In this Malware Analysis Spotlight, we are investigating a variant of the phishing kit created by Xbalti. Originally, there were two phishing kits developed by Xbalti. The first one is targeting Chase Bank customers, while the other one, which is the topic of this spotlight is targeting Japanese Amazon customers. The variant that we are looking at seems to have been created by Chinese speakers judging by the comments found in the server-side files (Figure 1 right). The intended victims are Japanese speakers who are using the Japanese version of Amazon. Both PC and mobile users are at risk.
The initial phishing page sent to the victim is intended to collect the email address associated with an Amazon account (Figure 1 left). After submitting it, the victim gets redirected to the next stage, which is collecting the password for the account. The Xbalti phishing kit and this variant don’t stop there. After collecting the credentials a new stage is presented, which looks like a floating box on top of the original Amazon homepage. It is responsible for collecting the billing information associated with the victim. It collects the name, address (including the prefecture, city, and zip code), phone number, and birthday. Only when the form is filled is the victim allowed to move to the next stage. Then, the attacker collects the victim’s credit card information. If the credit card is Visa, JCB, or MasterCard the phishing kit is also able to collect information associated with the 3D Secure protocol. Otherwise, the victim is directly redirected to a form, which expects the credentials related to the email associated with the account.
VMRay Analyzer is able to detect Xbalti-based phishing attempts via multiple indicators, which determine that the page pretends to belong to Amazon. Just the initial stage is enough for a malicious verdict. Additionally, with YARA we are able to detect different stages of the attack and attribute them to an Xbalti-based phishing kit (Figure 2).
Figure 2: VMRay Threat Identifiers – Heuristic rules and YARA detecting the phishing attempt.
Figure 3: VMRay Behavior Tree – investigate each request-response pairs.
Phishing Kit Structure
The phishing kit is divided into PC and mobile versions. We can also see that the core is built around the Xbalti kit (Figure 4). This variant phishing kit, as opposed to the original, doesn’t have an admin panel nor the ability to dynamically change the path from where the pages are served, which might’ve made the detection harder for certain services.
Figure 4: The structure of the analyzed phishing kit.
Collecting Initial Login Credentials
The phishing kit is fairly simple. When a client connects to the server, the server always checks if it’s an automated bot. The logic is simple and is based on a list of blocked hostnames and banned IP address ranges. If a match is detected the server redirects to the actual amazon page (Figure 5). It appears that the modified kit still uses amazon.com as the final destination, although the phishing target is amazon.co.jp.
Figure 5: Snippets of the antibots.php file responsible for detecting blocked IPs and hostnames.
This variant of the Xbalti phishing kit can handle both – a desktop version of the Amazon webpage and also a mobile version. The logic to determine which pages to serve is based on the user agent string. If it contains any of the keywords listed in the source code as mobile agents, it redirects the victim to the mobile version. Otherwise, it proceeds to the desktop version. In this spotlight, we’ll be focusing on the latter.
When a form with a filled email address is submitted, the victim is redirected to a sign-in page (signin.php?login), which collects the password (Figure 7). After a subsequent submission, the next stage of stealing the billing information is presented.
Figure 7: Second stage of the phishing attack prompting for a password.
Collecting Billing Information
After a “successful” login, the phishing kit presents the victim with the Amazon homepage and something like a floating form on top that prevents any interaction with the website (Figure 8 left). This and any of the subsequent stages always use a base code implemented in /pc/view/flow.php, which then uses the PHP expression include to include the actual form depending on the current stage. For example, the billing form is implemented in /pc/view/cindex.php (Figure 8 right).
Figure 8: The third stage of the phishing attack – billing information (left) and initial PHP script responsible for serving the billing page (right).
Collecting Credit Card Information
The form responsible for credit card information is expecting the credit card holder, the credit card number, the expiration date, and the security code (CVV) (Figure 9). The phishing kit then uses the binlist service to collect the card’s metadata, but only extracts the scheme and the bank name. The scheme is used to decide if 3D Secure passwords should also be collected.
Figure 9: The fourth stage of the attack – credit card information (left) and code responsible for looking up the CC metadata (right).
As we’ve seen in this Malware Analysis Spotlight a phishing kit can be easily repurposed with minimal effort to target another group of victims. Mapping the observed behavior to generic rules the way VMRay’s VTIs do it, allows us to detect such attempts and provide a malicious verdict even if the phishing kit was modified. Additionally, using VMRay Analyzer we can observe that the phishing page and its resources are accessed from URL paths that directly correspond to the phishing kit structure. It’s a potential way to detect further attempts of this variant of the Xbalti phishing kit.
Xbalti Phishing Kit Variant
URLs & Paths
hxxps://amazom[.]ideainternational[.]cn/pc/ /pc/homepage/?update_billing /pc/homepage/Card.php?Update_Your_Card /pc/js/sire.form.js