In this Malware Analysis Spotlight, we will take a look at a phishing kit related to Kuzuluy, also known as KuzuluyArt. According to Twitter user MaelSecurity, there was a Phishing-as-a-Service associated with Kuzuluy impersonating PayPal in late 2019. At the time of our research, the service is no longer available, but we found multiple variants of a Kuzuluy kit targeting PayPal customers from Germany, Austria, and Slovakia.
Figure 1: Phishing page from Kuzuluy (left) and the legitimate PayPal login page (right).
Figure 1. shows the phishing page (left) asking for PayPal credentials. Compared to the legitimate online presence (right), we can see the phishing page uses a similar look and style that can fool inattentive page visitors.
Figure 2: VMRay Analyzer – VTI matches of the phishing page.
Regardless of the similarity, the VMRay Platform successfully detects the phishing attempt of the Kuzuluy kit. The VTI matches reveal it recognizes the page pretending to be the legitimate PayPal login page based on heuristics (Figure 2). For example, the phishing page uses the same title and contains a logon form.
Figure 4: Content of the script CheckLoginAndSend.php.
The script named CheckLoginAndSend.php sends the credentials via email and additionally writes the data into a file on the server (Figure 4).
Like most kits, this one uses multiple stages in which it tries to protect itself against web bots and to ensure the visitor is a potential victim. After all of these checks are passed, it redirects to the phishing page as seen in Figure 1. By looking at the index page in the root folder, we can see that the page includes nine scripts that are responsible for blocking bots and common (analysis) tools. Each of these scripts works similarly. They compare some of the visitor’s properties like his IP address or user-agent string against a blocklist. On a match, the script stops the visitor from reaching the phishing page by sending a 404-page and redirecting to “hxxp:://2m[.]ma”.
Figure 5: Stage testing the remote host name (left) and the ISP (right) against a blocklist.
Figure 5. shows two examples of those tests. On the left, the kit resolves the host name of the client and sends a 404-page if it contains one of the strings from the block list “$f6650d6e”. Similar to the first test, the host name is compared again against another list that includes AV vendors (Figure 5 right). Next, the script utilizes the third-party service “hxxp://ipinfo.io” to test the client’s ISP. Note that the server is connecting to the service and not the client.
After passing all of the tests, Kuzuluy generates a random id and makes a local copy of the “art” directory to “/Reference/Ref-ID-<random id>”. Next, it redirects to the newly-created copy which leads us to the previously seen phishing page in Figure 1. The copy-behavior allows us to identify URLs referencing the phishing page of Kuzuluy.
A search for this string reveals the kit has been used in the wild since May. In addition, we found multiple archives that are labeled as “cracked” or “leaked” associated with Kuzuluy. Criminals sell their phishing kits online or provide a Phishing-as-a-Service that customers can use to start their own phishing campaign.
Depending on the kit, the customer can configure and customize it to his own needs. Typical examples are the language and delivery method of stolen credentials. More advanced kits provide features to automatically setup servers and distribute spam emails. Criminals enrich their kits with some kind of copy protection to protect their kits. A leaked or cracked version of the kit claims to be a version without those protections.
In this Malware Analysis Spotlight, we have taken a look at a Kuzuluy phishing kit used in the wild. We discussed how phishing kits can block certain (analysis) tools or ISPs, and presented indicators to detect phishing attempts from the kit.