on their geolocation (to let the cat out of the bag).
As previously mentioned, the collected data is stored inside TXT files and images with bank codes also uploaded into specific folders (left-side), and the detail can also be sent simply via email with the banking code images as attachments (right-side).
Figure 13: Example of how the victims’ details are stored on the webserver or simply sent to the criminals’ email inboxes via SMTP protocol.
Orchestration on the fly
In this section, 5 different phishkits of orchestrator systems are presented. All of them operate more or less within the same model:
- The victim accesses the landing page; and
- Criminals control all the steps by using a C2 panel available on the same webserver or a C2 server geolocated in Brazil.
Regarding this orchestration C2s, criminals are able to request details step-by-step in real-time, as illustrated below.
Figure 14: Phishkit with a C2 panel available on the same server. All the data is requested step by step by operators.
As seen, on the same server where the phishing page is hosted, a C2 panel is included. This panel allows step-by-step control of the data requested from victims. In the image above, the dashboard and a window where the request for 3 banking card values (secret code) is made. The victims’ details are stored on the server by using a MySQL database, usually configured via the Cpanel Host Manager system.
Figure 15: #phishkit 1 source-code details.
This scenario presents a similar process as described previously. A C2 panel available in the same server is used to control the flow on the fly by operators.
Figure 16: #phishkit 2 landing page and C2 panel.
Malicious operators can choose what type of data they want to request, and the information is stored on a MySQL database, just like on #phiskit 1.
In this phishkit, the same modus operandi is used. The data is requested in a C2 panel on the server, but this time the details are stored in TXT.
Figure 17: #phishkit 3 – landing page and C2 panel.
Instead of using a DBMS, this particular phishikit manages everything with TXT files. The PHP files are responsible for creating, editing, or even deleting information from the TXT files (the database of the malicious schema).
Figure 18: TXT files that stored the victims’ data in raw format. The files are accessed (and edited) from the PHP pages of the C2 panel.
As expected, criminals must access the webserver to download all the details.
This phishkit is built differently from the previous ones. Rather than using a panel to request data in stages, it only collects the access credentials and makes automated requests to validate the credentials in real-time. In addition, the phishkit extracts information from the legitimate servers/portals in order to populate the malicious database, including the victim’s name, credit card (number, date, and CVV number), account balance, etc.
Figure 19: #phishkit 4 – landing page, C2 panel, and API details used probably to feed a C2 server in the background.
This phiskit uses an API that exposes the information to be collected by a C2 in the background. Next, criminals can use them to perform other tasks.
The #phiskit 5 has been used at least for the last 2 years in Portugal. The landing pages are launched on newly registered domains, either on the same day the campaign is disseminated or during the night to avoid their detection. The landing pages all communicate with C2 servers geolocated in Brazil and controlled on the fly by criminals.
Figure 20 shows some of the landing pages used by criminals.
Figure 20: Landing pages used by criminals – #phishkit 5.
These C2 servers have ben use used in different types of campaigns around the globe, mainly to execute and control:
- phishing campaigns via landing pages
- infections via conventional banking malware (Windows OS); and
- infections via malicious APK (Android banking trojan).
As observed below, the C2 operators can request data step-by-step via a tailored way.
Figure 21: #phishkit 5- one of the C2 servers geolocated in Brazil.
Notice that the “ANUBIS” operator was highlighted because the same user appeared in a very similar campaign – ANUBIS NETWORK – THE EVOLUTION OF THE PHISHING SCHEMA. This can be a clear sign that the same group is operating these C2 servers as well.
Figure 22: Similarities of the #phishkit 5 operators vs Anubis operators.
More details about the Anubis phishing infrastructure analysis are below.
Returning to this analysis, another C2 server also operated by the same group and using the same modus operandi – but with a slightly different design – was observed operating only in Latin America. Some screens are presented below.
Figure 23: C2 server operated by the same group only in Latin American countries.
As mentioned above, The C2 server under analysis is also used to control infections via malicious APK. The following screen is a clear indicator of that.
Seems targeting Portugal @banco_bpi‘s customers.
C2 panel is named “Operador MIB 1.0” – it has BR connections.
cc @LukasStefanko @virqdroid pic.twitter.com/vuV5rqinX0
— MalwareHunterTeam (@malwrhunterteam) April 15, 2020
Figure 24: C2 server used to control malware infections via malicious Android package (APK).
More details about malicious APK files operated by this group are below.
The infection process using these C2 servers can be observed in the video provided below, which exemplifies how the information is requested step-by-step by the operators.
Another video referring to another campaign can also be viewed here.
The C2 servers have a MySQL database used to keep and control all the operations, and several replicas are available on different servers geolocated in Brazil.
Figure 25: #Phishkit 5 – MySQL databases and some of the available tables with target companies.
In detail, C2 was developed based on a well-structured pillar, where minimal information is sent to landing pages during the infection process. Figure 26 below presents the #phishkit 5 file tree (source-code).
Figure 26: #phishkit 5: file tree.
As observed, this C2 server is capable of spawning new domains based on available apache .config files. The process is completely automated, allowing criminals not to waste too much time setting up new domains.
Figure 27: C2 server and its spawning mechanism to set up new phishing domains.
Below is presented the complete list of configuration files available in one of the C2 servers along with the targeted organizations:
2854app.com.conf 22.214.171.124.conf 8032.digital.conf 126.96.36.199.conf account-nb.com.conf accountbpm.com.conf aplication-santander.com.conf app-itau.com.conf app-novobanco.com-le-ssl.conf app-novobanco.com.conf app.1824-account.com.conf app.3215-account.com.conf app.3453-account.com.conf app.3776-account.com.conf app.3893-account.com.conf app.6354-account.com.conf app.account-bpm.com.conf app.account-santa.com.conf app.accountbpm.com.conf app.activo-online.com.conf app.aplicativo-itau.com.conf app.aplicativo-millennium.com.conf app.aplicativo-santander.com.conf app.aplicativo1-itau.com.conf app.att-itau.com.conf app.bpm-account.com.conf app.bpm-you.com.conf app.bpmaccount.com.conf app.cadastronovobanco.com.conf app.chile-itau.com.conf app.cl-itau.com.conf app.euro-bic.com.conf app.falabella-chile.com.conf app.it-account.com.conf app.itau-aplicativo.com.conf app.itau-att.com.conf app.itau-cl.com.conf app.itau-sms.com.conf app.liber-bank.com.conf app.liber-spain.com.conf app.liber-web.com.conf app.lisboaportugallima.com.conf app.montepionet.com.conf app.net-ctt.com.conf app.novobancocadastro.com.conf app.novobancopt.net.conf app.promo-worten.com.conf app.retail-santanderuk.com.conf app.retailsantanderuk.com.conf app.santa-account.com.conf app.santa-aplication.com.conf app.santa-uk.com.conf app.santa-update.com.conf app.santalondon.com.conf app.santander-sms.com.conf app.santauk.com.conf app.santauk.info.conf app.seguridad-itau.com.conf app.sms-itau.com.conf app.totta-santander.com.conf app.uk-santa.com.conf app.uk-santander.com.conf app.update-santa.com.conf app.updateacount.com.conf app.web-liber.com.conf app.you-bpm.com.conf appitau-tarjeta.puntosarescatar.com.conf bcp-online.net.conf bcp.unic4.com.conf bcpupdate.com.conf bpm-you.com.conf bpm.2259-account.com.conf bpm.2455-account.com.conf bpm.2555-account.com.conf bpm.3596-account.com.conf bpm.3622-account.com.conf bpm.5586-account.com.conf bpm.9558-accout.com.conf bpm.9565-accout.com.conf bpm.add-italy.com.conf bpm.italy-add.com.conf bpmaccount.com.conf cadastro.bcp-online.net.conf cadastro.bcpupdate.com.conf cadastro.unic4.com.conf caixa.ccadastro.com.conf chile-itau.com.conf chile.itau-sms.com.conf download.app-firefox.com.conf gdfgdgg.duckdns.org.conf index.html ingresar.programatarjetasdecreditoiupp.com.conf itau-app.com.conf itau-iupptarjetadecredito.pmpmaster.com.conf itau-login.com.conf itau-mastercardblack.pmpmaster.com.conf itau-tarjetacredito.gloriousbuilders.com.conf itau-tarjetacredito.southafricanincorporations.com.conf itau-tarjetadecreditoepuntos.bestquranteaching.com.conf itau-tarjetaiupp.calmcbdbv.com.conf iupp.itaupuntos.com.conf kkklisboalina.duckdns.org.conf login-itau.com-le-ssl.conf login-itau.com.conf login-nb.com.conf login-novobanco.com.conf loguin-montepio.com.conf loguin-novobanco.com.conf mille.bcp-online.net.conf mille.unic4.com.conf millennium.2533-bcp.com.conf millennium.2596-bcp.com.conf millennium.8736-bcp.com.conf millennium.bcp-online.com.conf millennium.bcp-online.net.conf millennium.bcpsms.online.conf millennium.bcpupdate.com.conf millennium.cadastro-mm.com.conf millennium.mmcadastro.com.conf millennium.onlinebcp.net.conf millennium.unic4.com.conf millennium.upgradebcp.com.conf millennium1.bcpapp.eu.conf millennium1.bcpupdate.com.conf millennium2.bcpapp.eu.conf millennium2.bcpupdate.com.conf millennium3.bcpapp.eu.conf millennium3.bcpupdate.com.conf millennium4.bcpapp.eu.conf millennium4.bcpupdate.com.conf millennium5.bcpapp.eu.conf millennium5.bcpupdate.com.conf mm-cadastro.com.conf mmcadastro.com.conf montepio-app.com.conf montepio-loguin.com.conf monzo.2854app.com.conf monzo.4865.digital.conf monzo.5815.digital.conf monzo.6578.digital.conf monzo.8032.digital.conf monzo1.4865.digital.conf monzo2.4865.digital.conf monzo3.4865.digital.conf monzo4.4865.digital.conf mytestar.ddns.net.conf nb-login.com.conf nbway-app.com.conf novobanco-app.com-le-ssl.conf novobanco-app.com.conf novobanco-cashadvanced.bwnetworkus.com.conf novobanco-loguin.com.conf novobanco-pt.com.conf novobancoapp.com.conf novobanconet.com.conf onlinebcp.net.conf particulares-nb.com.conf prevencionitau.com.conf pt-novobanco.com.conf pt.cadastronovobanco.com.conf puntos-iupp.itaupunto.com.conf retailapp-santanderuk.com.conf santa-uk.com.conf santa.24533-account.com.conf santa.4564.link .conf santa.4564.link.conf santa.4564.me.conf santa.uk-account.com.conf santander.2783.online.conf santander.2783.work.conf santander.3378.me.conf santander.4439.me.conf santander.4649.digital.conf santander.4865.digital.conf santander.5128.digital.conf santander.5324.me.conf santander.5722.link.conf santander.5722.me.conf santander.6453.live.conf santander.6453.work.conf santander.73257.live .conf santander.73257.live.conf santander.73257.me.conf santander.73257.online.conf santander.cadastropt.com.conf santander.mobile-registrations.com.conf santander.registration-mobile.com.conf santander.uk-account.com.conf santander.uk-upgrade.com.conf santander.ukapp.site.conf santander.up-dateuk.com.conf santander.upadegb.com.conf santander.updateuk.site.conf santander1.upadegb.com.conf seguridad.itau-app1.com.conf smart-nb.com.conf sms-itau.com.conf soadtest.ddns.net.conf tarjetadepontos.clavantecl.com.conf tarjetaitau.iuppnuevospuntos.com.conf testimento.duckdns.org.conf unic4.com.conf useriupp.itauweb.com.conf userpuntos.puntoitau.com.conf userspuntos.puntoitau.com.conf www.resgatepuntos.org.conf you-bpm.com.conf
In detail, there is a blocking mechanism if C2 is accessed from an IP contained in the blacklist (Figure 28 shows only the partial IP address list).
Figure 28: Blacklist mechanism found on the C2 server. This list is used both in the C2 server and landing-page servers.
When criminals choose one of the following options/commands:
- Acesso Inválido
- Coord SMS Inválido
- SMS Inválido
- Coord Inválido
- SMS Inválido
- Coord SMS
- Pedir SMS
- SMS Valor Inválido
- Pergunta Inválido
- Matriz Inválido
- Matriz; e
- SMS Valor
the files with the HTML code sent to the victim screen are loaded from the: forms directory. The complete list of files and target brands are detailed below.
forms_abanca.php forms_activo.php forms_azteca.php forms_bancomer.php forms_bancomer_emp.php forms_banorte.php forms_bbva_es.php forms_bbva_es_emp.php forms_bbva_pe.php forms_bci.php forms_bci_empresa.php forms_bella.php forms_bella_emp.php forms_bice.php forms_bnl.php forms_bnp_fr.php forms_bper.php forms_bpi.php forms_bpi_emp.php forms_bpm.php forms_bpm_emp.php forms_caixa_es.php forms_caixa_es_emp.php forms_cgd.php forms_cgd_emp.php forms_chile.php forms_chile_2.0.php forms_chile_emp.php forms_citibanamex.php forms_cl_itau.php forms_cl_scotia.php forms_cl_scotia_emp.php forms_credem.php forms_ctt.php forms_desco.php forms_estado.php forms_estado_emp.php forms_es_ing.php forms_eurobic.php forms_fineco.php forms_fr_bpost.php forms_fr_societe.php forms_hsbc_mx.php forms_inter_pt.php forms_inter_pt_emp.php forms_intesa.php forms_itau.php forms_itau_emp.php forms_liberbank.php forms_milenium.php forms_milenium_emp.php forms_montepio.php forms_montepio_emp.php forms_mps.php forms_n26.php forms_nb.php forms_nl_belfius.php forms_poste.php forms_pt_credito_agricola.php forms_pt_credito_agricola_emp.php forms_santa.php forms_santa_emp.php forms_santa_es.php forms_santa_mx.php forms_santa_pt.php forms_santa_pt_emp.php forms_scotia_blue.php forms_scotia_blue_emp.php forms_scotia_mx.php forms_scotia_red.php forms_scotia_red_emp.php forms_ubibanca.php forms_uk_mbna_off.php forms_uk_metrobank.php forms_uk_monzo-bkp.php forms_uk_monzo.php forms_uk_santa.php forms_uk_santa_emp.php forms_uk_santa_emp_off.php forms_uk_santa_off.php forms_uk_santa_off_emp.php forms_unicredit.php forms_webank.php gerente_fisico.php
On the other way, the “gerente_” PHP files are the orchestrators for each target brand, when the mentioned options/commands are available and coded.
Figure 29: Source code of the gerente PHP files – C2 commands.
Regarding the users’ permissions, the system includes two different user roles:
- Administrator; and
The operators have the role of managing and controlling infections, requesting data, and finalizing the malicious process. In contrast, the administrator is capable of adding new users, editing users, configuring new spawners (phishing domains), enabling more target brands, and so on. Details and part of the source code about these features are present in Figure 30.
Figure 30: #phishkit 5 administrative operations – source code.
Phishing and malware campaigns make headlines every day. Phishing scams in particular have increased in volume and sophistication in recent years, making early detection hard.
There are several groups utilizing this type of scheme and obtaining email lists, malware, and FUD codes from underground forums, that are mainly paid via cryptocurrencies (Monero and Bitcoin). Many groups operate both phishing and malware campaigns at the same time, e.g. trojan URSA seems to be also operated by the same group of the C2 server analyzed above.
In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can appear.
From the Internet end users’ point of view, it’s important to equip them with strategies to fight this emerging threat and provide train in general. For instance, every time we receive an email from the bank, we need to question ourselves:
- Can the bank ask for my secrets by email? (it’s a trap)
- Am I in debt or do I have to pay something to the bank? (it’s a trap) … just confirm the situation, call by phone.
- Let me check the FROM address … seems weird (it’s a trap)
- If I click on the URL inside the email, first I need to check out the domain …probably it will not be the official one 😉 (it’s a trap again)
- Let me check if the certification authority is the same as the official home banking platform. You will see: a trap again.
Last but not least, if you have doubts or find any suspicious URLs, emails, or junk, just drop us a line here, we’ll be happy to help and take a cup of coffee.
Phishing and malware URLs can also be submitted into 0xSI_f33d, a Virus Total official ingestor.
Thank you to all who have contributed 😉
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.