ShadowZ118 Paypal Phishing Kit CAZANOVA with Kit Author Backdoor

Today we'll take a peek at this Paypal phishing kit by ShadowZ118, marked CAZANOVA.  TLDR; this phishing kit sends a backdoor email that actually lets the kit author steal the stolen passwords from the malicious script kiddie who purchased the kit and intended to steal passwords from victims.

https://www.virustotal.com/gui/file/821cede87f899fee9675c2e05cec7520678bd065bbb2557b9f5a70e9b49a8032/detection

md5 11afa9d469737c5e6fe3fff6332b182d


The following phishing kit is a stripped-down, simpler version of the XVerginia kit by ShadowZ118 that we saw in this other blog post:

https://phishingkittracker.blogspot.com/2020/04/xverginia-by-shadowz118.html

Inside the phishing kit is a robots.txt to try to prevent search engines from crawling and indexing this site.


There are two log text files that may get filled depending on how the attacker configures the site.  The index.php is where it all starts, as that's the default PHP page that gets loaded when a victim lands on the site.


The index.php starts with some anti-security-researcher/anti-search-engine code to prevent certain good guys from accessing or indexing the website.

At the bottom of the index.php page is where you see code that is similar to the ShadowZ118 kit linked above. It generates a random subfolder, in this instance inside a "customer_center" subfolder, for each unique victim.  It copies the contents of the CAZANOVA default kit folder to the new random subfolder.
The rest is very similar to the ShadowZ118 blog post mentioned above.  The customer_center random subfolder's index.php will redirect the user to the myaccount/sign-in page.
Before it does that, it also gets the IP address using "get_ip.php" and makes calls to "ip-api.com" to get the country the victim is located in.
The myaccount\sign-in index.php page has a bunch of anti-security-researcher PHP includes that they refer to as BOTS.
They check for all kinds of things, including security tools like Phish Tank, in order to return a 404 page instead of the actual credential phishing page.
One thing that is unique about this phishing kit page is that it does not post the stolen password to a separate PHP page.  Instead you'll notice the action="" field is empty, meaning it posts the stolen password back to this same exact page, e.g. the page just reloads once the victim hits submit.
But the password is still stolen. As you can see below on the myaccount\sign-in page, it checks for the stolen password HTTP POST variable, and if that exists, it includes an extra file called LOG.php, which happens to do the dirty work.

If you open LOG.php you see that the threat actor is building an email, including the user's IP, password, username, etc., and sending it to themselves.  You'll notice at the top there is an include of an EMAIL.php file, which is where the script kiddie that bought the CAZANOVA phishing kit can put their email address.
In this case the threat actor email address drop account receiving the stolen passwords is zakoo20133[@]gmail[.]com

But this phishing kit author is actually more devious than that: they include a backdoored, hidden second email address that all stolen passwords are also sent to, so the script kiddie purchasing this kit is actually getting scammed because the kit author steals the passwords as well.  Notice at the bottom of LOG.php above that there are actually two "mail" statements.  This is a quick sign that a backdoored second email is being sent to the kit author.  You have to scrounge around the other PHP files, including get_bin.php, to find the actual kit author's backdoored email account.  You see below that if you print out all those variables and unscramble them, it's actually something ending in "@yahoo.fr".



And if you return to LOG.php you see the second "mail" statement is sending to an address that is being built and ends with that "@yahoo.fr" variable.
Now you have to go to get_browser.php to find the hidden $browser and $versionx variables.
The final backdoor kit author email ends up being:
         zakoo20122[@]yahoo[.]fr
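To make the two checks described above repeatable (more than one "mail" statement in a file, and a recipient glued together from variables scattered across helper files), here is a small triage script. It is an added example, not code from the kit or from the original post; the in-memory kit it scans is constructed, its file and variable names ($to, $browser, $versionx, $bin) are invented to mirror the layout described, and the addresses are placeholders.

```python
import re

# Constructed sample of a kit's files (invented content, not the real
# CAZANOVA source): one mail() to the operator's address from EMAIL.php,
# and a second whose recipient is glued together from variables that are
# defined in other helper files, as the post describes.
SAMPLE_KIT = {
    "EMAIL.php": '<?php $to = "operator@example.invalid"; ?>',
    "get_bin.php": '<?php $bin = "@" . "examp" . "le.invalid"; ?>',
    "get_browser.php": '<?php $browser = "kit"; $versionx = "author"; ?>',
    "LOG.php": '<?php\ninclude("EMAIL.php");\n'
               'mail($to, "Rezult", $msg, $headers);\n'
               'mail($browser.$versionx.$bin, "Rezult", $msg, $headers);\n?>',
}

MAIL_RE = re.compile(r'\bmail\s*\(\s*([^,]+?)\s*,')                # first argument of mail()
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\.?\s*)+);')  # $x = "a" . "b";
STR_RE = re.compile(r'"([^"]*)"')
TOK_RE = re.compile(r'"([^"]*)"|\$(\w+)')                          # quoted literal or $var

def collect_string_vars(kit):
    """Map variable name -> value for assignments built only from quoted literals."""
    found = {}
    for src in kit.values():
        for name, expr in ASSIGN_RE.findall(src):
            found[name] = "".join(STR_RE.findall(expr))
    return found

def resolve(expr, variables):
    """Resolve a '$a . "lit" . $b' concatenation; unknown vars stay as $name."""
    parts = []
    for lit, var in TOK_RE.findall(expr):
        parts.append(lit if var == "" else variables.get(var, "$" + var))
    return "".join(parts)

def triage(kit):
    """Per file: resolved mail() recipients, flagged when they do not all match."""
    variables = collect_string_vars(kit)
    report = {}
    for fname, src in kit.items():
        recipients = [resolve(e, variables) for e in MAIL_RE.findall(src)]
        if recipients:
            report[fname] = {"recipients": recipients,
                             "suspect_second_recipient": len(set(recipients)) > 1}
    return report

if __name__ == "__main__":
    for fname, result in triage(SAMPLE_KIT).items():
        print(fname, result)
```

Run against a real kit you would read each file from disk into the dictionary; anything the resolver leaves as a bare $name is a variable assigned by code the simple regex does not cover, which is exactly where to look by hand next.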

Update: it's possible this isn't a backdoor but rather an attempt to hide from or trick security researchers into thinking they took down the correct email address, when in fact the threat actor has two emails for redundancy.
