
The Dark Water Journal: Latin Phisher

Sergiu Sechel
The Dark Water Journal
3 min read · Dec 16, 2019


The following article presents a phishing investigation which uncovered a campaign designed to impersonate Banco Santander Brazil’s website and gather personally identifiable information (PII) from Brazilian companies.

The threat actor compromised several vulnerable websites around the world and then deployed a phishing tool called “ZUB” on them. At the moment of discovery the tool was not flagged by any antivirus engine. The campaign appears to be designed to minimize the risk to the threat actor’s anonymity: the phishing tool was not configured to send the captured data to email accounts or to other IP addresses, so there is no exfiltration channel that could be traced back to the actor.

The campaign is at least one week old and currently uses around 37 compromised websites to host the phishing tool.

Initial Discovery

The phishing pages were initially identified on several Romanian websites. The path to the phishing pages is the following:

  • <domain>/- -/app/www.esfera.com.vc/<random_string>/

Upon closer inspection the pages appeared to impersonate the “Esfera” program of Banco Santander Brazil.
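The path above is distinctive enough to hunt for in web server access logs. The script below is an added example written for this article, not the author’s tooling and not part of the ZUB kit: it parses Common Log Format lines, decodes the URL (a request for the “- -” segment arrives encoded as “/-%20-/”), matches the “app/www.esfera.com.vc/<random_string>/” pattern, and separates landing-page visits from form submissions. It assumes that the kit’s save.php sits in the same directory as index.html, that the random string uses URL-safe characters, and that the log lines (constructed here) follow the standard format.

```python
"""Hunt web-server access logs for requests to the ZUB phishing path."""
import re
from urllib.parse import unquote

# Distinctive path reported for the campaign:
#   <domain>/- -/app/www.esfera.com.vc/<random_string>/
# The leading "- -" segment is matched with or without the space, since a
# request for it arrives URL-encoded as "/-%20-/"; the "app/www.esfera.com.vc"
# segment is the real anchor. The token character set is an assumption.
PHISH_PATH = re.compile(r"/-\s?-/app/www\.esfera\.com\.vc/(?P<token>[A-Za-z0-9_-]+)/?")

# Apache/nginx Common Log Format:
#   client ident authuser [timestamp] "METHOD path PROTOCOL" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(method, path):
    """A POST to save.php inside the kit directory is a victim submission
    (assumes save.php sits beside index.html, as in the recovered archive);
    anything else matching the path is a visit to the landing page."""
    if method == "POST" and path.endswith("/save.php"):
        return "submission"
    return "landing"


def find_phish_hits(log_lines):
    """Return one record per request that touches the campaign path."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        path = unquote(m.group("path"))  # decode %20 etc. before matching
        p = PHISH_PATH.search(path)
        if not p:
            continue
        hits.append({
            "client": m.group("client"),
            "ts": m.group("ts"),
            "token": p.group("token"),
            "kind": classify(m.group("method"), path),
            "path": path,
        })
    return hits


def victim_ips(hits):
    """Clients that actually submitted the form, i.e. likely victims to notify."""
    return {h["client"] for h in hits if h["kind"] == "submission"}


# Constructed sample log lines (not from a real server) for a dry run.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2019:10:01:02 +0000] "GET /--/app/www.esfera.com.vc/k9xq2/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [15/Dec/2019:10:01:40 +0000] "POST /--/app/www.esfera.com.vc/k9xq2/save.php HTTP/1.1" 200 41',
    '198.51.100.22 - - [15/Dec/2019:10:02:11 +0000] "GET /-%20-/app/www.esfera.com.vc/Zb7Ld/index.html HTTP/1.1" 200 5123',
    '198.51.100.9 - - [15/Dec/2019:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200',
    '192.0.2.5 - - [15/Dec/2019:10:04:00 +0000] "GET /app/www.esfera.com.vc/ HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in find_phish_hits(SAMPLE_LOG):
        print(hit)
    print("victims:", victim_ips(find_phish_hits(SAMPLE_LOG)))
```

Decoding the path before matching matters: a regex applied to the raw log line would miss the “/-%20-/” form. The last sample line shows the kind of near miss the pattern should ignore, a probe for the esfera segment without the “- -” prefix and without a token.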

The phishing pages are designed to capture the following information from users:

  • user ip address
  • the “CNPJ” code (Cadastro Nacional da Pessoa Jurídica)
  • name
  • telephone number
  • time availability
  • email address
  • user_agent
  • computer name
  • current date
  • current time

Since the phishing tool and configuration files were not recoverable from the Romanian compromised websites, the next step was to search for the tools on other compromised websites.

Threat Hunting

37 compromised websites were identified quickly using threat intelligence feeds and BlackShark. Checking each of them for the kit itself is time consuming and offers no guarantee that the phishing kit will be found. Luckily, the phishing tool archive was found on one of the compromised websites, in a folder named “Arquivos” (Portuguese for “Files”).

ZUB phishing tool archive found in one compromised website

Phishing Kit Analysis

The ZUB archive contained a number of files and a PHP script. The files were hashed and the hashes searched on popular virus and malware sharing platforms, which returned no results.

The contents of the ZUB phishing tool archive recovered from a compromised domain

Analysis of the “save.php” file confirmed what information was being captured from phished users and where it was being stored. For each phished user the script creates a text file named after the victim’s IP address (<user ip address>.txt) and writes it to the compromised web server.

The contents of the ZUB phishing kit “save.php” file

Since the captured data is stored on the compromised website itself, the threat actor must retain access to the web server in order to retrieve the text files.

Hashes (IOCs)

The ZUB phishing tool was uploaded to VirusTotal. The following list contains the SHA-256 hashes of the kit files for threat hunters and incident response teams:

  • main.js 008262fd6805cfd0c51f4ea39a81793997dcc5032a079edbd8a8ac8b27bbe198
  • index.html 217e624869803ec582d9324c63267a668afab34463ee5f97fee04efe22f10229
  • save.php 3f001188c871646c3fffffadc46583ff553dde42ec4882e02f2e58e3afcf3426
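An incident responder who suspects a web server hosts this kit has three things to look for: files matching the hashes above, a directory following the campaign path, and the per-victim text files that save.php leaves behind. The sweep below is an added example written for this article (not the author’s tooling and not kit code) that checks all three. It assumes the victim files are named exactly <ip>.txt as described, that the random directory name uses URL-safe characters, and it builds a constructed, placeholder web root in a temporary directory so it can be run offline; placeholder content will of course not match the real hashes.

```python
"""Sweep a web root for ZUB artefacts: IOC hashes, the campaign directory
and the per-victim text files written by save.php."""
import hashlib
import ipaddress
import os
import re
import tempfile

# SHA-256 hashes of the kit files listed in the article, keyed to file name.
ZUB_HASHES = {
    "008262fd6805cfd0c51f4ea39a81793997dcc5032a079edbd8a8ac8b27bbe198": "main.js",
    "217e624869803ec582d9324c63267a668afab34463ee5f97fee04efe22f10229": "index.html",
    "3f001188c871646c3fffffadc46583ff553dde42ec4882e02f2e58e3afcf3426": "save.php",
}

# Directory layout reported for the phishing pages (token charset assumed).
KIT_DIR = re.compile(r"/-\s?-/app/www\.esfera\.com\.vc/[A-Za-z0-9_-]+$")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_victim_drop(name):
    """save.php writes one <victim ip>.txt per phished user; flag file names
    that are a syntactically valid IP address plus '.txt'."""
    stem, ext = os.path.splitext(name)
    if ext != ".txt":
        return False
    try:
        ipaddress.ip_address(stem)
    except ValueError:
        return False
    return True


def sweep(root, ioc_hashes=ZUB_HASHES):
    """Walk the web root and collect hash matches, kit directories and victim files."""
    findings = {"hash_hits": [], "kit_dirs": [], "victim_files": []}
    for dirpath, _dirs, files in os.walk(root):
        relp = os.path.relpath(dirpath, root)
        rel = "" if relp == "." else "/" + relp.replace(os.sep, "/")
        if KIT_DIR.search(rel):
            findings["kit_dirs"].append(rel)
        for name in files:
            digest = sha256_file(os.path.join(dirpath, name))
            if digest in ioc_hashes:
                findings["hash_hits"].append((rel + "/" + name, ioc_hashes[digest]))
            if is_victim_drop(name):
                findings["victim_files"].append(rel + "/" + name)
    return findings


def build_demo_tree():
    """Constructed sample web root with placeholder content (not the real kit),
    so the sweep can be exercised offline."""
    root = tempfile.mkdtemp(prefix="zub-demo-")
    kit = os.path.join(root, "--", "app", "www.esfera.com.vc", "k9xq2")
    os.makedirs(kit)
    for name in ("index.html", "main.js", "save.php"):
        with open(os.path.join(kit, name), "w") as f:
            f.write("placeholder " + name + "\n")
    with open(os.path.join(kit, "203.0.113.7.txt"), "w") as f:
        f.write("constructed victim record\n")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("not a victim file\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for key, value in sweep(demo_root).items():
        print(key, value)
```

The hash check only catches unmodified copies of the three files; a kit that has been re-packed or edited by another operator will hash differently, which is why the directory pattern and the <ip>.txt drop files are checked as well. Any victim files found are the actual record of who was phished and should be preserved for notification rather than simply deleted with the kit.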

Compromised Websites (IOCs)

The following compromised websites hosted the ZUB phishing tool. The list was compiled on 15 December 2019:

  • app-esfera.com
  • aureliaeventos.com
  • ber.com.tr
  • bettopten.com
  • comsistec.com
  • digital.lamakaan.com
  • esfera.atualizar.app
  • esferapontos.shop
  • frostem.com
  • frostem.ru
  • intupush.com
  • lerefugetoulouse.com
  • mefintranet.finanzas.gob.ec
  • mini-stars.ro
  • minnen.com
  • moscom.co.za
  • nongsanhuongviet.com
  • okkpd.pertanian.jatimprov.go.id
  • paradanoticiosa.cl
  • pilikon.com.tr
  • pjsantanderesfera.com
  • robertlees.org
  • salsabootcamp.gr
  • santander.premiosesfera.com
  • thecelticlodge.org
  • toponomasticafemminile.com
  • worldeyestudios.com
  • www.agence-abaque.com
  • www.azosimoveis.com
  • www.bellepeau.com.br
  • www.chmsc.edu.ph
  • www.firmatanitim.com
  • www.japoneza.lls.unibuc.ro
  • www.kristallsolucoes.com.br
  • www.metaltela.com
  • www.transmedia.cl
  • www.westblockblues.in


PhD, CISA, CISM, CRISC, CFE, CEH, CBP, CSSLP, CDPSE, GICSP, GPEN, GWAPT, GCFA, GNFA, GASF, GCTI, GREM, PMP