Insikt Group Discovers Global Credential Harvesting Campaign Using FiercePhish Open Source Framework
October 27, 2020 • Insikt Group®
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
Recorded Future’s Insikt Group discovered a wide-reaching phishing campaign using the FiercePhish open source offensive phishing framework. The campaign, which is hosted on Russian domain infrastructure but does not target users in Russia, is globally harvesting credentials from a variety of organizations in the public and private sectors. This campaign, coordinated using asherintartrading[.]com, has been active since at least December 2019 and has cycled through over 30 DigitalOcean IP addresses, sometimes in a matter of hours. The rapid infrastructure changes indicate that the threat actor is proficient at evading security defenses and blocking tactics.
A screenshot of asherintartrading[.]com taken on December 27, 2019, the day the domain was first created, shows the domain configured as a FiercePhish management portal.
FiercePhish, created by Chris King, is an open source phishing framework designed to manage phishing engagements and is popular with ethical and non-ethical hackers. King’s social media bio states that he is a Red Team Manager and Lead at Mandiant, as well as an open source developer. Use of the FiercePhish framework in this campaign highlights the continued prevalence of offensive security tools being used for malicious purposes.
Between August 28 and September 3, 2020, Insikt Group identified the malicious domain, asherintartrading[.]com, and began to track historical threat data related to the domain, including a copy of a phishing message sent by “[email protected][.]com” to an email account affiliated with a foreign diplomatic office in Uganda on July 15, 2020. SMTP headers show the email was sent via mail.asherintartrading[.]com, and the email body was formatted in HTML.
The email was designed to harvest email credentials by duping the target into re-entering their login details on a tailored spoofed Gmail login page hosted on https://filminglocationwanted[.]ru. The campaign included two other .ru URLs coded into the message: v88779.ht-test[.]ru and levidom[.]ru (image below), the latter of which is a second credential harvesting link that also prompts the victim to enter their details when attempting to “unsubscribe” from the message.
Insikt researchers identified over 200 similarly constructed domains and URLs (see Appendix A), some of which were already tagged as phishing or spyware-related in VirusTotal. These domains and URLs are highly likely engaged in malicious credential harvesting phishing activity related to the “asherintartrading” campaign.
Recorded Future network telemetry shows that the “asherintartrading” infrastructure was used extensively for phishing activity, with a high volume of SMTP traffic. Our data reveals that almost two-thirds of all companies’ and organizations’ mail servers that received phishing emails from the “asherintartrading” campaign were within the government, education, finance, health, and energy sectors, with organizations in the U.S., Canada, India, and Turkey making up the largest portion of targeted countries.
Breaking this down further, both local municipalities and federal-level government organizations, primarily in the U.S. and Canada, were targeted, as well as global intergovernmental organizations.
Government organizations in the UK, Turkey, Qatar, Republic of Korea, India, UAE, and Australia were also targeted. Further analysis also reveals that the vast majority of phishing emails were sent to the government sector. Recorded Future data does not confirm that the target organizations were successfully compromised. However, the presence of some of these indicators in VirusTotal may indicate that some organizations are aware of and defending against this campaign.
Defense and Action
Given the wide scale of this phishing campaign, Recorded Future recommends that customers configure their network defenses to alert and block on the domains, URLs, and IPs listed below. We also strongly recommend that network defenders check enterprise email logs, SMTP headers, message IDs, and similar datasets for messages sent from any email address tied to the domain “asherintartrading[.]com.”
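The log review recommended above, together with the header and body indicators described earlier in the post (mail.asherintartrading[.]com in the SMTP path, and the filminglocationwanted[.]ru and levidom[.]ru links in the HTML body), can be turned into a small triage routine run over archived messages. The script below is an added example written for this excerpt; it is not code from Recorded Future, Insikt Group, or the FiercePhish project. The two sample messages are constructed for the example: the local part `sender`, the `placeholder` Message-IDs and ESMTP ids, the recipient addresses, and the 192.0.2.x addresses are all placeholders, and the report's defanged `[.]` domains are written in their real form so they compare against real header values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Domains named in the report, undefanged so they match real header values.
WATCH_DOMAINS = (
    "asherintartrading.com",
    "filminglocationwanted.ru",
    "v88779.ht-test.ru",
    "levidom.ru",
)

# Bare hostnames inside a header value (Received, Message-ID). Dotted IPs never
# match because the final label must be alphabetic.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def host_matches(host: str) -> Optional[str]:
    """Return the watched domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().strip().rstrip(".")
    for domain in WATCH_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def triage_message(raw: str) -> Dict[str, object]:
    """Flag a raw RFC 5322 message whose sender, transit path or body links touch WATCH_DOMAINS."""
    msg = message_from_string(raw)
    hits: List[Tuple[str, str]] = []
    urls: List[str] = []

    def record(where: str, domain: Optional[str]) -> None:
        if domain and (where, domain) not in hits:
            hits.append((where, domain))

    # 1. Sender identity headers: the address the mail claims to come from.
    for hdr in ("From", "Return-Path", "Reply-To", "Sender"):
        for value in msg.get_all(hdr, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                record(hdr, host_matches(addr.rsplit("@", 1)[1]))

    # 2. Transit headers: Message-ID and every Received hop. These are what the
    #    report means by checking SMTP headers and message IDs.
    for hdr in ("Message-ID", "Received"):
        for value in msg.get_all(hdr, []):
            for host in HOST_RE.findall(value):
                record(hdr, host_matches(host))

    # 3. Links in the body: the credential-harvesting and "unsubscribe" pages.
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for url in URL_RE.findall(text):
            domain = host_matches(urlparse(url).hostname or "")
            if domain:
                urls.append(url)
                record("url", domain)

    return {"suspicious": bool(hits), "hits": hits, "urls": urls}


# Constructed sample resembling the message described in the report (placeholders throughout).
SAMPLE_PHISH = """\
Return-Path: <sender@asherintartrading.com>
Received: from mail.asherintartrading.com (mail.asherintartrading.com [192.0.2.10])
\tby mx.example.org with ESMTP id placeholder01; Wed, 15 Jul 2020 09:12:44 +0000
From: "Mail Administrator" <sender@asherintartrading.com>
To: recipient@example.org
Subject: Mailbox storage notice
Message-ID: <placeholder01@mail.asherintartrading.com>
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. <a href="https://filminglocationwanted.ru/login">Sign in</a> to keep it active.</p>
<p><a href="https://levidom.ru/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# Constructed benign sample used as the negative case.
SAMPLE_CLEAN = """\
Return-Path: <newsletter@example.net>
Received: from smtp.example.net (smtp.example.net [192.0.2.20])
\tby mx.example.org with ESMTP id placeholder02; Wed, 15 Jul 2020 10:00:00 +0000
From: "Newsletter" <newsletter@example.net>
To: recipient@example.org
Subject: Weekly digest
Message-ID: <placeholder02@smtp.example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Read this week's digest at https://www.example.net/digest
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, triage_message(raw))
```

The Received and Message-ID checks matter more than the From check: a sender can put any address in From, but the relay hostnames in Received lines are written by the receiving servers, which is why the report points defenders at SMTP headers rather than display names. Extend WATCH_DOMAINS with the full indicator list from the report appendix when running this over a real mail archive.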