Last year, Netskope Threat Research Labs discovered Hackshit Phishing as a Service (PhaaS) platform that recorded the victims credentials via websocket service hosted in Amazon S3. Eventually, after reporting the attack elements to all the entities, the services were stopped.
Now, fast forward to 2018, while researching the latest phished baits and trends, we observed the resurgence of Hackshit Phishing as a Service (PhaaS) platform reusing the same attack elements as reported earlier. We uncovered the tactics, techniques, and procedures (TTPs) like the Platform as a Service (PaaS) app for developing, deploying and running the code and the file-sharing platform for spreading the phished baits from secured websites.
Netskope for Web can proactively protect customers from credential theft by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.
Hackshit PhaaS allowed its users to record the victim credentials via WebSockets using base64 encoded secure (HTTPS) phished baits or using decoy PDF documents with an embedded link. Initially, all the phished baits were delivered from secure (HTTPS) websites with top-level domains with the “moe” top-level domain (TLD). Later, we observed several phished baits served from secure (HTTPS) websites with top-level domains (TLD) namely “moe”, “tn”, “cat”, “wtf”, and “space”. The phished baits we observed were not encoded with base64. They were disguised and designed to mimic login pages of popular services like Microsoft, Google Docs, Dropbox, and DocuSign for obtaining the user credentials.
Analysis of the Phished baits
The credentials entered in the phished baits mentioned above are sent to the attacker via WebSocket to the URL’s https://pod[.]logshit[.]com, https://pod-1[.]logshit[.]com and https://hspod-1[.]eu-1[.]evennode.com. These WebSocket services were hosted and deployed on a Platform as a service named Evennode. All the URLs resolved to the IP address 52.18.91[.]8. At the time of analysis, the IP was registered to Amazon S3 and resolved to ec2-52-18-91-8.eu-west-1.compute[.]amazonaws.com.The phished baits we observed is shown in Figure 1.
Figure 1: Hackshit Phished baits
These attack elements reused the same URLs which we reported during the discovery of Hackshit. The exfiltration routine for uploading the victims’ credentials via WebSockets was appended at the end of the pages. An excerpt of one of the phished bait is shown in Figure 2.
Figure 2: Credentials are sent to the attacker via a WebSocket
Delivery of the Phished baits
The phished baits were delivered from secure (HTTPS) websites with new top-level domains (TLD) namely moe, tn, cat, wtf, space. The list of websites serving the phished baits related to Hackshit are listed below:
https://a.pomf[.]cat/pwigae[.]html
https://a[.]pomf[.]cat/sellha[.]html
https://a[.]pomf[.]cat/tolgpg[.]html
https://u[.]trs[.]tn/cssmlf[.]html
https://a[.]doko[.]moe/mzxkup[.]html
https://a[.]doko[.]moe/tpulcx[.]html
http://a[.]doko[.]moe/bmhnvq[.]html
https://w[.]wew[.]wtf/xistho[.]html
https://a[.]pomf[.]space/jehdgewzbpvu[.]html
All the websites had an SSL server certificate issued by LetsEncrypt or Comodo. Most of the websites had the title “Kawaii File Hosting” and “Pomf File Hosting”. On further research, we found that the websites were clones built using a file uploading and sharing platform named Pomf.
Pomf file uploading and sharing platform
As per the archiveteam.org website, pomf.se was a Sweden-based website providing filesharing, paste and torrent tracker services. The website was discontinued on 2015-06-08. The website now contains details of the source code hosted in github, temporary hosting, and a list of the known clones in a google spreadsheet as shown in Figure 3.
Figure 3: pomf.se website
The recommended configuration of pomf consists of NGiNX, MariaDB, PHP 7.0, and LetsEncrypt. A google search with keywords “Kawaii File Hosting “ and “ Pomf File Hosting” led us to the discovery of the existence of several pomf clones with a diversified set of TLDs. We also found several google results reporting malware delivered from these clones. This led us to the question of why the threat actors were using these services for delivering malware.
Pomf clones are very helpful for threat actors for invoking a payload and staying under the radar such as
- One click uploading with no registration
- Direct download link of the uploaded file using a random link generator
- Support of SSL (Letsencrypt, Comodo)
- All the websites we observed do not collect or log any user data
The use of pomf clones has been extensively discussed in several offensive attack forums for hosting and delivering malware. Most of the websites are also not indexed by search engines, thereby ensuring smooth delivery of malware. As shown in Figure 4, one such article we observed, titled, ‘Targeted Spreading’ details the use of pomf.cat for hosting malware.
Figure 4: Targeted Spreading using pomf.cat
Hackshit service
Interestingly, all services