Davide Cavallini : 4 April 2024 21:15
In the vast landscape of computing, increasingly insidious threats emerge that jeopardize the online security of both companies and ordinary users. In this context, phishing attacks represent one of the greatest dangers, capable of deceiving even the most vigilant and informed individuals.
Recently, our Red Hot Cyber team, comprised of S.D., who wishes to keep their identity confidential, Davide Cavallini, penetration tester and programmer, and Davide Santoro, cybersecurity analyst, made a surprising discovery in the Italian cybersecurity landscape. It’s a particular phishing attack characterized by a sophisticated deception technique and likely originating from Iranian regions.
This attack stands out for its insidious nature and its potential implications for national and individual security. We managed to trace the tracks of this attack and analyze its distinctive characteristics.
Vuoi diventare un Ethical Hacker?
Non perdere i nostri corsi e scrivi subito su WhatsApp al numero
375 593 1011
per richiedere informazioni dicendo che hai trovato il numero sulle pagine di Red Hot Cyber
Supporta RHC attraverso:
Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo.
Today, seemingly innocuous emails have arrived in the mailboxes of several Italian companies. The message is impeccable, drafted in perfect Italian and seemingly devoid of any suspicion.
However, beyond appearances, it conceals a insidious threat. Inside, a link, seemingly normal, invites recipients to click to access important information and complete an urgent action.
This is the content of one of these emails:
However, a careful eye would notice something strange in the URL to which the link points: a sequence of cryptic characters and an unfamiliar domain. It’s the first clue that something is amiss, a subtle warning of danger hidden within apparent normalcy.
In an act of “investigation,” our Red Hot Cyber team has decided to explore the mysterious link to uncover what lies behind it.
At first glance, we immediately noticed that the link in the email redirects to another website, which hosts a counterfeit PDF document that simulates a password-protected order.
After noticing the redirect in the email link, we examine the flow of requests more closely using Burp Suite, in order to better understand the type of redirect and whether there is any hidden code between the initial site and the final destination.
During this process, we notice that the link pointed to by the email performs a redirect via JavaScript. This immediately raises suspicion that it could be a stored XSS (Cross-Site Scripting) attack, in which malicious code is stored on the server and then executed within the visitor’s browser.
Here’s the code of the redirect:
We discovered that the Persistent XSS (which is equivalent to saying stored XSS) was inserted into the site exploiting the CVE-2023-6000 vulnerability in the Popup Builder plugin version . The redirect then points to another German fruit-selling website, most likely compromised and misconfigured—given that directory listing is enabled—which contains a fake PDF:
By modifying the email in the GET request ID, the email also changes in the PDF, so everyone who receives the phishing email will see their own email within the “email” field.
Studying the JavaScript code of this PDF, we then discovered that it saves the data via API to another Iranian WordPress website.
The code we have inserted on GitHub, in the link below, is precisely what steals our data and stores it on another server.
https://github.com/dade1987/phishing_code_investigation_repository/blob/main/ital-pdf-index.htm
The HTML file was contained within a zip file inside the open directory of the German website:
Upon further analysis, the first base64-encoded background contains the background of the fake PDF order:
The second Base64-encoded image contains the fake logo of the PDF:
Here’s an explanation of the functionalities of the HTML and JavaScript code that constitutes a webpage used to conduct a phishing attack via a fake PDF document:
In essence, this code is designed to simulate a protected access page to an online PDF document in order to steal users’ credentials, which are then sent to a remote server for processing.
Subsequently, the user is redirected to a fake PDF document to maintain the illusion that access has been granted correctly.
This is the most concerning piece of information. Indeed, it indicates possible irregularities in the computer systems of some Italian companies, suggesting the possibility of a Man-in-the-Middle (MITM) cyber attack.
Given the strategic importance that these companies could have for the country, such a situation requires careful assessment and immediate action to protect sensitive data and mitigate any risks to the integrity of operations.
After carefully analyzing the reports of recent attacks, our team has identified a common pattern linking the recent attacks to a malicious campaign known as “Balada Injector”, which specifically targets websites using the WordPress Popup Builder plugin. This malicious campaign exploits vulnerabilities in the plugin to carry out Cross-Site Scripting (XSS) attacks and compromise the security of the affected websites.
To defend against this type of phishing attack, it’s important to adopt several preventive measures and security practices. Here are some helpful tips:
End User Protection (Company):
Website Owners Protection:
By implementing these preventive measures and security practices, both end users and website owners can contribute to protecting themselves and others from online threats, including phishing attacks and cybersecurity breaches.
What if the attacker were an Iranian APT?
Thanks to information sharing – an essential element for both ongoing training and risk analysis – we can hypothesize that behind the attack could be an Iranian APT group that has previously made extensive use, in various forms, of these techniques.
We’re talking about MuddyWater, an Iranian APT active since 2017 and specialized in cyber espionage using both freely available tools and unique malware developed by the group itself. They typically target countries in the Middle East (with particular attention to Israel and Saudi Arabia) but also conduct attacks against other countries.
Over the years, many have studied MuddyWater, and for a clear understanding of the group and its tactics, I recommend this article from the US Cyber Command, even though it dates back to February 24, 2022, it represents a milestone in the tactics, techniques, and procedures (TTP) of the Iranian APT.
Obviously, as stated at the beginning of this brief subtitle, definitive attribution to the APT in question is currently impossible. However, certain elements have led us in this direction:
Conclusion:
Online security is a shared responsibility that requires commitment and awareness from all involved parties. We hope these practical tips can help you protect yourself from phishing and XSS attacks and keep your online presence safe.
Always remember to stay vigilant, regularly update your security software, and adopt mindful cybersecurity practices. With a proactive approach to security, we can all contribute to creating a safer and more secure online environment for everyone.
We will continue to closely monitor the development of this malicious campaign and provide updates and additional advice to protect websites from attacks. Stay tuned for further information and cybersecurity recommendations.
If you have further questions or need assistance, please don’t hesitate to contact us. Together, we can make a difference in the fight against cyber threats.
Stay safe and happy browsing online!