Quota Multi Language - Phishing Kit Type

#QuotaMultiLanguage #PhishingKitType #phishing #phishingkit

@smica83 documented a phishing mail for an "Email Quota exceeded" lure whose kit is multi-language (one PHP file per language) and is marked "Created by Machine".


Folder structure:
\china.php
\english.php
\french.php
\german.php
\korea.php
\spanish.php
\go.php
\process.php
\send.php

Much of the HTML is delivered JavaScript-encoded, written out at load time like this:
   document.write(unescape('%3c%2f%66%6f%72%6d%3e%....
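Because the kit hides its forms behind document.write(unescape(...)), an analyst cannot grep the raw page for the form action or the credential fields. The following helper, added here as an example and not code from the post or from the kit, undoes that encoding with JavaScript's unescape() semantics (%XX and %uXXXX) and pulls out the form actions and input names for triage. The sample page is constructed for the example; its first encoded string decodes to a form posting to process.php, the name of a file in the kit above, and the second is the '</form>' fragment quoted in the post.

```python
import re

# JavaScript's legacy unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one Latin-1 code point.
# (Unlike urllib.parse.unquote it does NOT reassemble UTF-8 byte sequences.)
_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(s: str) -> str:
    """Decode a string exactly the way JavaScript's unescape() would."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# document.write(unescape('...')) with either quote style, optionally wrapped in its <script> tag,
# so the decoded HTML lands back in the page as ordinary markup.
_DW_RE = re.compile(
    r"(?:<script[^>]*>\s*)?"
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)\s*;?"
    r"(?:\s*</script>)?",
    re.DOTALL,
)

def deobfuscate(source: str) -> str:
    """Replace every document.write(unescape(...)) call with the HTML it would emit."""
    return _DW_RE.sub(lambda m: js_unescape(m.group(2)), source)

def triage(html: str) -> dict:
    """Collect the facts an analyst wants first: where credentials are posted and which fields are harvested."""
    actions = re.findall(r"<form[^>]*\baction\s*=\s*[\"']([^\"']*)[\"']", html, re.I)
    inputs = re.findall(r"<input[^>]*\bname\s*=\s*[\"']([^\"']*)[\"']", html, re.I)
    return {"form_actions": actions, "input_names": inputs}

# Constructed sample page in the style described in the post (not a file from the kit).
SAMPLE_KIT_PAGE = """<html><body>
<script>document.write(unescape('%3c%66%6f%72%6d%20%61%63%74%69%6f%6e%3d%22%70%72%6f%63%65%73%73%2e%70%68%70%22%20%6d%65%74%68%6f%64%3d%22%70%6f%73%74%22%3e'))</script>
<input type="text" name="email">
<input type="password" name="pass">
<script>document.write(unescape('%3c%2f%66%6f%72%6d%3e'))</script>
</body></html>
"""

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_KIT_PAGE)
    print(decoded)
    print(triage(decoded))
```

Run it over each language file in a kit (english.php, french.php, ...) and diff the triage output: in a kit built this way the form action and field names are the same across every language, which is a quick check that only the lure text changes. Add a detection on the decoded HTML rather than the raw file, since the raw file contains only percent-encoded hex.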
 
Nearly all of the PHP files begin with these two functions:
   function getloginIDFromlogin($email)
   function getDomainFromEmail($email)

send.php contains the #threatactoremail and the text
=================Scripted by Machine==================
It also references this URL (victim IP lookup):
  <a href='http://whoer.net/check?host=$ip'
and this URL (geolocation of the victim IP):
  http://www.geoplugin.net/json.gp?ip=".$ip

Example 1:
md5 5298ad9d5def275161bb44a44951d2d5
https://www.virustotal.com/gui/file/5645d2cf2089aa72363514617a2d25e7a99c4407a969cedb5ed15715db4d3e3d/detection
hxxps://hiddern[.]gq/dex/pagestole.zip


Reference
https://twitter.com/smica83/status/1133591070036635648
