M365 Phishing Email Analysis – eevilcorp

Vade’s Threat Intelligence and Response Center (TIRC) has detected a new Microsoft 365 phishing attack. The TIRC analyzed an email containing a malicious HTML attachment.

In this post, we examine the TIRC’s phishing email analysis and review measures to stay protected.

Phishing email analysis: eevilcorp.online

The malicious HTML file contained JavaScript code designed to collect the email address of the victim and update the page with the content of the variable data used in a callback function.

Capture d’écran 2023-07-05 à 11.13.29

We decoded the base64 encoded string:

Input: aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT0xMCZtZW1lPUYtMDA wNjAmcGVlcj15b3VuZ19tdWx0aXBsZQ==

Output (defanged): hxxps[://]eevilcorp[.]online/generator?table=10&meme=F-00060&peer=young_multiple

Once decoded, we discovered a malicious domain, eevilcorp[.]online.

We found results for related Microsoft 365 phishing attacks online, in which requests to eevilcorp[.]online were made for the phishing applications.

Unknown phishers have leveraged the platform glitch.me to host malicious HTML pages.

Phishing email analysis – Microsoft 365 phishing page

Microsoft 365 phishing page - hxxps[://]periodic-checker[.]glitch[.]me

The source code of the page from periodic-checker[.]glitch[.]me is similar to the one from the HTML file in attachment.

Capture d’écran 2023-07-05 à 11.16.59

Using this source code, we decoded the base64 encoded string:

Input: aHR0cHM6Ly9lZXZpbGNvcnAub25saW5lL2dlbmVyYXRvcj90YWJsZT00Jm1lbWU9TC0wMDA

1NyZwZWVyPWdibV9vZmZpY2U=

Output (defanged): hxxps[://]eevilcorp[.]online/generator?table=4&meme=L-00057&peer=gbm_office

The output from hxxps[://]eevilcorp[.]online/generator?table=4&meme=L-00057&peer=gbm_office is a JSON object containing the HTML/JavaScript source code to generate the malicious Microsoft 365 authentication form.

[Related Content]: Cyberthreat Analysis: ‘Greatness’ Phishing-as-a-Service (PhaaS)

We found another phishing attack spoofing Adobe:

Phishing email analysis – Adobe phishing page

Adobe phishing page

Capture d’écran 2023-07-05 à 11.19.44

We decoded the base64 encoded strings:

Input: aHR0cHM6Ly91bHRpbW90ZW1wb3JlLm9ubGluZS9zZXJ2aWNlcy9wZXRheW9yLnBocA==

Output (defanged): hxxps[://]ultimotempore[.]online/services/petayor[.]php

The second base64 string is longer and we retrieved the domain eevilcorp[.]online, used to collect the IP address of the victim at the opening of the trapped page.

Capture d’écran 2023-07-05 à 11.21.07

The ouput from eevilcorp[.]online/activity/open was a JSON object.

Capture d’écran 2023-07-05 à 11.21.53

Paystub-382023

On Joe Sandbox, we found the scan result, Paystub-382023.html, related to another phishing attack associated with eevilcorp[.]online.

Phishing Email Analysis – Phishing page spoofing Microsoft

Phishing page spoofing Microsoft - Paystub-382023.html

Related to the file Paystub-382023.html, we found on Hybrid-Analysis that the file edge_driver.js has been dropped by Paystub-382023.html.

 

Phishing email analysis – edge_driver.js

Analysis overview - edge_driver.js

 

Even if the file edge_driver.js is not flagged as malicious on VirusTotal, we observed classical functions used to obfuscate payloads in JavaScript rendering the file suspicious at least.

[Related content]: New Phishing Attack Leverages Google Translate and IPFS Decentralized Network

 

Phishing email analysis – Virus Total

VirusTotal - edge_driver.js details

According to several online reports, the file edge_driver.js would be related to a browser adware/hijacker Edge Shopping. Below a list of related files:

Capture d’écran 2023-07-05 à 11.27.42

We suppose that miscellaneous malware could be distributed/dropped from an HTML page like Paystub-382023.html.

 

Click me

 

What does the authentication form Hawkeye mean?

The page returned by the malicious domain eevilcorp[.]online is an authentication page related to an application named Hawkeye.

Phishing email analysis – Hawkeye authentication form

Authentication form – Hawkeye

As reported by several cybersecurity actors like Talos, the original HawkEye Keylogger is a malware kit whose story began in 2013. Because several versions were introduced, we don’t know if the authentication page above is related to HawkEye Keylogger.

Phishing email analysis – HackEye keylogger logos

HawkEye Keylogger logos

Phishing email analysis – HawkEye PHP Logger (2014)

HawkEye PHP Logger (2014)

Phishing email analysis - indicators of compromise (IoCs)

Below are important indicators of compromise (IoCs) related to the phishing email analysis.

Domains

  • periodic-checker[.]glitch[.]me
  • scan-verified[.]glitch[.]me
  • transfer-with[.]glitch[.]me
  • air-dropped[.]glitch[.]me
  • precise-share[.]glitch[.]me
  • monthly-payment-invoice[.]glitch[.]me
  • monthly-report-check[.]glitch[.]me
  • eevilcorp[.]online
  • ultimotempore[.]online

 

URLs

  • hxxps[://]ultimotempore[.]online/services/gbm_office[.]php
  • hxxps[://]ultimotempore[.]online/services/ryan_office[.]php

 

Takeaways from M365 phishing email analysis

Phishing remains a top threat and the #1 method of distributing malware, including ransomware. Protecting your organization from compromise calls for adopting user awareness training that teaches employees how to spot and handle phishing threats. It also requires reinforcing your Microsoft 365 email security with integrated protection from a third-party solution.

Vade for M365 is a collaborative Microsoft 365 email security solution powered by AI and enhanced by people. In addition to robust incident response and advanced threat detection capabilities, it offers automated phishing awareness training that is personalized and administered whenever users encounter a phishing threat.

Click me