On August 9, 2023, researchers at Proofpoint reported the technical details of a campaign between March and June 2023 leveraging the EvilProxy Phishing as a Service (PaaS) tool to target executives at over 100 global firms with a combination of attacker-in-the-middle (AiTM) and account takeover (ATO) tactics.
Context
Key takeaways from the report include:
- “Over the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies.
- Over 100 organizations were targeted globally, collectively representing 1.5 million employees.
- Threat actors utilized EvilProxy – a phishing tool based on a reverse proxy architecture, which allows attackers to steal MFA-protected credentials and session cookies.
- This rising threat combines sophisticated Adversary-in-the-Middle phishing with advanced account takeover methods, in response to the growing adoption of multifactor authentication by organizations.”
Technical Details
According to Proofpoint, “during the phishing stage of the attack, attackers employed several noteworthy techniques:
- Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe.
- Scan blocking. Attackers utilized protection against cyber security scanning bots, making it harder for security solutions to analyze their malicious web pages.
- Multi-step infection chain. Attackers redirected traffic via open legitimate redirectors, including YouTube, followed by additional steps, such as malicious cookies and 404 redirects.”
Proofpoint researchers also said that among the targets of the campaign, “approximately 39% were C-level executives of which 17% were Chief Financial Officers, and 9% were Presidents and CEOs.” Proofpoint noted that after compromising targets, “attackers were able to add their own multi-factor authentication method, establishing persistent access to compromised user accounts.”
Community Impact
RH-ISAC member analysts regularly report indicators of compromise (IOCs) and technical, strategic, and open-source intelligence related to EvilProxy. In addition, the RH-ISAC intelligence team has tracked and reported ongoing AiTM activity leveraging the EvilProxy PaaS kit.
IOCs
Proofpoint researchers provided the following IOCs:
Indicator | Type | Notes |
--- | --- | --- |
01-net[.]com | Domain | Malicious “Step 2” redirection domain |
837[.]best | Domain | Malicious “Step 2” redirection domain |
abbotsfordbc[.]com | Domain | Malicious “Step 2” redirection domain |
ae-lrmed[.]com | Domain | Malicious “Step 2” redirection domain |
andrealynnsanders[.]com | Domain | Malicious “Step 2” redirection domain |
bdowh[.]com | Domain | Malicious “Step 2” redirection domain |
cad-3[.]com | Domain | Malicious “Step 2” redirection domain |
cdjcfc[.]com | Domain | Malicious “Step 2” redirection domain |
chiromaflo[.]com | Domain | Malicious “Step 2” redirection domain |
cmzo-eu[.]cz | Domain | Malicious “Step 2” redirection domain |
concur[.]bond | Domain | Malicious “Step 2” redirection domain |
concurcloud[.]us | Domain | Malicious “Step 2” redirection domain |
concursolution[.]us | Domain | Malicious “Step 2” redirection domain |
concursolutions[.]info | Domain | Malicious “Step 2” redirection domain |
cualn[.]com | Domain | Malicious “Step 2” redirection domain |
d8z[.]net | Domain | Malicious “Step 2” redirection domain |
dealemd[.]com | Domain | Malicious “Step 2” redirection domain |
dl2b[.]com | Domain | Malicious “Step 2” redirection domain |
dsa-erie[.]com | Domain | Malicious “Step 2” redirection domain |
dse[.]best | Domain | Malicious “Step 2” redirection domain |
dse[.]buzz | Domain | Malicious “Step 2” redirection domain |
dsena[.]net | Domain | Malicious “Step 2” redirection domain |
e-csg[.]com | Domain | Malicious “Step 2” redirection domain |
etrax[.]eu | Domain | Malicious “Step 2” redirection domain |
farmacgroup[.]ca | Domain | Malicious “Step 2” redirection domain |
faxphoto[.]com | Domain | Malicious “Step 2” redirection domain |
fdh[.]aero | Domain | Malicious “Step 2” redirection domain |
finsw[.]com | Domain | Malicious “Step 2” redirection domain |
fortnelsonbc[.]com | Domain | Malicious “Step 2” redirection domain |
g3u[.]eu | Domain | Malicious “Step 2” redirection domain |
greatbayservices[.]com | Domain | Malicious “Step 2” redirection domain |
gwcea[.]com | Domain | Malicious “Step 2” redirection domain |
indevsys[.]com | Domain | Malicious “Step 2” redirection domain |
inteproinc[.]com | Domain | Malicious “Step 2” redirection domain |
jxh[.]us | Domain | Malicious “Step 2” redirection domain |
k4a[.]eu | Domain | Malicious “Step 2” redirection domain |
kayakingbc[.]com | Domain | Malicious “Step 2” redirection domain |
kirklandellis[.]net | Domain | Malicious “Step 2” redirection domain |
kofisch[.]com | Domain | Malicious “Step 2” redirection domain |
ld3[.]eu | Domain | Malicious “Step 2” redirection domain |
mde45[.]com | Domain | Malicious “Step 2” redirection domain |
mjdac[.]com | Domain | Malicious “Step 2” redirection domain |
n4q[.]net | Domain | Malicious “Step 2” redirection domain |
na-7[.]com | Domain | Malicious “Step 2” redirection domain |
na3[.]wiki | Domain | Malicious “Step 2” redirection domain |
nilyn[.]us | Domain | Malicious “Step 2” redirection domain |
p1q[.]eu | Domain | Malicious “Step 2” redirection domain |
pagetome[.]com | Domain | Malicious “Step 2” redirection domain |
parsfn[.]com | Domain | Malicious “Step 2” redirection domain |
pbcinvestment[.]com | Domain | Malicious “Step 2” redirection domain |
phillipsoc[.]com | Domain | Malicious “Step 2” redirection domain |
pwsarch[.]com | Domain | Malicious “Step 2” redirection domain |
re5[.]eu | Domain | Malicious “Step 2” redirection domain |
sloanecarpet[.]com | Domain | Malicious “Step 2” redirection domain |
ssidaignostica[.]com | Domain | Malicious “Step 2” redirection domain |
tallwind[.]com[.]tr | Domain | Malicious “Step 2” redirection domain |
ukbarrister[.]com | Domain | Malicious “Step 2” redirection domain |
utnets[.]com | Domain | Malicious “Step 2” redirection domain |
uv-pm[.]com | Domain | Malicious “Step 2” redirection domain |
vleonard[.]com | Domain | Malicious “Step 2” redirection domain |
wattsmed[.]com | Domain | Malicious “Step 2” redirection domain |
whoyiz[.]com | Domain | Malicious “Step 2” redirection domain |
wj-asys[.]com | Domain | Malicious “Step 2” redirection domain |
wmbr[.]us | Domain | Malicious “Step 2” redirection domain |
wwgstaff[.]com | Domain | Malicious “Step 2” redirection domain |
xp1[.]us | Domain | Malicious “Step 2” redirection domain |
xstpl[.]com | Domain | Malicious “Step 2” redirection domain |
154[.]29[.]75[.]192 | IP Address | Source IP address involved in EvilProxy Attack |
185[.]241[.]52[.]78 | IP Address | Source IP address involved in EvilProxy Attack |
185[.]250[.]243[.]176 | IP Address | Source IP address involved in EvilProxy Attack |
185[.]250[.]243[.]38 | IP Address | Source IP address involved in EvilProxy Attack |
198[.]44[.]132[.]249 | IP Address | Source IP address involved in EvilProxy Attack |
212[.]224[.]107[.]12 | IP Address | Source IP address involved in EvilProxy Attack |
45[.]8[.]191[.]151 | IP Address | Source IP address involved in EvilProxy Attack |
45[.]8[.]191[.]17 | IP Address | Source IP address involved in EvilProxy Attack |
74[.]208[.]49[.]213 | IP Address | Source IP address involved in EvilProxy Attack |
77[.]91[.]84[.]52 | IP Address | Source IP address involved in EvilProxy Attack |
78[.]153[.]130[.]178 | IP Address | Source IP address involved in EvilProxy Attack |
87[.]120[.]37[.]47 | IP Address | Source IP address involved in EvilProxy Attack |
104[.]183[.]206[.]97 | IP Address | Source IP address involved in EvilProxy Attack |
172[.]102[.]23[.]21 | IP Address | Source IP address involved in EvilProxy Attack |
191[.]96[.]227[.]102 | IP Address | Source IP address involved in EvilProxy Attack |
90[.]92[.]138[.]71 | IP Address | Source IP address involved in EvilProxy Attack |
autonotification@concursolutions[.]com | Email address | Sender address involved in EvilProxy campaigns |
[email protected][.]net | Email address | Sender address involved in EvilProxy campaigns |
adobesign@adobesign[.]com | Email address | Sender address involved in EvilProxy campaigns |
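The indicators above are published defanged (`[.]`), so they have to be refanged before they can be matched against logs. The following script is an added example, not code from Proofpoint or RH-ISAC: it refangs a subset of the indicators copied from the table, matches them against a constructed set of DNS, sign-in, mail and MFA-registration events (the JSON-lines schema, the `example.com` users and the `203.0.113.7` address are all constructed for the example and do not follow any vendor's log format), and then correlates successful sign-ins from a listed IP with a subsequent MFA method registration, which is the persistence step the Technical Details section describes. It also generalizes the domain check to subdomains of a listed domain.

```python
"""Refang published IOCs, match them against sample logs, and flag the
'sign-in from listed IP followed by new MFA method' persistence pattern.
Example code; the log schema and sample events below are constructed."""
from datetime import datetime, timedelta
import ipaddress
import json

# Subset of the defanged indicators from the brief's IOC table.
DEFANGED_IOCS = [
    ("concursolutions[.]info", "Domain"),
    ("dse[.]buzz", "Domain"),
    ("185[.]250[.]243[.]38", "IP Address"),
    ("45[.]8[.]191[.]17", "IP Address"),
    ("autonotification@concursolutions[.]com", "Email address"),
]

# Constructed JSON-lines events (not a real vendor format). The CFO's
# sign-in comes from a listed IP and is followed by an MFA registration;
# the CEO's MFA registration has no such precursor and must not alert.
SAMPLE_EVENTS = """\
{"ts": "2023-05-02T09:14:03Z", "type": "dns", "user": "cfo@example.com", "query": "login.microsoftonline.com"}
{"ts": "2023-05-02T09:14:10Z", "type": "dns", "user": "cfo@example.com", "query": "www.concursolutions.info"}
{"ts": "2023-05-02T09:15:41Z", "type": "signin", "user": "cfo@example.com", "ip": "185.250.243.38", "result": "success"}
{"ts": "2023-05-02T09:21:07Z", "type": "mfa_method_added", "user": "cfo@example.com", "ip": "185.250.243.38", "method": "authenticator_app"}
{"ts": "2023-05-02T09:30:00Z", "type": "mail", "user": "cfo@example.com", "sender": "AutoNotification@concursolutions.com"}
{"ts": "2023-05-02T11:02:55Z", "type": "signin", "user": "ceo@example.com", "ip": "203.0.113.7", "result": "success"}
{"ts": "2023-05-03T08:00:12Z", "type": "mfa_method_added", "user": "ceo@example.com", "ip": "203.0.113.7", "method": "phone"}
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def norm_ip(ip: str) -> str:
    """Canonical text form, so '045.8.191.017'-style variants still match."""
    return str(ipaddress.ip_address(ip))


def load_iocs(rows):
    """Group refanged, lower-cased indicators by type."""
    iocs = {"Domain": set(), "IP Address": set(), "Email address": set()}
    for value, kind in rows:
        live = refang(value).lower()
        iocs[kind].add(norm_ip(live) if kind == "IP Address" else live)
    return iocs


def parse_events(text: str):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def match_iocs(events, iocs):
    """Return (event, indicator) pairs for every event touching a listed IOC.
    Domains match exactly or as a parent of the queried name."""
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            for d in iocs["Domain"]:
                if q == d or q.endswith("." + d):
                    hits.append((ev, d))
        if "ip" in ev:
            ip = norm_ip(ev["ip"])
            if ip in iocs["IP Address"]:
                hits.append((ev, ip))
        if ev["type"] == "mail" and ev.get("sender", "").lower() in iocs["Email address"]:
            hits.append((ev, ev["sender"].lower()))
    return hits


def mfa_persistence_alerts(events, iocs, window=timedelta(hours=24)):
    """Flag MFA method registrations that follow, within `window`, a successful
    sign-in for the same user from a listed IP. A registration with no such
    precursor is left alone, so routine enrolments do not alert."""
    bad_signins = {}
    for ev in events:
        if (ev["type"] == "signin" and ev.get("result") == "success"
                and norm_ip(ev["ip"]) in iocs["IP Address"]):
            bad_signins.setdefault(ev["user"], []).append(parse_ts(ev["ts"]))
    alerts = []
    for ev in events:
        if ev["type"] != "mfa_method_added":
            continue
        added_at = parse_ts(ev["ts"])
        for signin_at in bad_signins.get(ev["user"], []):
            if timedelta(0) <= added_at - signin_at <= window:
                alerts.append({"user": ev["user"], "method": ev["method"],
                               "signin_at": signin_at.isoformat(),
                               "added_at": added_at.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    events = parse_events(SAMPLE_EVENTS)
    for ev, ind in match_iocs(events, iocs):
        print(f"IOC hit  {ev['ts']} {ev['type']:<17} {ev['user']} -> {ind}")
    for a in mfa_persistence_alerts(events, iocs):
        print(f"PERSIST  {a['user']} added {a['method']} at {a['added_at']} "
              f"after sign-in from listed IP at {a['signin_at']}")
```

Run on the sample above, the script reports four IOC hits (the DNS lookup of a subdomain of a listed domain, the two events from the listed IP, and the spoofed sender) and a single persistence alert for the CFO account; the CEO's MFA enrolment is not flagged because it has no listed-IP sign-in before it. Against real telemetry, the `SAMPLE_EVENTS` string is replaced by the organisation's own sign-in and audit exports mapped to the same fields.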