Taking the bait: The modus operandi of massive social engineering waves impacting banks in Portugal in the last two years.

A massive social engineering campaign has been disseminated at least in the last two years in Portugal. The waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.

In this article, we will understand the modus operandi of this wide campaign, how the phishing templates are disseminated, how victims’ are triggered, dig into the details of the phishing templates and C2 server source-code, and learn how criminals are orchestrating all the operations.

 

Overview

A wide social engineering campaign affecting bank users’ in Portugal, Spain, Brazil, Mexico, Chile, the UK, and France has been disseminated and operated by Brazilian criminals at least in the last two years. Although users of many countries have been impacted, this article will focus whenever possible only on the Portuguese waves.

As documented in the past, a lot of malicious templates have been developed and updated by criminals to lure victims to share their home banking credentials on fake templates. As usual, the phishing email templates are incredibly similar to the original emails, with the exception of the content provided. Nevertheless, the campaign is not just about collecting data through a landing page: criminals are able to control every step of the infection chain, asking the victim for additional details via C2 servers in real-time. This campaign has been observed since 2019 in Portugal and is depicted in Figure 1 below.

 

Figure 1: High-level diagram of the social engineering infection chain. Victims are triggered via phishing, spear-phishing, or smishing waves, and the observed landing pages can have two distinct forms. Users’ details are collected offline or on the fly orchestration via C2 is performed by criminals.

 

Key findings

    • Criminals target victims from different countries and collect details from home banking portals and payment cards.
    • The criminals geolocated in Brazil have a list of target phone numbers and emails used to trigger victims in spear-phishing campaigns.
    • The criminals can use two different phishkits engines.
    • The compromised data can be accessed by criminals in offline mode by accessing the server where the landing page is running. The data is transferred via FTP or web pannels, and further access is performed to the banking portal.
    • On the other side, an orchestration schema in real-time can be used to control every step of the infection chain. With this mechanism in place, the infection process is as real as possible to the legitimate system. Criminals can impersonate the victims and access the legitimate service in real-time while details are requested via the fake page.

 

 

Genesis: The initial trigger

The smishing way

Everything starts with smishing (SMS) or spear-phishing campaigns (fake emails). Smishing is leveraged through a wordlist of valid and processed phone numbers acquired by criminals from other criminal groups that sell this type of content – including emails – on underground forums and Telegram or Discord channels.

Figure 2: How criminals are obtaining phone numbers and emails to trigger victims’.

 

Interesting to notice that these groups are looking for Fully Undetectable (FUD) malware to target victims. We believe this thread is related to the acquisition of the source code of the URSA trojan detailed here.

The smishing campaign is started by using SMS API services from third-party companies to release the trigger.

Figure 3: Smishing campaigns executed by criminals to target victims according to several lists grouped by countries.

 

The spear-phishing method

The spear-phishing campaigns are executed in the same way. A list of emails is acquired and a well-designed template impersonating the legitimate organizations is sent to the victims’ inbox. Figure 4 below presents some of the templates disseminated in the last weeks in Portugal.

Figure 4: Phishing email templates disseminated in Portugal during the last weeks of 2021. 

 

As usual,  the email body has hardcoded a malicious URL specially crafted by criminals via shortURL systems. The following image illustrates some malicious domains created on the bit[.]do service by criminals.

Figure 5: Short-URLs created by criminals and used in several campaigns in the wild.

 

These kinds of campaigns fully target a group of users, spear-phishing. For this, criminals perform initial triage, before directing the victim to the malicious landing page.

In detail, a redirector system accessed after clicking on the malicious link sent via email is responsible for validating whether the email passed through a URL parameter is contained in a pre-computed list, which demonstrates that phishing campaigns are totally targeted to a group of users.

This redirector is composed of the following URL path: malicious_domain/redir or malicious_domain/?cliente=xxx.

As observed below, the redirector system includes some features, namely:

    • A list of blocked domains
    • A blacklist of IP addresses; and
    • A logging mechanism to keep the victims’ details (date and hour, OS version, email, IP address, and web-browser details.

Figure 6: Black-list mechanisms and logging procedure available on the redirector system.

 

Figure 6 shows that requests from IP ranges and CIDR /32 IP addresses are blocked and the same procedure is also applied to domains and email addresses.

Digging into de details, the files “xadm.php” e “xblock.php” allow a web interaction to facilitate the block of IP addresses and email addresses. The local database is comprised of 2 TXT files  (“xblock-ip.txt” and “xblock-mail.txt”). On the other hand, the log of operations and victims’ accesses are kept in the files “xerror.txt” and “xreg.txt“.

Figure 7: File tree of the phishing redirector.

 

The used authentication mechanism is straightforward. The files are protected by a hardcoded password, and the entire procedure is carried out with the TXT files (the database), as mentioned before. Some details about the redirector source code are below.

Figure 8: Details about the authentication mechanism and TXT files that support all the redirector operations.

 

Among other highlights, the index.php file is responsible for some additional checks in order to “redirect” the victim to the final landing page.

Figure 9: Initial validation when a victim request (HTTP-request) is received.

 

Next, some extra validations are performed in order to circumvent automatic requests from cyber security systems, Internet bots, security experts, and so on. As highlighted below, the victim is then redirected to the final landing page available on another web server if the initial request matches all the steps with success.

Figure 10: Extra validations executed by the phishing redirector system – a triage process to evade automatic requests and Internet bots, security systems, etc.

 

 

Phishkits: How landing pages operate

In general, we are scrutinizing two different phishkits in this article, namely:

    • A simple landing page (without C2) with the goal of only collecting credentials to access the home banking portal and other details such as SMS tokens and bank codes; and
    • A landing page orchestrated via local C2 panel and also another huge schema with central C2 servers geolocated in Brazil.

 

 

Simplest way: a single landing page without a C2 mechanism

This type of architecture typically uses TXT files to store the victims’ data in raw format. Criminals further access servers and download details via FTP or web pannels. The landing pages are also equipped with a notification mechanism, where the feed with the victims’ data is sent to a Telegram channel or even via email by using the SMTP protocol.

Some of the landing pages observed in Portugal within this context are presented below.

Figure 11: Example of landing pages observed in Portugal during the last weeks of 2021.

 

In order to control and check the number of infections, these phishkits have embedded a victims’ log feature as demonstrated below. In this sense, criminals are able to control how many victims were infected and decide when the right moment to collect and download the data. In some cases, the access is performed via VPN services, otherwise, from residential Brazilian IP addresses.

Figure 12: 898 victims’ (accesses) were targeted in this phishkit – many of them valid accesses, and with legitimate information stored on the server and collected by criminals.

 

It’s interesting to notice the criminals do not delete the 1st infection from the logging file, every time with their residential IP address. Due to the lack observed, it’s straightforward to track the groups behind these kinds of schemas based on their geolocation (to let the cat out of the bag).

As previously mentioned, the collected data is stored inside TXT files and images with bank codes also uploaded into specific folders (left-side), and the detail can also be sent simply via email with the banking code images as attachments (right-side).

Figure 13: Example of how the victims’ details are stored on the webserver or simply sent to the criminals’ email inboxes via SMTP protocol.

 

 

Orchestration on the fly

In this section, 5 different phishkits of orchestrator systems are presented. All of them operate more or less within the same model:

    • The victim accesses the landing page; and
    • Criminals control all the steps by using a C2 panel available on the same webserver or a C2 server geolocated in Brazil.

 

Regarding this orchestration C2s, criminals are able to request details step-by-step in real-time, as illustrated below.

 

#Phishkit 1

Figure 14: Phishkit with a C2 panel available on the same server. All the data is requested step by step by operators.

 

As seen, on the same server where the phishing page is hosted, a C2 panel is included. This panel allows step-by-step control of the data requested from victims. In the image above, the dashboard and a window where the request for 3 banking card values (secret code) is made. The victims’ details are stored on the server by using a MySQL database, usually configured via the Cpanel Host Manager system.

Figure 15:  #phishkit 1 source-code details.

 

#Phishkit 2

This scenario presents a similar process as described previously. A C2 panel available in the same server is used to control the flow on the fly by operators.

Figure 16: #phishkit 2 landing page and C2 panel.

 

Malicious operators can choose what type of data they want to request, and the information is stored on a MySQL database, just like on #phiskit 1.

 

#Phishkit 3

In this phishkit, the same modus operandi is used. The data is requested in a C2 panel on the server, but this time the details are stored in TXT.

Figure 17: #phishkit 3 – landing page and C2 panel.

 

Instead of using a DBMS, this particular phishikit manages everything with TXT files. The PHP files are responsible for creating, editing, or even deleting information from the TXT files (the database of the malicious schema).

Figure 18: TXT files that stored the victims’ data in raw format. The files are accessed (and edited) from the PHP pages of the C2 panel.

 

As expected, criminals must access the webserver to download all the details.

 

#Phishkit 4

This phishkit is built differently from the previous ones. Rather than using a panel to request data in stages, it only collects the access credentials and makes automated requests to validate the credentials in real-time. In addition, the phishkit extracts information from the legitimate servers/portals in order to populate the malicious database, including the victim’s name, credit card (number, date, and CVV number), account balance, etc.

Figure 19: #phishkit 4 – landing page, C2 panel, and API details used probably to feed a C2 server in the background.

 

This phiskit uses an API that exposes the information to be collected by a C2 in the background. Next, criminals can use them to perform other tasks.

 

#Phishkit 5

The #phiskit 5 has been used at least for the last 2 years in Portugal. The landing pages are launched on newly registered domains, either on the same day the campaign is disseminated or during the night to avoid their detection. The landing pages all communicate with C2 servers geolocated in Brazil and controlled on the fly by criminals.

Figure 20 shows some of the landing pages used by criminals.

Figure 20: Landing pages used by criminals – #phishkit 5.

 

These C2 servers have ben use used in different types of campaigns around the globe, mainly to execute and control:

    • phishing campaigns via landing pages
    • infections via conventional banking malware (Windows OS); and
    • infections via malicious APK (Android banking trojan).

 

As observed below, the C2 operators can request data step-by-step via a tailored way.

Figure 21: #phishkit 5- one of the C2 servers geolocated in Brazil.

 

Notice that the “ANUBIS” operator was highlighted because the same user appeared in a very similar campaign – ANUBIS NETWORK – THE EVOLUTION OF THE PHISHING SCHEMA. This can be a clear sign that the same group is operating these C2 servers as well.

Figure 22: Similarities of the #phishkit 5 operators vs Anubis operators.

 

More details about the Anubis phishing infrastructure analysis are below.

 

Returning to this analysis, another C2 server also operated by the same group and using the same modus operandi – but with a slightly different design – was observed operating only in Latin America. Some screens are presented below.

Figure 23: C2 server operated by the same group only in Latin American countries.

 

As mentioned above, The C2 server under analysis is also used to control infections via malicious APK. The following screen is a clear indicator of that.

Figure 24: C2 server used to control malware infections via malicious Android package (APK).

 

More details about malicious APK files operated by this group are below.

 

 

The infection process using these C2 servers can be observed in the video provided below, which exemplifies how the information is requested step-by-step by the operators.

 

Another video referring to another campaign can also be viewed here.

 

The C2 servers have a MySQL database used to keep and control all the operations, and several replicas are available on different servers geolocated in Brazil.

Figure 25: #Phishkit 5 – MySQL databases and some of the available tables with target companies. 

 

In detail, C2 was developed based on a well-structured pillar, where minimal information is sent to landing pages during the infection process. Figure 26 below presents the #phishkit 5 file tree (source-code).

Figure 26: #phishkit 5: file tree.

 

As observed, this C2 server is capable of spawning new domains based on available apache .config files. The process is completely automated, allowing criminals not to waste too much time setting up new domains.

Figure 27: C2 server and its spawning mechanism to set up new phishing domains.

 

Below is presented the complete list of configuration files available in one of the C2 servers along with the targeted organizations:

2854app.com.conf
 80.211.187.13.conf
 8032.digital.conf
 83.97.20.246.conf
 account-nb.com.conf
 accountbpm.com.conf
 aplication-santander.com.conf
 app-itau.com.conf
 app-novobanco.com-le-ssl.conf
 app-novobanco.com.conf
 app.1824-account.com.conf
 app.3215-account.com.conf
 app.3453-account.com.conf
 app.3776-account.com.conf
 app.3893-account.com.conf
 app.6354-account.com.conf
 app.account-bpm.com.conf
 app.account-santa.com.conf
 app.accountbpm.com.conf
 app.activo-online.com.conf
 app.aplicativo-itau.com.conf
 app.aplicativo-millennium.com.conf
 app.aplicativo-santander.com.conf
 app.aplicativo1-itau.com.conf
 app.att-itau.com.conf
 app.bpm-account.com.conf
 app.bpm-you.com.conf
 app.bpmaccount.com.conf
 app.cadastronovobanco.com.conf
 app.chile-itau.com.conf
 app.cl-itau.com.conf
 app.euro-bic.com.conf
 app.falabella-chile.com.conf
 app.it-account.com.conf
 app.itau-aplicativo.com.conf
 app.itau-att.com.conf
 app.itau-cl.com.conf
 app.itau-sms.com.conf
 app.liber-bank.com.conf
 app.liber-spain.com.conf
 app.liber-web.com.conf
 app.lisboaportugallima.com.conf
 app.montepionet.com.conf
 app.net-ctt.com.conf
 app.novobancocadastro.com.conf
 app.novobancopt.net.conf
 app.promo-worten.com.conf
 app.retail-santanderuk.com.conf
 app.retailsantanderuk.com.conf
 app.santa-account.com.conf
 app.santa-aplication.com.conf
 app.santa-uk.com.conf
 app.santa-update.com.conf
 app.santalondon.com.conf
 app.santander-sms.com.conf
 app.santauk.com.conf
 app.santauk.info.conf
 app.seguridad-itau.com.conf
 app.sms-itau.com.conf
 app.totta-santander.com.conf
 app.uk-santa.com.conf
 app.uk-santander.com.conf
 app.update-santa.com.conf
 app.updateacount.com.conf
 app.web-liber.com.conf
 app.you-bpm.com.conf
 appitau-tarjeta.puntosarescatar.com.conf
 bcp-online.net.conf
 bcp.unic4.com.conf
 bcpupdate.com.conf
 bpm-you.com.conf
 bpm.2259-account.com.conf
 bpm.2455-account.com.conf
 bpm.2555-account.com.conf
 bpm.3596-account.com.conf
 bpm.3622-account.com.conf
 bpm.5586-account.com.conf
 bpm.9558-accout.com.conf
 bpm.9565-accout.com.conf
 bpm.add-italy.com.conf
 bpm.italy-add.com.conf
 bpmaccount.com.conf
 cadastro.bcp-online.net.conf
 cadastro.bcpupdate.com.conf
 cadastro.unic4.com.conf
 caixa.ccadastro.com.conf
 chile-itau.com.conf
 chile.itau-sms.com.conf
 download.app-firefox.com.conf
 gdfgdgg.duckdns.org.conf
 index.html
 ingresar.programatarjetasdecreditoiupp.com.conf
 itau-app.com.conf
 itau-iupptarjetadecredito.pmpmaster.com.conf
 itau-login.com.conf
 itau-mastercardblack.pmpmaster.com.conf
 itau-tarjetacredito.gloriousbuilders.com.conf
 itau-tarjetacredito.southafricanincorporations.com.conf
 itau-tarjetadecreditoepuntos.bestquranteaching.com.conf
 itau-tarjetaiupp.calmcbdbv.com.conf
 iupp.itaupuntos.com.conf
 kkklisboalina.duckdns.org.conf
 login-itau.com-le-ssl.conf
 login-itau.com.conf
 login-nb.com.conf
 login-novobanco.com.conf
 loguin-montepio.com.conf
 loguin-novobanco.com.conf
 mille.bcp-online.net.conf
 mille.unic4.com.conf
 millennium.2533-bcp.com.conf
 millennium.2596-bcp.com.conf
 millennium.8736-bcp.com.conf
 millennium.bcp-online.com.conf
 millennium.bcp-online.net.conf
 millennium.bcpsms.online.conf
 millennium.bcpupdate.com.conf
 millennium.cadastro-mm.com.conf
 millennium.mmcadastro.com.conf
 millennium.onlinebcp.net.conf
 millennium.unic4.com.conf
 millennium.upgradebcp.com.conf
 millennium1.bcpapp.eu.conf
 millennium1.bcpupdate.com.conf
 millennium2.bcpapp.eu.conf
 millennium2.bcpupdate.com.conf
 millennium3.bcpapp.eu.conf
 millennium3.bcpupdate.com.conf
 millennium4.bcpapp.eu.conf
 millennium4.bcpupdate.com.conf
 millennium5.bcpapp.eu.conf
 millennium5.bcpupdate.com.conf
 mm-cadastro.com.conf
 mmcadastro.com.conf
 montepio-app.com.conf
 montepio-loguin.com.conf
 monzo.2854app.com.conf
 monzo.4865.digital.conf
 monzo.5815.digital.conf
 monzo.6578.digital.conf
 monzo.8032.digital.conf
 monzo1.4865.digital.conf
 monzo2.4865.digital.conf
 monzo3.4865.digital.conf
 monzo4.4865.digital.conf
 mytestar.ddns.net.conf
 nb-login.com.conf
 nbway-app.com.conf
 novobanco-app.com-le-ssl.conf
 novobanco-app.com.conf
 novobanco-cashadvanced.bwnetworkus.com.conf
 novobanco-loguin.com.conf
 novobanco-pt.com.conf
 novobancoapp.com.conf
 novobanconet.com.conf
 onlinebcp.net.conf
 particulares-nb.com.conf
 prevencionitau.com.conf
 pt-novobanco.com.conf
 pt.cadastronovobanco.com.conf
 puntos-iupp.itaupunto.com.conf
 retailapp-santanderuk.com.conf
 santa-uk.com.conf
 santa.24533-account.com.conf
 santa.4564.link .conf
 santa.4564.link.conf
 santa.4564.me.conf
 santa.uk-account.com.conf
 santander.2783.online.conf
 santander.2783.work.conf
 santander.3378.me.conf
 santander.4439.me.conf
 santander.4649.digital.conf
 santander.4865.digital.conf
 santander.5128.digital.conf
 santander.5324.me.conf
 santander.5722.link.conf
 santander.5722.me.conf
 santander.6453.live.conf
 santander.6453.work.conf
 santander.73257.live .conf
 santander.73257.live.conf
 santander.73257.me.conf
 santander.73257.online.conf
 santander.cadastropt.com.conf
 santander.mobile-registrations.com.conf
 santander.registration-mobile.com.conf
 santander.uk-account.com.conf
 santander.uk-upgrade.com.conf
 santander.ukapp.site.conf
 santander.up-dateuk.com.conf
 santander.upadegb.com.conf
 santander.updateuk.site.conf
 santander1.upadegb.com.conf
 seguridad.itau-app1.com.conf
 smart-nb.com.conf
 sms-itau.com.conf
 soadtest.ddns.net.conf
 tarjetadepontos.clavantecl.com.conf
 tarjetaitau.iuppnuevospuntos.com.conf
 testimento.duckdns.org.conf
 unic4.com.conf
 useriupp.itauweb.com.conf
 userpuntos.puntoitau.com.conf
 userspuntos.puntoitau.com.conf
 www.resgatepuntos.org.conf
 you-bpm.com.conf

 

In detail, there is a blocking mechanism if C2 is accessed from an IP contained in the blacklist (Figure 28 shows only the partial IP address list).

Figure 28: Blacklist mechanism found on the C2 server. This list is used both in the C2 server and landing-page servers.

 

When criminals choose one of the following options/commands:

    • Acesso Inválido
    • Coord SMS Inválido
    • SMS Inválido
    • Coord Inválido
    • SMS Inválido
    • Anotação
    • Finaliza
    • Coordenada
    • Coord SMS
    • Pergunta
    • Pedir SMS
    • SMS Valor Inválido
    • Pergunta Inválido
    • Matriz Inválido
    • Matriz; e
    • SMS Valor

 

the files with the HTML code sent to the victim screen are loaded from the: forms directory. The complete list of files and target brands are detailed below.

forms_abanca.php
forms_activo.php
forms_azteca.php
forms_bancomer.php
forms_bancomer_emp.php
forms_banorte.php
forms_bbva_es.php
forms_bbva_es_emp.php
forms_bbva_pe.php
forms_bci.php
forms_bci_empresa.php
forms_bella.php
forms_bella_emp.php
forms_bice.php
forms_bnl.php
forms_bnp_fr.php
forms_bper.php
forms_bpi.php
forms_bpi_emp.php
forms_bpm.php
forms_bpm_emp.php
forms_caixa_es.php
forms_caixa_es_emp.php
forms_cgd.php
forms_cgd_emp.php
forms_chile.php
forms_chile_2.0.php
forms_chile_emp.php
forms_citibanamex.php
forms_cl_itau.php
forms_cl_scotia.php
forms_cl_scotia_emp.php
forms_credem.php
forms_ctt.php
forms_desco.php
forms_estado.php
forms_estado_emp.php
forms_es_ing.php
forms_eurobic.php
forms_fineco.php
forms_fr_bpost.php
forms_fr_societe.php
forms_hsbc_mx.php
forms_inter_pt.php
forms_inter_pt_emp.php
forms_intesa.php
forms_itau.php
forms_itau_emp.php
forms_liberbank.php
forms_milenium.php
forms_milenium_emp.php
forms_montepio.php
forms_montepio_emp.php
forms_mps.php
forms_n26.php
forms_nb.php
forms_nl_belfius.php
forms_poste.php
forms_pt_credito_agricola.php
forms_pt_credito_agricola_emp.php
forms_santa.php
forms_santa_emp.php
forms_santa_es.php
forms_santa_mx.php
forms_santa_pt.php
forms_santa_pt_emp.php
forms_scotia_blue.php
forms_scotia_blue_emp.php
forms_scotia_mx.php
forms_scotia_red.php
forms_scotia_red_emp.php
forms_ubibanca.php
forms_uk_mbna_off.php
forms_uk_metrobank.php
forms_uk_monzo-bkp.php
forms_uk_monzo.php
forms_uk_santa.php
forms_uk_santa_emp.php
forms_uk_santa_emp_off.php
forms_uk_santa_off.php
forms_uk_santa_off_emp.php
forms_unicredit.php
forms_webank.php
gerente_fisico.php

 

On the other way, the “gerente_”  PHP files are the orchestrators for each target brand, when the mentioned options/commands are available and coded.

Figure 29: Source code of the gerente PHP files – C2 commands.

 

Regarding the users’ permissions, the system includes two different user roles:

    • Administrator; and
    • Operators.

 

The operators have the role of managing and controlling infections, requesting data, and finalizing the malicious process. In contrast, the administrator is capable of adding new users, editing users, configuring new spawners (phishing domains), enabling more target brands, and so on. Details and part of the source code about these features are present in Figure 30.

Figure 30: #phishkit 5 administrative operations – source code.

 

 

Final Thoughts

Phishing and malware campaigns make headlines every day. Phishing scams in particular have increased in volume and sophistication in recent years, making early detection hard.

There are several groups utilizing this type of scheme and obtaining email lists, malware, and FUD codes from underground forums, that are mainly paid via cryptocurrencies (Monero and Bitcoin). Many groups operate both phishing and malware campaigns at the same time, e.g. trojan URSA seems to be also operated by the same group of the C2 server analyzed above.

In this sense, monitoring these types of IoCs is a crucial point now, as it is expected that in the coming weeks or months new infections or waves can appear.

From the Internet end users’ point of view, it’s important to equip them with strategies to fight this emerging threat and provide train in general. For instance, every time we receive an email from the bank, we need to question ourselves:

    • Can the bank ask for my secrets by email? (it’s a trap)
    • Am I in debt or do I have to pay something to the bank? (it’s a trap) … just confirm the situation, call by phone.
    • Let me check the FROM address … seems weird (it’s a trap)
    • If I click on the URL inside the email, first I need to check out the domain …probably it will not be the official one 😉 (it’s a trap again)
    • Let me check if the certification authority is the same as the official home banking platform. You will see: a trap again.

 

Last but not least, if you have doubts or find any suspicious URLs, emails, or junk, just drop us a line here, we’ll be happy to help and take a cup of coffee.

Phishing and malware URLs can also be submitted into 0xSI_f33d, a Virus Total official ingestor.

 

Thank you to all who have contributed 😉

 

 


2 Replies to “Taking the bait: The modus operandi of massive social engineering waves impacting banks in Portugal

Deixe um comentário

O seu endereço de email não será publicado. Campos obrigatórios marcados com *