
Exploiting QR Codes: AiTM Phishing with DadSec PhaaS

BY eSentire Threat Response Unit (TRU)

October 17, 2023 | 7 MINS READ


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Our Threat Response Unit (TRU) has observed a surge in AiTM (Adversary in the Middle) phishing attacks. AiTM phishing is a sophisticated tactic where attackers position themselves between the victim and a legitimate website or service. In doing so, they can intercept and often manipulate communications in real time.

A particularly alarming capability of AiTM phishing is its ability to bypass Multi-Factor Authentication (MFA). Not only can attackers capture real-time MFA tokens or codes, but they can also seize MFA session cookies. With these captured session cookies, attackers can maintain unauthorized access without needing to re-authenticate, effectively sidestepping MFA measures.

This method has become a favored approach for conducting Business Email Compromise (BEC) attacks, where attackers impersonate trusted entities to execute fraudulent activities, including unauthorized financial transactions.

Adversary in the Middle (AiTM) attacks, a variant of the traditional Man-in-the-Middle (MitM) attack, have gained popularity for several reasons:

For additional technical details on AiTM phishing and BEC attacks, see the eSentire TRU Intelligence Briefing for September 2023.

Figure 1 is an example of an AiTM phishing attack targeting one of our clients. The threat actor(s) impersonated HR personnel and used a QR code to entice the employee into scanning it with their phone. This tactic is especially concerning because it prompts users to enter their credentials on devices that may not be under corporate monitoring.

Figure 1: Example of the AiTM phishing attack leveraging QR code

As Figure 2 shows, the attacker leveraged Cloudflare Turnstile to confirm that the visitor is real and to employ the evasion technique mentioned above.

Figure 2: Attacker leveraging Cloudflare Turnstile

After the successful check, the user is redirected to the fake Microsoft O365 landing page that prompts the user to enter their credentials, as shown in Figure 3.

Figure 3: Fake O365 landing page

Upon entering the valid credentials, the user gets an MFA prompt if it’s set up, as shown in Figure 4.

Figure 4: MFA prompt

When the user confirms their identity using one of the methods, the attacker can intercept and steal the session cookie. This allows them to access the user's account without further authentication, effectively bypassing MFA.

DadSec PhaaS

eSentire TRU has identified the DadSec PhaaS as the orchestrator behind a particular QR code campaign. DadSec offers customers access to a user-friendly phishing panel, enabling them to launch sophisticated phishing attacks easily. This panel offers theme customization, antibot features, and more. DadSec promotes its services both on its website and within specific Telegram groups, as depicted in Figure 5. Access to this phishing panel is priced at $500.

Figure 5: DadSec advertisement

We were able to find some evidence of the DadSec panel’s source code. All the PHP files are heavily obfuscated (Figure 6).

Figure 6: Obfuscated PHP code

Figure 7 shows an example of the antibot feature and IP blocking from the deobfuscated code. Whenever it detects a bot or crawler, it displays an “HTTP/1.0 404 Not Found” page.

Figure 7: AntiBot feature

DadSec also displays a “404 Not Found” page for the keywords shown in Figure 8.

Figure 8: Blocked keywords

IP blocking is also in place for IPs such as 65.55.92.152, 216.58.211.37, and so on. We believe that the phishing developer grabbed the keywords, IPs, and bots from the antibot1.php file (MD5: 7db0362ac94539ca92d748bcfff24fdf) shown in Figure 9.

Figure 9: Snippet of antibot1.php file

Figure 10 displays the settings of DadSec. Users can configure it to send results to Telegram or email and set up a redirect URL after credentials are entered. Additionally, there's an option to toggle the Cloudflare Turnstile tool on or off.

Figure 10: DadSec settings (deobfuscated PHP file)

In Figure 11, the DadSec developer showcases the panel and how custom themes can be set up.

Figure 11: DadSec panel

Figure 12 displays the background images found within the DadSec phishing panel. Recently, Any.Run highlighted in a Twitter post how legitimate services are being exploited for phishing. Notably, one of the screenshots from their post features one of these background images (Figure 13).

Figure 12: Phishing background images

Figure 13: DadSec phishing background image (Source: Any.Run)

After conducting an extensive investigation, we identified over a thousand domains associated with DadSec phishing. Most of these domains are hosted on Cyber Panel, an open-source Web Hosting Control Panel, as illustrated in Figure 14.

Figure 14: Domains hosting DadSec phishing (source: URLScan.io)

Evilginx Showcase

To illustrate the mechanics of AiTM and the simplicity of bypassing MFA, we'll deploy Evilginx, a framework tailored for man-in-the-middle phishing attacks.

We will log in to the phishing site with our credentials (Figure 15).

Figure 15: O365 phishing landing page

After entering the correct credentials, the user receives an MFA push notification on their phone via the Authenticator app. Upon accepting the sign-in request and choosing to remain logged in, the attacker intercepts the session cookie, which has a limited validity period, as depicted in Figure 16.

Figure 16: The user receiving and approving the MFA push

The attacker obtains the session cookie, which can be entered into the Cookie Editor, allowing them to access the O365 account while circumventing MFA, as illustrated in Figures 17-18.

Figure 18: Successful MFA bypass
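
A defender-side check for the cookie replay shown above, as an added example that is not eSentire's detection logic: it flags a session that, after MFA was satisfied, is used from a different IP address and a different user agent. The event records and their field names (time, user, session, ip, ua, mfa) are constructed and hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed identity-provider events; the field names are hypothetical.
EVENTS = [
    {"time": "2023-10-02T14:01:10", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.23", "ua": "Mozilla/5.0 (iPhone) Safari", "mfa": True},
    {"time": "2023-10-02T14:09:42", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome", "mfa": False},
    {"time": "2023-10-02T09:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari", "mfa": True},
    {"time": "2023-10-02T11:30:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh) Safari", "mfa": False},
]

def find_session_reuse(events):
    """Flag sessions used, after the MFA-backed sign-in, from another IP and UA."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # no MFA-backed sign-in seen for this session
        t0 = datetime.fromisoformat(origin["time"])
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            # Require both IP and user agent to change: an IP change alone is
            # common for phones moving between Wi-Fi and mobile data.
            if t > t0 and ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]:
                findings.append({"user": ev["user"], "session": session,
                                 "origin_ip": origin["ip"], "reuse_ip": ev["ip"],
                                 "delay_s": int((t - t0).total_seconds())})
                break  # one finding per session is enough to open a case
    return findings

if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

This is a heuristic: a hit is a lead for revoking the session and reviewing the account, not proof of compromise on its own.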

What did we do?

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU) Team:

Indicators of Compromise

| Name | Indicators |
| --- | --- |
| DadSec Phishing Site | 5roeh2dm9tgpqgtlhs27.vlh3[.]ru |
| DadSec Phishing Site | myips[.]cc |
| antibot1.php | 7db0362ac94539ca92d748bcfff24fdf |
| Phishing C2 | 63.250.38[.]127 |
| Phishing C2 | 162.255.118[.]206 |
| Phishing C2 | 64.52.80[.]237 |
| Phishing C2 | 64.52.80[.]228 |
| Phishing C2 | 193.149.185[.]222 |
| Phishing C2 | 204.93.231[.]125 |
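
One way to sweep web proxy logs for the network indicators listed above (added example, not part of the original post): it refangs the listed values, separates IPs from domains, and matches request hosts exactly or on a subdomain boundary. The log line layout, timestamps and client addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Network indicators as listed (defanged) above; the MD5 is a file hash and
# is left out of this network sweep.
DEFANGED_IOCS = [
    "5roeh2dm9tgpqgtlhs27.vlh3[.]ru", "myips[.]cc",
    "63.250.38[.]127", "162.255.118[.]206", "64.52.80[.]237",
    "64.52.80[.]228", "193.149.185[.]222", "204.93.231[.]125",
]

def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".").lower()

def load_iocs(defanged):
    """Split refanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains

def sweep(lines, ips, domains):
    """Return (host, line) for every request whose host matches an indicator."""
    hits = []
    for line in lines:
        host = (urlsplit(line.split()[-1]).hostname or "").rstrip(".")
        # Match the exact host or a subdomain on a label boundary, so a host
        # that merely ends with the same letters does not match.
        if host in ips or any(host == d or host.endswith("." + d) for d in domains):
            hits.append((host, line))
    return hits

# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
LOG_LINES = [
    f"2023-10-02T14:00:58Z 10.1.4.22 GET https://{refang(DEFANGED_IOCS[0])}/",
    "2023-10-02T14:01:03Z 10.1.4.22 GET https://login.microsoftonline.com/",
    f"2023-10-02T14:02:11Z 10.1.7.5 POST http://{refang(DEFANGED_IOCS[4])}/",
    f"2023-10-02T14:03:40Z 10.1.9.9 GET https://not{refang(DEFANGED_IOCS[1])}/",
    f"2023-10-02T14:04:02Z 10.1.9.9 GET https://WWW.{refang(DEFANGED_IOCS[1]).upper()}:443/",
]

if __name__ == "__main__":
    for host, line in sweep(LOG_LINES, *load_iocs(DEFANGED_IOCS)):
        print(host, "<-", line)
```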
