ConnectIDX - Phishing Kit Type

#ConnectIDX #PhishingKitType #phishing #phishingkit

The ConnectIDX Phishing kit may target Microsoft products.

The kit has files like:
\.htaccess
\blocker.php
\connectID.php
\connectIDX.php
\forward.php
\login.php


It may have a subfolder with seemingly duplicated files:
\source
\source\files  (contains images and icons)



The file connectID.php references forward.php, which contains the #threatactoremail.
index.php and forward.php may reference blocker.php.




connectID.php and connectIDX.php may contain this text:
// This is an ugly hack until there is a reliable ondomready function
Th@ w@s yOur LOG : SeNt tO


index.php may have code to recursively generate random sub-folders:

$randoms=rand(0,100);
$md5=md5($randoms);
$base=base64_encode($md5);
$dst="cmd-login=".md5("$base");
function recurse_copy($src,$dst) {
$dir = opendir($src);
@mkdir($dst);

Thus URLs may end like this:
.../cmd-login=870dcac37e414745bc4bf25f50508247/3ncbu4q5rbt4tn7lrq1wu914.php?...
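
A detection sketch built from the file names, marker strings and index.php snippet above (an added example, not code from the kit or from this post). It assumes a kit uses the snippet unchanged, in which case rand(0,100) allows only 101 possible folder names; the function names, sample listing and phish.example host are constructed for illustration.

```python
import base64
import hashlib
import re

# File names the page lists for the kit (compared case-insensitively).
KIT_FILES = {".htaccess", "blocker.php", "connectid.php", "connectidx.php",
             "forward.php", "login.php"}
# Strings the page says connectID.php / connectIDX.php may contain.
KIT_STRINGS = ("Th@ w@s yOur LOG : SeNt tO",
               "ugly hack until there is a reliable ondomready function")
FOLDER_RE = re.compile(r"/(cmd-login=[0-9a-f]{32})/")


def folder_name(n):
    """Mirror the index.php snippet: "cmd-login=" . md5(base64_encode(md5(n)))."""
    inner = hashlib.md5(str(n).encode()).hexdigest()
    encoded = base64.b64encode(inner.encode())
    return "cmd-login=" + hashlib.md5(encoded).hexdigest()


# rand(0,100) is inclusive in PHP, so the snippet can only yield 101 names.
SNIPPET_FOLDERS = {folder_name(n) for n in range(101)}


def classify_url(url):
    """Return 'snippet-derived', 'pattern-only' or 'no-match' for a URL."""
    m = FOLDER_RE.search(url)
    if not m:
        return "no-match"
    return "snippet-derived" if m.group(1) in SNIPPET_FOLDERS else "pattern-only"


def kit_file_hits(paths):
    """Return the listed kit file names present in an archive listing."""
    names = {re.split(r"[\\/]", p)[-1].lower() for p in paths}
    return sorted(names & KIT_FILES)


def string_hits(text):
    """Return which of the page's marker strings occur in a file's text."""
    return [s for s in KIT_STRINGS if s in text]


if __name__ == "__main__":
    # Constructed archive listing and URL, for illustration only.
    listing = ["kit\\connectID.php", "kit\\forward.php", "kit\\source\\files\\logo.png"]
    print(kit_file_hits(listing))
    print(classify_url("http://phish.example/" + folder_name(42) + "/abc.php?x=1"))
```

A 'pattern-only' result means the URL has the cmd-login= shape but the folder was not produced by the snippet as quoted, so treat it as a weaker signal.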

Some files have HTML comments that reference the Knockout conditional comment ("ko if:").



example 1
http://outlook-office.tokoaudio.co.id/2019OUTLOOK.zip
https://www.virustotal.com/#/file/27696c1d68f45c5c25d7bde25a8148a10ac73be3152f7742af5f46821ee6ac9e/detection
ba2b9fcd878cc0cc1b7b76dc3e3736f3

example 2
https://github.com/packetrat/phishing-kits-I-found/tree/master/1184577

example 3
md5 814aee897d1a6c0259b600fcf7a67aaa
https://www.virustotal.com/#/file/b76e78239064a292ff356d23a22eab1e503e792eb30603ed624b3c6051e1980b/detection
http://anhast.ga/bin/2018NORMOFFICEv2.zip

example 4
md5 67269215ad587b280f1c2b533a1f6928
https://www.virustotal.com/#/file/5922f1323fd8d4e7f785cb12682e9e10acf545c5ab92c34f197e68b4a94cd900/detection
http://rgho.st/8fKN5L5H9



more examples
https://www.pxintelligence.com/snapshots/31519/
https://www.pxintelligence.com/snapshots/13968/
rgho.st/8fKN5L5H9
