[Phishing kit] M&T Bank – Telegram exfiltration kit, without any Telegram link

No comments

One of the latest kits downloaded by StalkPhish targets customers of the online bank M&T. It has a special feature that we wanted to share with you. We still blogged about the use of Telegram by scammers, but this kit present an interesting new trick.

M&T Bank ‘xx’ phishing kit front page

First observations

As many, the archive of this kit has been left on the server by the scammer. We named this kit ‘xx‘ because the archive presents a xx.php file. This kit is only composed of 2 pages, a PHP file to process the collected data and an HTML file:

Phishing kit Zip archive content

The HTML page has no specificities, the links to the original site are kept, as well as the images that are called from the original server, which makes it a particularly easy to detect phishing kit as long as the HTTP referers are monitored.

The collected data are then sent to the xx.php file:

call to the xx.php script

Exfiltration script

The xx.php script looks similar to a lot of phishing kits, and more specifically to an existing M&T Bank NFL kit (see https://github.com/t4d/PhishingKit-Yara-Rules/blob/master/PK_MTB_NFL.yar):

xx.php file

What is particularly interesting here is the email address.

Using Telegram through email address

While many scammers usually use Gmail, Yandex, Yahoo, Protonmail, etc… email addresses, this actor uses an etlgr.com email address. This domain is used by a platform that offers to reroute data sent to an email address, to a Telegram bot:

You just have to launch, in your Telegram app, a conversation with the proposed bot, to generate an email address:

Screenshot from etlgr.com website

Once the email address generated, the attacker can then declare it in the exfiltration script to send the stolen data, via email, to the Telegram bot.

The bot, the service and the OpSec

The bot offers a help section with commands to configure the service and subscription, as you can see here:

Bot help

One of the most interesting command is the subscription one, command you can use to retrieve informations about your account… or the scammer one! This command generate a subscription management link to the subscription page which use your ID account.

Subscription command, with subscription management link

Then you can modify the link using the chat ID (in email address, the ID before the @etlgr.com) to have access to scammer’s informations:

Scammer’s informations on the subscription page

We can observe several things here:

  • the scammer purchased a one year subscription, which will expires on 2022-11-17
  • you can pay using Bitcoin
  • you can find a link to the subscriber Telegram profile page:
Scammer’s Telegram profile

Then you can now continue your investigations on the scammer if you want to go further, but this is not the purpose of this post.

Search and destroy

In order to search for this type of kit you can use the StalkPhish.io API using the URL search and containing the string “Hajjjerr.htm” or “mbankss” (you can register on stalkphish.io for free here: https://stalkphish.io), then you will retrieve a list of URLs where those phishing kit was installed:

$ curl -H “authorization: Token YOUR_STALKPHISH.IO_API_TOKEN” https://api.stalkphish.io/api/v1/search/url/Hajjjjerr.htm|jq

Stalkphish.io API extraction

Then you can start your takeover campaign!

IOCs

Kit’s zip file hash {SHA256}:
f43a06a42b87920c300929003787fc3c6a3b7f0fb7f0f97726c9f2f3f8c0dd80

Contact e-mail:
‘784320094\\\\@etlgr[.]com’

Associated scammer infos:
‘Don Dari’, ‘\\\\@dondarigh’, https[:]//t.me/dondarigh

PhishingKit Yara Rule:
PK_MTB_xx.yar

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s