
Indeed.com Open Redirect Flaw Exploited by Phishers to Attack US Executives

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A recent phishing campaign targeting the Microsoft 365 accounts of senior executives in the US was seen exploiting an open redirect vulnerability in the popular job site Indeed.com.

Discovered by researchers at Menlo Security, the campaign, which started in July 2023, used the EvilProxy phishing framework. This reverse-proxy service lets phishers harvest session cookies and bypass multi-factor authentication (MFA) that is not phishing-resistant.

According to the report, the campaign was directed at C-suite and other high-ranking executives from the banking and financial, insurance, property management and real estate, electronic components, and other manufacturing industries in the US.

The targeted victims were first sent a phishing email containing a seemingly legitimate indeed.com link. When clicked, it redirected the victim to a fake Microsoft login page deployed on the EvilProxy phishing-as-a-service platform.

The phishing site acts as a reverse proxy, letting the actor intercept the target’s real requests and responses. It fetches page content dynamically from the legitimate Microsoft website, and the harvested session lets the actor impersonate the victim and access their Microsoft 365 account.
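The lure in this campaign is a link on a trusted domain whose query string carries a second, external URL. The detection below is an added illustration, not code from Menlo Security or Indeed: it scans a constructed e-mail body for links on an assumed trusted-host allowlist whose parameters embed an absolute (or protocol-relative) URL to a host outside that allowlist.

```python
"""Flag open-redirect-style links: a URL on a trusted host whose query
string carries an absolute URL pointing at some other host."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Bare http(s) URLs up to the next whitespace or HTML/quote delimiter.
URL_RE = re.compile(r"https?://[^\s<>'\"]+")

# Assumed allowlist; the real list would come from the organisation's policy.
TRUSTED_HOSTS = {"indeed.com", "www.indeed.com"}

# Constructed sample e-mail body (hosts are reserved .invalid names).
SAMPLE_EMAIL = (
    "Your application update: "
    "https://www.indeed.com/rc/clk?jk=abc123&url=https%3A%2F%2Flogin-example.invalid%2Fauth "
    "Browse roles at https://www.indeed.com/jobs?q=engineer "
    "or https://www.indeed.com/clk?dest=%2F%2Fbad.invalid%2Fsignin"
)


def _embedded_targets(url):
    """Yield (param_name, host) for each query value that is itself a URL."""
    parsed = urlparse(url)
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)          # parse_qs decoded once; handle double encoding
            if value.startswith("//"):      # protocol-relative targets also redirect
                value = "https:" + value
            target = urlparse(value)
            if target.scheme in ("http", "https") and target.netloc:
                yield name, (target.hostname or "").lower()


def suspicious_redirects(text, trusted_hosts):
    """Return (link, param, external_host) for every trusted-host link whose
    query embeds a URL to a host outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for link in URL_RE.findall(text):
        host = (urlparse(link).hostname or "").lower()
        if host not in trusted:
            continue                        # not a trusted-domain lure; out of scope here
        for param, ext_host in _embedded_targets(link):
            if ext_host not in trusted:
                findings.append((link, param, ext_host))
    return findings


if __name__ == "__main__":
    for link, param, ext_host in suspicious_redirects(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"open-redirect lure: {link} (param {param!r} -> {ext_host})")
```

The same check applied server-side, with the redirect target validated against the allowlist before issuing the redirect, is the fix on the site's side.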

While investigating, the cybersecurity company confirmed the use of the EvilProxy mechanism by pointing to indicators such as domains hosted on Nginx servers and the use of Microsoft’s Ajax CDN to collect page content dynamically.

“The reverse proxy fetches all the content that can be dynamically generated, like the login pages, and then acts as the adversary in the middle by intercepting the requests and responses between the victim and the legitimate site. This helps in harvesting the session cookies, and this tactic can be attributed to the usage of the EvilProxy phishing kit,” Menlo Security revealed.

To conclude, Menlo stated that this form of attack, which starts with an account compromise, can result in business email compromise and huge financial losses. “Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise, where the potential impact could range from identity theft and intellectual property theft to massive financial losses.”


BunnyLoader: Novel Feature-Rich MaaS Targets Cryptocurrencies and VPNs

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A dangerous new malware-as-a-service (MaaS) is up for sale on various dark web forums. The multi-feature malware, called BunnyLoader, comes laden with functionality ranging from stealing system and browser information to executing a second-stage payload.

With regular bug fixes and feature updates, the MaaS tool’s basic version is available for $250 (lifetime license). The ‘payload + stub’ version, featuring advanced anti-analysis and persistence techniques, bug fixes, database access, and more, is available for $350, Zscaler ThreatLabz researchers revealed.

Written primarily in C/C++, the tool is a fileless loader that uses various sandbox-detection and antivirus-evasion techniques to avoid detection. Since its launch in early September, BunnyLoader has gained further capabilities.

Its command-and-control (C2) panel lets an operator perform various tasks, including keylogging via an integrated keylogger, deploying additional malware, executing commands remotely, monitoring the clipboard, hijacking cryptocurrency wallet addresses, and stealing credentials.

The C2 panel also lets the threat actor track the success of their campaign by showing infection statistics, ongoing tasks, stealer logs, and the total number of connected and disconnected devices.

The cloud security company also described how BunnyLoader works, based on analysis of a sample of the MaaS tool. The malware maintained persistence by creating a new registry value, created a mutex, performed various evasion checks, and connected to its C2 server.

Once connected to the C2, the malware can exfiltrate system information such as the host’s location, IP address, system version, administrative privileges, and the antivirus product in use.

In addition to monitoring and stealing from the host, the malware has modules to harvest credentials from various browsers, VPN clients (OpenVPN and ProtonVPN), messaging applications, and cryptocurrency wallets.

All stolen data is compressed into a ZIP archive and sent to the threat actor’s C2 server.

According to the researchers, the malware will continue to gain prominence due to its feature-rich capabilities. “BunnyLoader is a new MaaS threat that is continuously evolving its tactics and adding new features to carry out successful campaigns against its targets.”