[Threat intelligence] About the Phishing as a Service tool named “Greatness”

Find a short analysis of the “Greatness” phishing kit used by a new Phishing as a Service infrastructure. Added some original IOCs for detection and hunting.

StalkPhish's avatar By StalkPhish in CERT, CSIRT, cti, hunting, investigation, OSINT, phishing, phishing kit, PhishingKit-Yara-Rules, Stalkphish, threat intelligence on
No comments

On 10 May 2023, Cisco Talos wrote a blog post introducing a new Phishing as a Service (Paas/PhaaS) tool called Greatness. This tool allows the attacker to impersonate a Microsoft Office authentication page in order to steal authentication credentials, including the second factor, with the help of an administration interface.

This threat is thought to have begun in mid-2022, and was detected in early September by our Stalkphish.io platform.

Since then, several versions of this phishing kit have been downloaded by Stalkphish.io. In fact, this kit has evolved regularly since it was first made available (see this post by svch0st ).

The phishing kit

This is what the “Greatness” phishing kit looks like when deployed (version 16, from March 2023):

As you can see below, most of the files in the kit are very heavily obfuscated:

However, some files cannot be obfuscated because they must be configured by the customer, as the config.ini file , the configuration file:

This configuration file can be used to determine the various data exfiltration vectors, as some other information:

  • data can be exfiltrated via a Telegram channel
  • data can be exfiltrated via email
  • data is written to a text file (probably used by the admin panel)
  • antibots can be activated
  • the customer needs an API key to use the kit
  • the nickname of the actor behind this infrastructure

Detection/hunting

We created a dedicated PhishingKit-Yara-rule to detect any zip files hosting the phishing kit sources: https://github.com/t4d/PhishingKit-Yara-Rules

You can use this rule on your servers for hunting, see how you can use PhishingKit-Yara-rules.

Greatness PhishingKit-Yara-rule

You can probably use this rule to hunt for kits on the VirusTotal portal too.

Additional IOCs

Cisco Talos published IOCs on a dedicated Github repository and we’ve added those collected by Stalkphish.io – which are not on the Talos list – below:

Hosting URL:

hxxp://cebamok[.]tk/secure/host7/admin/js/mj.php
hxxp://h2osolucoes[.]com[.]br/wp-includes/api/pp/admin/js/mj.php
hxxps://angry-albattani.194-58-33-187.plesk[.]page/mod/hostv17/admin/js/mj.php
hxxps://ayb[.]co[.]th/wp-includes/.qr/host7/admin/js/mj.php
hxxps://bilmariagirlshighschool[.]edu[.]bd/secure/host6/admin/js/mj.php
hxxps://buyandsave[.]co[.]business/wp-admin/js/mj.phpwidgets/host9/admin/js/mj.php
hxxps://citsolar[.]mx/wp/host12.mod/admin/js/mj.php
hxxps://ecocands[.]com/wp-content/plugins/ddqfjvf/off/host7/admin/js/mj.php
hxxps://eventbanditz[.]com/wp-content/themes/seotheme/host7/admin/js/mj.php
hxxps://gracias-mama[.]com/wp-admin/includes/dump/host9/admin/js/mj.php
hxxps://h2osolucoes[.]com.br/wp-content/api/admin/js/mj.php
hxxps://interesting-shaw.128-199-202-98.plesk[.]page/admin/js/mj.php
hxxps://ittecsistemas[.]com/wp/wp-content/host6/admin/js/mj.php
hxxps://micdev77.dreamhosters[.]com/wp-content/themes/seotheme/bomber/host7/admin/js/mj.php
hxxps://naturalerestu[.]com/wp-content/plugins/okdlrpm/office/host9/admin/js/mj.php
hxxps://nexusfleck[.]com/MSC/host10/admin/js/mj.php
hxxps://oniropagidaschool[.]gr/wp-content/plugins/ioptimization/host6/admin/js/mj.php
hxxps://ortopedica[.]com[.]mx//wp-includes/pomo/xoxo/admin/js/mj.php
hxxps://pbc-amenagement[.]fr/wp-content/qwe/host8/admin/js/mj.php
hxxps://samedayairfreight[.]com/wp-includes/certificates/.certs/host10.9/admin/js/mj.php
hxxps://smarthrservice[.]com/lmtbkmntvtfv/ioeriffe/host15/admin/js/mj.php
hxxps://wensbd[.]com/host16/admin/js/mj.php
hxxps://www.alcoholimetros-peru[.]com/wp-includes/11111111/host16/admin/js/mj.php
hxxps://www.beachbing[.]com/wp-content/office/host9/admin/js/mj.php
hxxps://www.ifudetours[.]com/wp-content/host6/admin/js/mj.php
hxxps://www.loyaukee[.]hk/secure/host7/admin/js/mj.php
hxxps://www.monomerados[.]com/wp-admin/js/mj.phpwidgets/customwidget/empty/album/admin/js/mj.php

Zip file source code:

{SHA256} 3ded1ed498a3d4c9917668c2ac52a9965f7c1c5735b524aa55d6e3e291da2d30
{SHA256} cda5597a37a2cdf3ad9a9847662ecfa4b6ca2a9db487d9b73ec45ebdcd8b7394
{SHA256} fcdf63d48705a6168bdbea8a72fafa5aa6b11ad913e14891a09386147e00a5d2
{SHA256} 9c18a156b8bc8ec3af8263f2a23ee994d629b79cdb625c972d43d341a237ad30
{SHA256} 9d4814b9c569bc17392ebddcb63ca8ec8f4a15f6a2c882aef1fbe304682f93dc
{SHA256} e3e177659ac1fed2bcbc7e904d17b1b74452366669bf629095ddb785254ce0f3
{SHA256} 4a1168c15992a3c76234e4b134a3f5074094c34e657b37e155728c41dea51804

About Stalkphish

We propose free, open source and downloadable tools, mainly focused on anti-phishing and brand identity theft (StalkPhish OSS, PhishingKit-Yara-Rules, PhishingKitHunter), check our dedicated page.

We provide enriched data related to these massive phishing campaigns, through our StalkPhish.io REST API, dedicated to digital detection and investigation of actors and their infrastructures.

Also, we regularly share knowledge and analysis of phishing kits on our StalkPhish.com (this) blog.

You can contact us for more information via our contact page.

StalkPhish

Discover more from StalkPhish - phishing, scam and brand impersonation detection

Subscribe to get the latest posts sent to your email.

Tags: , , , ,

Leave a comment