RedirectToInbox - Phishing Kit Type
#RedirectToInbox is a #phishingkit being used to steal Microsoft passwords
The commonalities I've seen in this kit are
- Contain file named "redirecttoinbox.php"
- Targets Microsoft passwords
The "redirecttoinbox.php" file appears to have 2 variants
1.) The first variant redirects the user to a benign Word document after the password is posted.
windows.location='images/sharedFile.docx'
examples:
https://www.virustotal.com/#/file/ffee04fff010c1386f3dcc7fd3f87599b2ebcf7857f7980cb21d4b15c43fa7be/detection (from account-serv-v64[.]gq )
https://app.any.run/tasks/31eb90bb-349c-498e-8405-9e8a86371149/ (from paginasweb.consultoriaig[.]es )
2.) The second variant redirects the user to the real Microsoft login page after the password is posted.
windows.location='https://login.microsoftonline.com/...'
examples:
https://app.any.run/tasks/6040c8be-3d5c-4dd0-8ca1-41423525c1cb/ ( from www.telefonica.zbadyta[.]com )
I also found 2 instances of this kit type that were modified to target YouMail instead of Microsoft, but the Style/Theme and coloring still looked like Microsoft.
examples:
https://app.any.run/tasks/454c7f12-57aa-4018-9b7f-8f4c2aaa99a4/ ( from liberty-usa[.]co[.]il )
https://app.any.run/tasks/fef354cd-d87b-41bc-a0d5-e03879f5a681/ ( from icosyndicate[.]co )
@ActorExpose has a 3rd documented example here same concept
folder structure
\biym\submit.php (references geoiptool.com, contains #threatactoremail)
\biym\serverpasserr.php
\biym\serverpass.php
\biym\security-assurance.php
\biym\retry.php
\biym\resubmit.php (most code is duplicate of submit.php)
\biym\redirecttoinbox.php
\botdetector.php
\delete.php (purges all the files)
\index.php (does the recusrive random md5 hash folder creation)
contains text
--+ Created BY JaMiLo +---
$send = "youremail@gmail.com"; (could be the default?)
example 3:
md5 701bbd55a9e931567d4d4b663d87abb2
https://www.virustotal.com/gui/file/bd4d5c2c893372e4e97ae60807472babcfc76261af505337dcfd94158cc90185/detection
hxxp://buynutmilkbag[.]gq/
reference
https://twitter.com/ActorExpose/status/1133716094798184448
The commonalities I've seen in this kit are
- Contain file named "redirecttoinbox.php"
- Targets Microsoft passwords
The "redirecttoinbox.php" file appears to have 2 variants
1.) The first variant redirects the user to a benign Word document after the password is posted.
windows.location='images/sharedFile.docx'
examples:
https://www.virustotal.com/#/file/ffee04fff010c1386f3dcc7fd3f87599b2ebcf7857f7980cb21d4b15c43fa7be/detection (from account-serv-v64[.]gq )
https://app.any.run/tasks/31eb90bb-349c-498e-8405-9e8a86371149/ (from paginasweb.consultoriaig[.]es )
2.) The second variant redirects the user to the real Microsoft login page after the password is posted.
windows.location='https://login.microsoftonline.com/...'
examples:
https://app.any.run/tasks/6040c8be-3d5c-4dd0-8ca1-41423525c1cb/ ( from www.telefonica.zbadyta[.]com )
https://app.any.run/tasks/530b0061-51c8-482a-b09f-ce7c7554adb6/ ( from www.elevefashion[.]com )
https://app.any.run/tasks/dad0d135-9fec-4b70-91af-3f1fbbb90f42/ ( from www.pavlikeni[.]org )
https://app.any.run/tasks/37ac4b7b-31f4-42b1-b61d-389463b8d7e0/ ( from yasdpro[.]com )
I also found 2 instances of this kit type that were modified to target YouMail instead of Microsoft, but the Style/Theme and coloring still looked like Microsoft.
examples:
https://app.any.run/tasks/454c7f12-57aa-4018-9b7f-8f4c2aaa99a4/ ( from liberty-usa[.]co[.]il )
https://app.any.run/tasks/fef354cd-d87b-41bc-a0d5-e03879f5a681/ ( from icosyndicate[.]co )
@ActorExpose has a 3rd documented example here same concept
folder structure
\biym\submit.php (references geoiptool.com, contains #threatactoremail)
\biym\serverpasserr.php
\biym\serverpass.php
\biym\security-assurance.php
\biym\retry.php
\biym\resubmit.php (most code is duplicate of submit.php)
\biym\redirecttoinbox.php
\botdetector.php
\delete.php (purges all the files)
\index.php (does the recusrive random md5 hash folder creation)
contains text
--+ Created BY JaMiLo +---
$send = "youremail@gmail.com"; (could be the default?)
example 3:
md5 701bbd55a9e931567d4d4b663d87abb2
https://www.virustotal.com/gui/file/bd4d5c2c893372e4e97ae60807472babcfc76261af505337dcfd94158cc90185/detection
hxxp://buynutmilkbag[.]gq/
reference
https://twitter.com/ActorExpose/status/1133716094798184448
Comments
Post a Comment