EvilProxy PaaS Tool Used in MFA-Bypass ATO Campaign Targeting Executives at Global Firms

Proofpoint researchers reveal campaign leveraging EvilProxy PaaS tool targeting high-level executives at over 100 organizations.

On August 9, 2023, researchers at Proofpoint reported the technical details of a campaign, active between March and June 2023, that leveraged the EvilProxy Phishing-as-a-Service (PaaS) tool to target executives at over 100 global firms with a combination of adversary-in-the-middle (AiTM) and account takeover (ATO) tactics.

Context

Key takeaways from the report include:

  • “Over the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies.
  • Over 100 organizations were targeted globally, collectively representing 1.5 million employees.
  • Threat actors utilized EvilProxy – a phishing tool based on a reverse proxy architecture, which allows attackers to steal MFA-protected credentials and session cookies.
  • This rising threat combines sophisticated Adversary-in-the-Middle phishing with advanced account takeover methods, in response to the growing adoption of multifactor authentication by organizations.”

Technical Details

According to Proofpoint, “during the phishing stage of the attack, attackers employed several noteworthy techniques: 

  • Brand impersonation. Sender addresses impersonated trusted services and apps, such as Concur Solutions, DocuSign and Adobe. 
  • Scan blocking. Attackers utilized protection against cyber security scanning bots, making it harder for security solutions to analyze their malicious web pages. 
  • Multi-step infection chain. Attackers redirected traffic via open legitimate redirectors, including YouTube, followed by additional steps, such as malicious cookies and 404 redirects.”

Proofpoint researchers also said that among the targets of the campaign, “approximately 39% were C-level executives of which 17% were Chief Financial Officers, and 9% were Presidents and CEOs.” Proofpoint further noted that, once a target was compromised, “attackers were able to add their own multi-factor authentication method, establishing persistent access to compromised user accounts.”
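The persistence step described above (a new MFA method registered on an already-compromised account) leaves a detectable pattern in identity-provider telemetry: a sign-in from an address the user has never used before, followed shortly by a security-info change. The script below is an added example written for this post, not Proofpoint's or RH-ISAC's code; the event schema, field names, baseline and sample events are all constructed assumptions for illustration and do not mirror any particular vendor's log format.

```python
from datetime import datetime, timedelta

# Constructed baseline (assumption): IP addresses each user was seen from in
# the weeks before the sample window. In practice this comes from sign-in history.
BASELINE_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "ceo@example.com": {"203.0.113.20"},
}

# Constructed sample events (not real telemetry). Field names are assumed for
# illustration: "SignIn" is an interactive login, "MfaMethodAdded" is a
# security-info registration event.
SAMPLE_EVENTS = [
    {"ts": "2023-05-02T08:01:00", "user": "cfo@example.com", "ip": "203.0.113.10", "event": "SignIn"},
    {"ts": "2023-05-03T08:05:00", "user": "cfo@example.com", "ip": "203.0.113.10", "event": "SignIn"},
    # Never-before-seen address, then a new MFA method nine minutes later.
    {"ts": "2023-05-04T13:22:00", "user": "cfo@example.com", "ip": "198.51.100.77", "event": "SignIn"},
    {"ts": "2023-05-04T13:31:00", "user": "cfo@example.com", "ip": "198.51.100.77", "event": "MfaMethodAdded"},
    # Benign: user enrolls a new device from their usual address.
    {"ts": "2023-05-04T09:00:00", "user": "ceo@example.com", "ip": "203.0.113.20", "event": "SignIn"},
    {"ts": "2023-05-04T09:40:00", "user": "ceo@example.com", "ip": "203.0.113.20", "event": "MfaMethodAdded"},
]


def find_suspicious_mfa_enrollments(events, baseline, window=timedelta(hours=24)):
    """Flag MfaMethodAdded events that occur within `window` after a sign-in
    from an IP address not in the user's baseline.

    Returns a list of (user, new_ip, enrollment_timestamp) tuples.
    """
    # ISO-8601 timestamps sort correctly as strings.
    ordered = sorted(events, key=lambda e: e["ts"])
    known_ips = {user: set(ips) for user, ips in baseline.items()}
    new_ip_logins = {}  # user -> [(datetime, ip)] sign-ins from unseen addresses
    alerts = []

    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        known = known_ips.setdefault(user, set())

        if e["event"] == "SignIn":
            if e["ip"] not in known:
                new_ip_logins.setdefault(user, []).append((ts, e["ip"]))
            known.add(e["ip"])
        elif e["event"] == "MfaMethodAdded":
            for login_ts, ip in new_ip_logins.get(user, []):
                if timedelta(0) <= ts - login_ts <= window:
                    alerts.append((user, ip, e["ts"]))
                    break
    return alerts


if __name__ == "__main__":
    for user, ip, when in find_suspicious_mfa_enrollments(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"ALERT: {user} registered a new MFA method at {when} "
              f"after signing in from previously unseen address {ip}")
```

The rule is deliberately narrow: it only fires on the combination of an unfamiliar source address and a subsequent MFA registration, so routine device enrollments from a user's usual location do not alert. Tuning the `window` and seeding the baseline from a long enough history are what keep the false-positive rate workable.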

Community Impact

RH-ISAC member analysts regularly report indicators of compromise (IOCs), technical, strategic, and open source intelligence related to EvilProxy. In addition, the RH-ISAC intelligence team has tracked and reported ongoing AiTM activity leveraging the EvilProxy PaaS kit.

IOCs

Proofpoint researchers provided the following IOCs:

| Indicator | Type | Notes |
|---|---|---|
| 01-net[.]com | Domain | Malicious “Step 2” redirection domain |
| 837[.]best | Domain | Malicious “Step 2” redirection domain |
| abbotsfordbc[.]com | Domain | Malicious “Step 2” redirection domain |
| ae-lrmed[.]com | Domain | Malicious “Step 2” redirection domain |
| andrealynnsanders[.]com | Domain | Malicious “Step 2” redirection domain |
| bdowh[.]com | Domain | Malicious “Step 2” redirection domain |
| cad-3[.]com | Domain | Malicious “Step 2” redirection domain |
| cdjcfc[.]com | Domain | Malicious “Step 2” redirection domain |
| chiromaflo[.]com | Domain | Malicious “Step 2” redirection domain |
| cmzo-eu[.]cz | Domain | Malicious “Step 2” redirection domain |
| concur[.]bond | Domain | Malicious “Step 2” redirection domain |
| concurcloud[.]us | Domain | Malicious “Step 2” redirection domain |
| concursolution[.]us | Domain | Malicious “Step 2” redirection domain |
| concursolutions[.]info | Domain | Malicious “Step 2” redirection domain |
| cualn[.]com | Domain | Malicious “Step 2” redirection domain |
| d8z[.]net | Domain | Malicious “Step 2” redirection domain |
| dealemd[.]com | Domain | Malicious “Step 2” redirection domain |
| dl2b[.]com | Domain | Malicious “Step 2” redirection domain |
| dsa-erie[.]com | Domain | Malicious “Step 2” redirection domain |
| dse[.]best | Domain | Malicious “Step 2” redirection domain |
| dse[.]buzz | Domain | Malicious “Step 2” redirection domain |
| dsena[.]net | Domain | Malicious “Step 2” redirection domain |
| e-csg[.]com | Domain | Malicious “Step 2” redirection domain |
| etrax[.]eu | Domain | Malicious “Step 2” redirection domain |
| farmacgroup[.]ca | Domain | Malicious “Step 2” redirection domain |
| faxphoto[.]com | Domain | Malicious “Step 2” redirection domain |
| fdh[.]aero | Domain | Malicious “Step 2” redirection domain |
| finsw[.]com | Domain | Malicious “Step 2” redirection domain |
| fortnelsonbc[.]com | Domain | Malicious “Step 2” redirection domain |
| g3u[.]eu | Domain | Malicious “Step 2” redirection domain |
| greatbayservices[.]com | Domain | Malicious “Step 2” redirection domain |
| gwcea[.]com | Domain | Malicious “Step 2” redirection domain |
| indevsys[.]com | Domain | Malicious “Step 2” redirection domain |
| inteproinc[.]com | Domain | Malicious “Step 2” redirection domain |
| jxh[.]us | Domain | Malicious “Step 2” redirection domain |
| k4a[.]eu | Domain | Malicious “Step 2” redirection domain |
| kayakingbc[.]com | Domain | Malicious “Step 2” redirection domain |
| kirklandellis[.]net | Domain | Malicious “Step 2” redirection domain |
| kofisch[.]com | Domain | Malicious “Step 2” redirection domain |
| ld3[.]eu | Domain | Malicious “Step 2” redirection domain |
| mde45[.]com | Domain | Malicious “Step 2” redirection domain |
| mjdac[.]com | Domain | Malicious “Step 2” redirection domain |
| n4q[.]net | Domain | Malicious “Step 2” redirection domain |
| na-7[.]com | Domain | Malicious “Step 2” redirection domain |
| na3[.]wiki | Domain | Malicious “Step 2” redirection domain |
| nilyn[.]us | Domain | Malicious “Step 2” redirection domain |
| p1q[.]eu | Domain | Malicious “Step 2” redirection domain |
| pagetome[.]com | Domain | Malicious “Step 2” redirection domain |
| parsfn[.]com | Domain | Malicious “Step 2” redirection domain |
| pbcinvestment[.]com | Domain | Malicious “Step 2” redirection domain |
| phillipsoc[.]com | Domain | Malicious “Step 2” redirection domain |
| pwsarch[.]com | Domain | Malicious “Step 2” redirection domain |
| re5[.]eu | Domain | Malicious “Step 2” redirection domain |
| sloanecarpet[.]com | Domain | Malicious “Step 2” redirection domain |
| ssidaignostica[.]com | Domain | Malicious “Step 2” redirection domain |
| tallwind[.]com[.]tr | Domain | Malicious “Step 2” redirection domain |
| ukbarrister[.]com | Domain | Malicious “Step 2” redirection domain |
| utnets[.]com | Domain | Malicious “Step 2” redirection domain |
| uv-pm[.]com | Domain | Malicious “Step 2” redirection domain |
| vleonard[.]com | Domain | Malicious “Step 2” redirection domain |
| wattsmed[.]com | Domain | Malicious “Step 2” redirection domain |
| whoyiz[.]com | Domain | Malicious “Step 2” redirection domain |
| wj-asys[.]com | Domain | Malicious “Step 2” redirection domain |
| wmbr[.]us | Domain | Malicious “Step 2” redirection domain |
| wwgstaff[.]com | Domain | Malicious “Step 2” redirection domain |
| xp1[.]us | Domain | Malicious “Step 2” redirection domain |
| xstpl[.]com | Domain | Malicious “Step 2” redirection domain |
| 154[.]29[.]75[.]192 | IP Address | Source IP address involved in EvilProxy attack |
| 185[.]241[.]52[.]78 | IP Address | Source IP address involved in EvilProxy attack |
| 185[.]250[.]243[.]176 | IP Address | Source IP address involved in EvilProxy attack |
| 185[.]250[.]243[.]38 | IP Address | Source IP address involved in EvilProxy attack |
| 198[.]44[.]132[.]249 | IP Address | Source IP address involved in EvilProxy attack |
| 212[.]224[.]107[.]12 | IP Address | Source IP address involved in EvilProxy attack |
| 45[.]8[.]191[.]151 | IP Address | Source IP address involved in EvilProxy attack |
| 45[.]8[.]191[.]17 | IP Address | Source IP address involved in EvilProxy attack |
| 74[.]208[.]49[.]213 | IP Address | Source IP address involved in EvilProxy attack |
| 77[.]91[.]84[.]52 | IP Address | Source IP address involved in EvilProxy attack |
| 78[.]153[.]130[.]178 | IP Address | Source IP address involved in EvilProxy attack |
| 87[.]120[.]37[.]47 | IP Address | Source IP address involved in EvilProxy attack |
| 104[.]183[.]206[.]97 | IP Address | Source IP address involved in EvilProxy attack |
| 172[.]102[.]23[.]21 | IP Address | Source IP address involved in EvilProxy attack |
| 191[.]96[.]227[.]102 | IP Address | Source IP address involved in EvilProxy attack |
| 90[.]92[.]138[.]71 | IP Address | Source IP address involved in EvilProxy attack |
| autonotification@concursolutions[.]com | Email address | Sender address involved in EvilProxy campaigns |
| [email protected][.]net | Email address | Sender address involved in EvilProxy campaigns |
| adobesign@adobesign[.]com | Email address | Sender address involved in EvilProxy campaigns |
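Indicators published in this defanged “[.]” form have to be normalized before they can be compared with raw proxy, DNS or mail logs, and domain indicators should match subdomains as well (a redirect through a host under one of the listed domains is still a hit). The following is an added example for this post, not Proofpoint's or RH-ISAC's tooling: it refangs a representative subset of the indicators above and scans constructed sample log lines. The log formats, regular expressions and sample lines are assumptions made for illustration.

```python
import re

# A representative subset of the indicators quoted above, kept in the page's
# defanged notation. Extend this list with the full table when using it for real.
PAGE_IOCS = [
    ("concur[.]bond", "Domain"),
    ("concursolutions[.]info", "Domain"),
    ("tallwind[.]com[.]tr", "Domain"),
    ("185[.]250[.]243[.]176", "IP Address"),
    ("45[.]8[.]191[.]17", "IP Address"),
    ("autonotification@concursolutions[.]com", "Email address"),
]


def refang(indicator):
    """Turn every '[.]' back into '.' and lower-case, so the value can be
    compared with what appears in raw logs."""
    return indicator.replace("[.]", ".").lower()


def build_sets(iocs):
    """Split the indicator list into lookup sets by type."""
    domains, ips, emails = set(), set(), set()
    for value, kind in iocs:
        v = refang(value)
        if kind == "Domain":
            domains.add(v)
        elif kind == "IP Address":
            ips.add(v)
        elif kind == "Email address":
            emails.add(v)
    return domains, ips, emails


def domain_matches(host, domains):
    """True for an exact match or a subdomain of a listed domain
    (login.concur.bond matches concur.bond; concur.bond.example.org does not)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample log lines (not real data). Field layout is an assumption.
SAMPLE_PROXY_LOG = [
    "2023-05-04T13:20:11 src=10.0.0.5 host=www.youtube.com status=302",
    "2023-05-04T13:20:12 src=10.0.0.5 host=login.concur.bond status=200",
    "2023-05-04T13:20:13 src=10.0.0.5 host=concur.bond.example.org status=200",
    "2023-05-04T13:21:40 src=10.0.0.5 dst=45.8.191.17 status=200",
]
SAMPLE_MAIL_LOG = [
    'from=<autonotification@concursolutions.com> to=<cfo@example.com> subject="Expense report"',
    'from=<noreply@example.com> to=<cfo@example.com> subject="Weekly digest"',
]

HOST_RE = re.compile(r"host=(\S+)")
DST_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)")
FROM_RE = re.compile(r"from=<([^>]+)>")


def scan_logs(proxy_lines, mail_lines, iocs=PAGE_IOCS):
    """Return a list of (indicator_type, matched_value) hits across both logs."""
    domains, ips, emails = build_sets(iocs)
    hits = []
    for line in proxy_lines:
        m = HOST_RE.search(line)
        if m and domain_matches(m.group(1), domains):
            hits.append(("domain", m.group(1)))
        m = DST_RE.search(line)
        if m and m.group(1) in ips:
            hits.append(("ip", m.group(1)))
    for line in mail_lines:
        m = FROM_RE.search(line)
        if m and m.group(1).lower() in emails:
            hits.append(("sender", m.group(1)))
    return hits


if __name__ == "__main__":
    for kind, value in scan_logs(SAMPLE_PROXY_LOG, SAMPLE_MAIL_LOG):
        print(f"{kind}: {value}")
```

One caveat on the email indicators: the post itself says the senders impersonated trusted services such as Concur and Adobe, so a From-address match alone identifies mail that claims to come from those services, legitimate mail included. Treat such a match as a triage signal to combine with SPF, DKIM and DMARC results, not as a block rule on its own. The lookalike host in the sample (`concur.bond.example.org`) is included to show why the subdomain check must anchor on a leading dot rather than a plain substring test.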
