ANUBIS phishing infrastructure: Modus operandi of a global phishing schema that impersonates several organizations in Portugal and Brazil and is ready to expand to other countries.

Introduction

Since the beginning of November 2020, a large-scale phishing campaign has been hitting organizations located mainly in Brazil and Portugal. The operation impersonates home-banking portals and applications and aims to steal credentials that give full access to the real systems. The malicious network relies on a central sync server that synchronizes all data between the front-end servers, which host the malicious landing pages (phishkits), and the back-end server, where a back-office is installed that allows the operators to control the entire operation.

Figure 1: High-level diagram of the ANUBIS phishing network and its components.

Campaigns of this nature are not new, and are generally composed of four crucial operating components:

  • the delivery vehicle that propagates the landing page in the wild, usually smishing (SMS) and phishing (email);
  • a malicious landing page hosted on a cloud server, with a user interface and layout very similar to the real system;
  • optionally, an intermediate server responsible for synchronizing all the network servers (as in the ANUBIS network); and
  • an operation back-end that allows criminals to manage the details of the users who have fallen into the trap.

Figure 2 presents an example of the SMS and phishing email sent to Internet end-users during the ANUBIS social engineering wave. The images relate to an impersonated Portuguese banking organization used to lure the victims.

Figure 2: Example of SMS and email sent during the social engineering wave.

From domain acquisition to phishing delivery

Criminals register new domains, usually the day before a new phishing wave begins. This makes detecting the malicious domains harder, because the interval between registration and campaign dissemination is very short, although many monitoring systems and EDRs block domains whose creation date falls within a specific threshold (for example, 10 days).

Days or weeks before the campaign spreads, the criminals have already prepared the malicious ecosystem, with the phishkits installed on the front-end servers. After acquiring the domain, usually during the night before the mass distribution of the campaign, the only remaining step is to point its DNS to the server that will serve the malicious landing page to victims.
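As an added example (not code from the article, nor anything from the ANUBIS operators), the following Python implements the kind of domain-age check described above and combines it with a lookalike heuristic for the hyphen-split brand names and "login." host labels used by this campaign; the RDAP record, brand keywords and domains are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed list of brand keywords a monitored organisation might watch for.
BRAND_KEYWORDS = ("mercado", "montepio", "cef")
# Threshold in the spirit of the "10 days" rule mentioned in the text.
NEW_DOMAIN_THRESHOLD = timedelta(days=10)


def registration_date(rdap):
    """Return the 'registration' eventDate of an RDAP domain object, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; fromisoformat needs +00:00 instead of Z.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def lookalike_hits(domain):
    """Brand keywords that appear once hyphens and dots are stripped from the host part."""
    labels = domain.lower().rstrip(".").split(".")
    flat = "".join(labels[:-1]).replace("-", "")  # drop the TLD, join the rest
    return [kw for kw in BRAND_KEYWORDS if kw in flat]


def assess(domain, rdap, now):
    """Return the reasons a domain looks like a fresh phishing host (empty = none)."""
    reasons = []
    reg = registration_date(rdap)
    if reg is not None and now - reg < NEW_DOMAIN_THRESHOLD:
        hours = (now - reg).total_seconds() / 3600
        reasons.append(f"registered {hours:.0f} h ago")
    hits = lookalike_hits(domain)
    if hits:
        reasons.append("lookalike of " + ",".join(hits))
    if domain.lower().startswith("login."):
        reasons.append("login. host label")
    return reasons


# Constructed RDAP record: registered the night before a wave (UTC).
SAMPLE_RDAP = {"events": [{"eventAction": "registration",
                           "eventDate": "2020-12-17T22:10:00Z"}]}
NOW = datetime(2020, 12, 18, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for d in ("login.merc-ado-seguro.com", "example.org"):
        print(d, assess(d, SAMPLE_RDAP, NOW))
```

In production the RDAP object would come from the registry's RDAP endpoint and `now` from the clock; the heuristic is deliberately simple and meant as a triage signal, not a verdict.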

At the same time, SMS gateways from different providers are used to send messages to lists of target users, obtained from other campaigns or acquired by the criminals through other malicious vectors.

Many campaigns using this phishing network have been detected since mid-November 2020; Figure 3 presents some of their landing pages.

Figure 3: Examples of phishkits used between November and December 2020 by ANUBIS network operators.

Within the Portuguese cyberspace, there is a tool that allows monitoring this type of fake domain based on intel and big data, coupled with strong contributions from the community – 0xSI_f33d. All the IOCs presented here were obtained from this feed and were also submitted online.

A specific front-end server from ANUBIS network that impacted Portuguese Internet end-users

In mid-December 2020, a landing-page running on a front-end server of the ANUBIS phishing network impacted end-users of a specific banking organization geolocated in Portugal.

In detail, the structure and layout of the phishing pages are very similar to the legitimate pages of the target organizations, which leads many users to believe that they are using, in fact, the real system.


Figure 4: Landing-page used in a specific campaign in Portugal (December 18th, 2020).

In order to lure victims to the malicious scheme and bypass security appliances such as firewalls, antivirus, anti-spam blacklists, and EDRs, the criminals place the landing pages behind the Cloudflare Content Delivery Network (CDN), which masks the original IP addresses and also provides a valid, trusted digital certificate issued by Cloudflare.

Figure 5: Digital certificate from Cloudflare used by malicious landing-pages.

The source code of all the analyzed templates was encoded and is only decoded with JavaScript's unescape() when the page loads. This is meant to defeat detection systems that match on keywords in the raw page, so that the malicious scheme remains undetected for a long period of time.

Figure 6: Landing-page source-code obfuscated and then unescaped via JavaScript when the page is loaded in the clients' web-browsers.

As mentioned, with this mechanism in place, bypassing security appliances is possible.
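To give defenders a concrete handle on this wrapper, here is an added Python helper (not from the article, nor from the phishkit) that statically unwraps document.write(unescape("...")) layers and then applies the keyword and form-action checks the obfuscation is meant to defeat; the sample page and keyword list are constructed.

```python
import re

# Matches the unescape("...") call the kits wrap their markup in.
UNESCAPE_CALL = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
# JavaScript unescape() decodes %uXXXX (UTF-16 code unit) and %XX (one byte).
ESC_SEQ = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# Constructed keyword list a naive scanner would look for in the raw HTML.
KEYWORDS = ("password", "senha", "token", "sms", "codigo")


def js_unescape(s):
    """Python equivalent of the legacy JavaScript unescape() function."""
    return ESC_SEQ.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_layers(html, max_depth=5):
    """Unwrap nested unescape() payloads until plain markup remains."""
    for _ in range(max_depth):
        payloads = UNESCAPE_CALL.findall(html)
        if not payloads:
            break
        html = "".join(js_unescape(body) for _quote, body in payloads)
    return html


def scan(html):
    """Decode first, then run the keyword/form checks on the real markup."""
    decoded = decode_layers(html)
    keywords = sorted(k for k in KEYWORDS if k in decoded.lower())
    actions = re.findall(r'<form[^>]*\saction=["\']?([^"\'\s>]+)', decoded, re.I)
    return {"obfuscated": decoded != html, "keywords": keywords, "form_actions": actions}


# Constructed sample page: the form is percent-encoded and written at load time,
# so the raw HTML contains none of the keywords above.
INNER = ('<form action="https://example.invalid/auth.php">'
         '<input type="password" name="senha"></form>')
SAMPLE_PAGE = ('<html><body><script>document.write(unescape("'
               + "".join(f"%{ord(c):02X}" for c in INNER)
               + '"))</script></body></html>')

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

A crawler that records "obfuscated" together with a credential form posting to a host other than the page's own domain has a much stronger signal than keyword matching on the raw response alone.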

 

Controlling the victim’s origin

When a victim accesses the malicious landing page, some details of the HTTP connection are collected, including the remote IP address. The system then queries a third-party service to geolocate the victim and checks whether the resulting location is in the white-list of allowed addresses.

Figure 7: Landing-pages check if the victim's access is in the range of allowed IP addresses.

Data synchronization process

Both components of the network, the landing pages on the front-end servers and the back-office installed on the back-end server, talk to an intermediate synchronization server that runs a database to keep all the network services up to date in real time.

The source code presented in Figure 8 is only present on the front-end servers, where it is used to sync data. The code used to sync data on the back-end servers is slightly different and is analyzed towards the end of the article.

Figure 8: Source-code from front-end servers used to synchronize all the data on the ANUBIS network.

In detail, each campaign has a key registered in the database so that data is correctly synchronized between the different servers of the malicious ecosystem. This key is also associated with the domain registration key from Cloudflare, a process also performed by ANUBIS operators on the back-end server.

All the phishkit pages have a synchronization mechanism embedded, which allows criminals to follow the victim's navigation step by step, as presented below.

Figure 9: Data synchronization between front-end servers (phishkits) and intermediate server.

Below, we present some images from the phishkit analyzed in this article, which targeted Portuguese Internet end-users. Several pieces of data are requested during the process, namely the username/password used to authenticate to the banking portal, the SMS token, and additional secret codes.

Figure 10: Screenshots from the phishkit analyzed during this article and that affected Portuguese Internet end-users mid-December 2020.

Intermediate sync server

Looking at the intermediate sync server, it is possible to identify PHP files related to several organizations located in Brazil and Portugal, and it is clear that the ecosystem is still under development by the criminals.

Figure 11: Artifacts collected from the intermediate sync server.

In addition, this server runs a MySQL database – the heart of the network, used to store and synchronize the state of all its components.

ANUBIS back-end: The backoffice

Criminals control the entire process through a back-office portal, called ANUBUS by its developers. The portal is also hosted behind the Cloudflare CDN, and it receives tasks from and sends tasks to the intermediate sync server – effectively a command-and-control (C&C) server.

Figure 12: Authentication page of ANUBIS backoffice portal.

In detail, each operator in the back-office is responsible for monitoring the infections of a particular campaign, as can be seen in the image below: on the left, a campaign launched in Portugal, and on the right, a campaign from Brazil.

Figure 13: Dashboard of ANUBIS backoffice portal with the victims' status in real time.

By opening each entry (a victim's infection), the operator can request additional data step by step and in real time. At the same time, the criminals use the requested information to authenticate, in the background, on the legitimate portals. The same kind of operation is found in several popular Brazilian banking trojans such as Lampion, Grandoreiro, and URSA.

Figure 14: Page where ANUBIS operators can control the entire victim infection in real-time.

ANUBIS operators work on specific, assigned campaigns, as mentioned above. Operators can view and interact only with the phishing schemes attributed to them, which are defined beforehand in the back-office portal as user roles. This works as a kind of access control mechanism.

Figure 15: Operators of ANUBIS network.

The data shown on a specific operator's dashboard is obtained from the intermediate sync server based on the operator ID. This process is responsible for keeping the victims' data up to date, as presented below.

Figure 16: Data synchronization between the backend and the intermediate server according to the operator ID.

ANUBIS – Domain management

The ANUBIS network phishing campaigns, as already mentioned, are masked behind the Cloudflare CDN. Operators can easily set this up through an interface that uses the Cloudflare API to configure new DNS zones.

Figure 17: Feature of adding new domains and configuring them behind the Cloudflare CDN via the ANUBIS backoffice portal.

The heart of the ANUBIS network is a MySQL database. This database is used for data synchronization between all components of the malicious ecosystem and keeps everything up to date every second.

Figure 18: Database schema of the ANUBIS phishing network.

Final Thoughts

Phishing campaigns are increasingly sophisticated, both in their ability to bypass security protection systems and in the way the criminals operate them. The latest network-based phishing scams operate almost in real time, with criminals in the background controlling the victims' activity until they reach their goal.

Internet end-users are an important piece within this context, as they are the real target, repeatedly lured into accessing fake pages and handing their data to cybercriminals. To face this problem, awareness training and education on social engineering are needed, as email continues to be the most powerful cyberweapon for reaching victims.

On the other side, we recommend that financial institutions look at these threats closely, while improving their authentication processes, boosting anti-fraud technology and their intel data.

0xSI_F33d is a solution that can help you identify these kinds of schemes early. Based on cyber intel and big data, and supported by a healthy community of contributors, it offers a user-friendly API that integrates with a large part of the security appliances available on the market.

Finally, all the details, IoCs, and important data relating to this threat are available below.

Indicators of Compromise (IoCs)

-- Domains front-end / 27-12-2020 --
-- Domain / IP address intermediate sync server --
doc-me.]online
151.106.104.]245

-- Domain back-end server / ANUBIS backoffice portal --
171.anubis171.]com

-- Operators email address --