EvilProxy Phishing Kit

Infosec researchers have noticed an alarming trend of fraud-related actors progressively utilizing a Phishing-as-a-Service (PhaaS) toolkit named EvilProxy. The malware is being deployed as a way to orchestrate account takeover attacks with a specific focus on executives in prominent organizations.

Such an attack campaign has been observed employing a hybrid strategy that capitalizes on the functionalities of the EvilProxy toolkit. The objective is to target a substantial number of Microsoft 365 user accounts, culminating in the distribution of approximately 120,000 phishing emails across a multitude of organizations worldwide within the timeframe of March to June 2023.

Significantly, among the numerous compromised users, nearly 39% are identified as C-level executives. This comprises CEOs constituting 9% and CFOs accounting for 17%. These attacks also concentrate on personnel who possess access to sensitive financial resources or critical information. Impressively, no less than 35% of all compromised users had opted for supplementary layers of account security.

Cybersecurity experts indicate that these orchestrated campaigns are a direct response to the heightened implementation of multi-factor authentication (MFA) within enterprises. Consequently, threat actors have adapted their strategies to surmount the new security barriers by incorporating adversary-in-the-middle (AitM) phishing kits. These kits are devised to capture credentials, session cookies, and one-time passwords, thereby allowing the attackers to discern, in real-time, whether a phished user is of high-level importance. This precise identification enables the attackers to swiftly gain access to the account, focusing their efforts on lucrative targets while disregarding less valuable profiles.

Phishing Kits Like EvilProxy Allow Lower-Skilled Cybercriminals To Carry Out Sophisticated Attacks

EvilProxy was initially reported by researchers in September 2022 when they unveiled its capability to compromise user accounts associated with various prominent platforms, including Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others. This toolkit is marketed as a subscription service, available at a base rate of $400 per month. However, the cost can escalate to $600 for targeting Google accounts, reflecting the higher value associated with those credentials.

Phishing-as-a-Service (PhaaS) toolkits represent a notable evolution in the cybercrime landscape, effectively reducing the entry barriers for less technically skilled criminals. This evolution enables the execution of sophisticated phishing attacks on a large scale, all while maintaining a seamless and cost-efficient approach.

The availability of threats with such straightforward and budget-friendly interfaces has resulted in a significant upsurge in successful multi-factor authentication (MFA) phishing activities. This trend signifies a shift in the tactics employed by cybercriminals, allowing them to efficiently exploit the vulnerabilities of MFA systems and amplify the scale of their attacks.

EvilProxy Threat Actors Use Fraudulent Emails to Lure Unsuspecting Victims

The recorded attack operations begin with the distribution of phishing emails that adopt the guise of trusted services like Adobe and DocuSign. This deceitful approach is aimed at luring recipients into interacting with malicious URLs found within the emails. Once these URLs are clicked, a multi-stage redirection sequence is triggered. The goal is to take the target towards a Microsoft 365 lookalike login page, cleverly designed to mimic the authentic portal. The counterfeit login page acts as a reverse proxy, discretely capturing the information submitted through the form.

A notable element within this campaign is its deliberate exclusion of user traffic originating from Turkish IP addresses. This particular traffic is redirected to legitimate websites, hinting at the possibility that the campaign orchestrators may have their origins in that country.

Once a successful account takeover is achieved, the threat actors proceed to establish a firm foothold within the organization's cloud environment. This is accomplished by introducing their own multi-factor authentication (MFA) method, such as a two-factor authenticator app. This strategic move ensures that the threat actors can maintain consistent remote access, facilitating lateral movement within the system and the proliferation of additional malware.

The acquired access is then leveraged for monetization purposes. Threat actors may choose to engage in financial fraud, exfiltrate confidential data, or even sell compromised user accounts to other malicious entities. In the current dynamic threat landscape, reverse proxy threats—specifically exemplified by EvilProxy—are an exceedingly potent menace, surpassing the capabilities of the less sophisticated phishing kits utilized in the past. Notably, even multi-factor authentication (MFA) is not immune to these advanced cloud-based threats.