Likely Iranian-Origin Phishing Attack: New Threat to Online Security in Italy!

Davide Cavallini : 4 April 2024 21:15

In the vast landscape of computing, increasingly insidious threats emerge that jeopardize the online security of both companies and ordinary users. In this context, phishing attacks represent one of the greatest dangers, capable of deceiving even the most vigilant and informed individuals.

Recently, our Red Hot Cyber team, comprised of S.D., who wishes to keep their identity confidential, Davide Cavallini, penetration tester and programmer, and Davide Santoro, cybersecurity analyst, made a surprising discovery in the Italian cybersecurity landscape. It’s a particular phishing attack characterized by a sophisticated deception technique and likely originating from Iranian regions.

This attack stands out for its insidious nature and its potential implications for national and individual security. We managed to trace the tracks of this attack and analyze its distinctive characteristics.

Today, seemingly innocuous emails have arrived in the mailboxes of several Italian companies. The message is impeccable, drafted in perfect Italian and seemingly devoid of any suspicion.

However, beyond appearances, it conceals a insidious threat. Inside, a link, seemingly normal, invites recipients to click to access important information and complete an urgent action.

This is the content of one of these emails:

However, a careful eye would notice something strange in the URL to which the link points: a sequence of cryptic characters and an unfamiliar domain. It’s the first clue that something is amiss, a subtle warning of danger hidden within apparent normalcy.

In an act of “investigation,” our Red Hot Cyber team has decided to explore the mysterious link to uncover what lies behind it.

At first glance, we immediately noticed that the link in the email redirects to another website, which hosts a counterfeit PDF document that simulates a password-protected order.

After noticing the redirect in the email link, we examine the flow of requests more closely using Burp Suite, in order to better understand the type of redirect and whether there is any hidden code between the initial site and the final destination.

During this process, we notice that the link pointed to by the email performs a redirect via JavaScript. This immediately raises suspicion that it could be a stored XSS (Cross-Site Scripting) attack, in which malicious code is stored on the server and then executed within the visitor’s browser.

Here’s the code of the redirect:

We discovered that the Persistent XSS (which is equivalent to saying stored XSS) was inserted into the site exploiting the CVE-2023-6000 vulnerability in the Popup Builder plugin version . The redirect then points to another German fruit-selling website, most likely compromised and misconfigured—given that directory listing is enabled—which contains a fake PDF:

By modifying the email in the GET request ID, the email also changes in the PDF, so everyone who receives the phishing email will see their own email within the “email” field.

Studying the JavaScript code of this PDF, we then discovered that it saves the data via API to another Iranian WordPress website.

The code we have inserted on GitHub, in the link below, is precisely what steals our data and stores it on another server.

https://github.com/dade1987/phishing_code_investigation_repository/blob/main/ital-pdf-index.htm

The HTML file was contained within a zip file inside the open directory of the German website:

Upon further analysis, the first base64-encoded background contains the background of the fake PDF order:

The second Base64-encoded image contains the fake logo of the PDF:

Here’s an explanation of the functionalities of the HTML and JavaScript code that constitutes a webpage used to conduct a phishing attack via a fake PDF document:

• HTML Structure: The HTML page follows a standard structure with headers, links to style sheets, and JavaScript scripts.
• Content: The page contains elements such as input fields for email and password, a verification button, and alerts to signal errors to the user.
• CSS Styling: There are some CSS rules to manage the visual appearance of the page, such as removing the outline of active elements and managing the background image.
• JavaScript:
  • The JavaScript code is responsible for some security actions, such as disabling the Ctrl+S key combination to prevent saving the page, disabling the context menu of the mouse, and disabling some key combinations that could allow unwanted operations.
  • There’s a block that checks the email address provided by the user and verifies if it’s valid.
  • When the user clicks the verification button, an AJAX request is executed to send the credentials (email and password) to a remote server (https://SITOWEB.ir/wpsignup.php).
  • If the credentials are correct, the user is redirected to a PDF document (stolen from an Italian company) hosted on an external server. This redirection could occur even after multiple attempts of entering the credentials.
  • If the credentials are incorrect or an error occurs during the process, error messages are displayed to the user.

In essence, this code is designed to simulate a protected access page to an online PDF document in order to steal users’ credentials, which are then sent to a remote server for processing.

Subsequently, the user is redirected to a fake PDF document to maintain the illusion that access has been granted correctly.

This is the most concerning piece of information. Indeed, it indicates possible irregularities in the computer systems of some Italian companies, suggesting the possibility of a Man-in-the-Middle (MITM) cyber attack.

Given the strategic importance that these companies could have for the country, such a situation requires careful assessment and immediate action to protect sensitive data and mitigate any risks to the integrity of operations.

After carefully analyzing the reports of recent attacks, our team has identified a common pattern linking the recent attacks to a malicious campaign known as “Balada Injector”, which specifically targets websites using the WordPress Popup Builder plugin. This malicious campaign exploits vulnerabilities in the plugin to carry out Cross-Site Scripting (XSS) attacks and compromise the security of the affected websites.

To defend against this type of phishing attack, it’s important to adopt several preventive measures and security practices. Here are some helpful tips:

End User Protection (Company):

• User Awareness: Provide training and awareness to users on the importance of recognizing phishing threats and avoiding clicking on links or opening suspicious attachments in emails.
• Use of Security Software: Install and keep antivirus and antimalware software updated on company devices to detect and block potential cybersecurity threats, including phishing attacks.

Website Owners Protection:

• Regular Updating of Libraries and Plugins: Keep all libraries, plugins, and frameworks used for website development up to date to address any security vulnerabilities and reduce the risk of exploits.
• Implement Security Policies: Enforce strict security policies to prevent Cross-Site Scripting (XSS) attacks and outbound requests, such as:
  • Policies to Prevent XSS Attacks:
    • Input Filtering: Validate and rigorously filter all data received from users through input forms on the website. Use whitelists to accept only allowed characters and data formats, avoiding the insertion of scripts or malicious code.
    • Data Encoding: Ensure that all dynamically displayed data on the website is properly encoded to prevent unauthorized script execution in the user’s browser. Use appropriate encoding functions such as HTML entity encoding or JavaScript escaping.
    • Content Security Policy (CSP): Implement an appropriate CSP that defines allowed sources for script execution, style, and other resources in the browser. Use directives like script-src, style-src, and connect-src to limit script execution only from trusted sources and prevent inclusion of malicious scripts from external sources.
    • Input Sanitization: Use web development libraries and frameworks that offer input sanitization features to automatically remove or neutralize any malicious scripts from user-inputted data.
    • Server-Side Input Validation: Perform server-side input validation to ensure that data received from users conforms to specified format and security requirements before processing or storing it in the database.
  • Policies to Prevent Unwanted External Calls:
    • URL Validation: Carefully verify and validate redirection URLs and external calls used on the website to prevent unauthorized redirection of users to malicious or compromised sites.
    • Limit External Resources: Restrict the use of external resources on the website, such as scripts, styles, and images, only to trusted and reliable sources. Avoid loading resources from untrusted or unverified domains.
    • Authentication and Authorization: Use authentication and authorization to limit access to external resources only to authorized and authenticated users. Utilize access tokens or API keys to control access to external resources and prevent abuse.
    • Monitoring of External Calls: Regularly monitor external call activity from the website to detect suspicious behavior or unauthorized activity. Use monitoring and logging tools to track and analyze external calls to the website.

By implementing these preventive measures and security practices, both end users and website owners can contribute to protecting themselves and others from online threats, including phishing attacks and cybersecurity breaches.

What if the attacker were an Iranian APT?

Thanks to information sharing – an essential element for both ongoing training and risk analysis – we can hypothesize that behind the attack could be an Iranian APT group that has previously made extensive use, in various forms, of these techniques.

We’re talking about MuddyWater, an Iranian APT active since 2017 and specialized in cyber espionage using both freely available tools and unique malware developed by the group itself. They typically target countries in the Middle East (with particular attention to Israel and Saudi Arabia) but also conduct attacks against other countries.

Over the years, many have studied MuddyWater, and for a clear understanding of the group and its tactics, I recommend this article from the US Cyber Command, even though it dates back to February 24, 2022, it represents a milestone in the tactics, techniques, and procedures (TTP) of the Iranian APT.

Obviously, as stated at the beginning of this brief subtitle, definitive attribution to the APT in question is currently impossible. However, certain elements have led us in this direction:

1. Analysis of the TTPs used in the examined attack
2. The type of compromised sites used in various stages of the attack
3. The use of a credible spear-phishing campaign with hypothetical invoices as previously done.

Conclusion:

Online security is a shared responsibility that requires commitment and awareness from all involved parties. We hope these practical tips can help you protect yourself from phishing and XSS attacks and keep your online presence safe.

Always remember to stay vigilant, regularly update your security software, and adopt mindful cybersecurity practices. With a proactive approach to security, we can all contribute to creating a safer and more secure online environment for everyone.

We will continue to closely monitor the development of this malicious campaign and provide updates and additional advice to protect websites from attacks. Stay tuned for further information and cybersecurity recommendations.

If you have further questions or need assistance, please don’t hesitate to contact us. Together, we can make a difference in the fight against cyber threats.

Stay safe and happy browsing online!