Kerio - Phishing Kit Type
#kerio #PhishingKitType #phishing #phishingkit
@IpNigh documented a phishing kit that stands out for two traits: its credential-handling code uses variable names built around the word "kerio" (the POST fields "kerio_u" and "kerio_p", plus "kerio" references in the bundled login scripts, which suggests a Kerio webmail login lure), and index.php serves each visitor a fresh copy of the login page under a randomly generated PHP filename rather than a fixed one.
folder structure
\.htaccess
\api.php (a list of banned IPs and keywords)
\connect.php (uses the geoplugin.net API; reads the POST variables "kerio_u" and "kerio_p")
\go.php
\home.php
\login.php
\index.php (redirects the visitor to a copy of \home.php saved under a random filename)
\mail.php (contains the #threatactoremail, i.e. the drop address)
\robots.txt
\sync.php (fingerprints the victim's OS and browser)
\login_files\generatedDefaults.js (references "kerio")
\login_files\loginDialog.js (references "kerio")
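The layout above is specific enough to fingerprint an unpacked copy of the kit (for example the contents of an update.zip pulled from a compromised host). The following is an added example, not code from the page or from the kit: it checks a directory or zip archive for the documented file names, the "kerio_u"/"kerio_p"/"geoplugin.net" strings, leftover per-visitor random .php copies, and the drop address in mail.php. The scoring weights, the threshold, the random-filename length bound and the constructed sample kit are all assumptions made for this illustration.

```python
"""Fingerprint an unpacked phishing kit against the "kerio" layout documented above.

Added example, not the page's or the kit's own code. Indicators come from the
documented file list; weights, threshold and the sample kit are assumptions.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# File layout documented for the kit (forward-slash relative paths).
EXPECTED_FILES = {
    ".htaccess", "api.php", "connect.php", "go.php", "home.php", "index.php",
    "login.php", "mail.php", "robots.txt", "sync.php",
    "login_files/generatedDefaults.js", "login_files/loginDialog.js",
}
# Strings the write-up calls out, with where they are expected to appear.
STRING_INDICATORS = {
    "kerio_u": "credential POST variable (connect.php)",
    "kerio_p": "credential POST variable (connect.php)",
    "geoplugin.net": "victim geolocation lookup (connect.php)",
}
# index.php copies home.php under a random name per visitor; leftover copies
# look like this. The 8+ alphanumeric length bound is an assumption.
RANDOM_PHP = re.compile(r"^[A-Za-z0-9]{8,}\.php$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def _list_files(root: Path) -> dict:
    """Map relative POSIX path -> Path for every file under root."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def fingerprint_kit(root) -> dict:
    """Score a directory against the documented kit layout and return the evidence."""
    root = Path(root)
    files = _list_files(root)
    matched_files = sorted(EXPECTED_FILES & files.keys())
    string_hits = {}
    for rel, path in files.items():
        text = path.read_text(encoding="utf-8", errors="replace")
        for needle in STRING_INDICATORS:
            if needle in text:
                string_hits.setdefault(needle, []).append(rel)
    random_copies = sorted(
        rel for rel in files
        if Path(rel).name not in EXPECTED_FILES and RANDOM_PHP.match(Path(rel).name)
    )
    drop_emails = []
    if "mail.php" in files:
        drop_emails = sorted(set(EMAIL_RE.findall(files["mail.php"].read_text(errors="replace"))))
    # Weights are an assumption: the kerio_*/geoplugin strings are the most specific signal,
    # random copies are capped so a long-running install does not dominate the score.
    score = len(matched_files) + 3 * len(string_hits) + 2 * min(len(random_copies), 3)
    return {
        "matched_files": matched_files,
        "string_hits": string_hits,
        "random_copies": random_copies,
        "drop_emails": drop_emails,
        "score": score,
        "verdict": "kerio-kit" if score >= 15 else "inconclusive",
    }


def fingerprint_zip(zip_path) -> dict:
    """Extract a kit archive (e.g. update.zip) to a temp dir, guarding against zip-slip, and score it."""
    with tempfile.TemporaryDirectory() as tmp, zipfile.ZipFile(zip_path) as zf:
        base = Path(tmp).resolve()
        for member in zf.infolist():
            target = (base / member.filename).resolve()
            if target != base and base not in target.parents:
                raise ValueError(f"refusing unsafe archive member: {member.filename}")
        zf.extractall(tmp)
        return fingerprint_kit(tmp)


def build_sample_kit(dest) -> Path:
    """Write a constructed stand-in for the kit (not the real files) for testing."""
    dest = Path(dest)
    (dest / "login_files").mkdir(parents=True, exist_ok=True)
    sample = {
        ".htaccess": "Options -Indexes\n",
        "api.php": "<?php $banned_ips = ['66.249.']; $banned_words = ['google', 'phish'];\n",
        "connect.php": "<?php $u = $_POST['kerio_u']; $p = $_POST['kerio_p'];\n"
                       "$geo = file_get_contents('http://www.geoplugin.net/json.gp?ip=' . $_SERVER['REMOTE_ADDR']);\n",
        "go.php": "<?php header('Location: https://example.invalid/');\n",
        "home.php": "<html><body>login</body></html>\n",
        "index.php": "<?php $n = substr(md5(rand()), 0, 16) . '.php'; copy('home.php', $n); header('Location: ' . $n);\n",
        "login.php": "<html><form method='post' action='connect.php'></form></html>\n",
        "mail.php": "<?php $to = 'actor@example.invalid';\n",
        "robots.txt": "User-agent: *\nDisallow: /\n",
        "sync.php": "<?php $ua = $_SERVER['HTTP_USER_AGENT'];\n",
        "login_files/generatedDefaults.js": "var kerio = {};\n",
        "login_files/loginDialog.js": "kerio.loginDialog = {};\n",
        "e9f1a7c3b2d4f6a8.php": "<html><body>login</body></html>\n",  # leftover per-visitor copy
    }
    for rel, body in sample.items():
        (dest / rel).write_text(body)
    return dest


def demo() -> dict:
    """Pack the constructed sample kit into an update.zip and fingerprint it through the archive path."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = build_sample_kit(Path(tmp) / "kit")
        archive = Path(tmp) / "update.zip"
        with zipfile.ZipFile(archive, "w") as zf:
            for p in kit.rglob("*"):
                if p.is_file():
                    zf.write(p, p.relative_to(kit).as_posix())
        return fingerprint_zip(archive)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point fingerprint_kit() at a real extracted kit (or fingerprint_zip() at the archive) to get the matched files, the indicator strings with the files they appear in, any stale random-named copies of home.php, and the drop address; the verdict is only a convenience threshold, so review the evidence fields when triaging.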
example 1:
MD5: 9d0c6c402110383c7e47b9cf7d7e5870
https://www.virustotal.com/#/file/5dabbf0073cb02eae0abbc2e931c334355b101f6443bd5410f175d5fd824ca2c/community
kit archive (defanged): hxxp://savannahcoachworks-co-za[.]ga/update.zip
References
https://twitter.com/IpNigh/status/1132244069839790080
https://urlscan.io/result/ab8e6862-7425-4363-9e20-f4819f47cd51/