In this report, we will provide an overview of a recent malware threat, its evolution, and new threat vectors associated with it. Additionally, we will discuss the refinement of Security Information and Event Management (SIEM) rules to detect this threat effectively. We will also list the Indicators of Compromise (IOCs) associated with the malware and suggest preventive measures for organizations. Finally, we will conclude with key takeaways.
The malware under consideration is EvilProxy, a reverse proxy-based phishing tool. EvilProxy has gained notoriety for its ability to conduct advanced phishing campaigns and efficiently target high-profile executives in prominent organizations. It combines Adversary-in-the-Middle (AitM) phishing techniques with sophisticated Account Takeover (ATO) methods to compromise accounts protected by multi-factor authentication (MFA) and session cookies.
Upgrade and New Threat Vector
EvilProxy has evolved with time and now poses an even greater threat. Some of the key updates and new threat vectors include:
- MFA Phishing-as-a-Service (PhaaS): Threat actors now have access to MFA PhaaS using open-source kits, making it easier for less skilled actors to conduct phishing attacks against platforms like Gmail, Microsoft, and Twitter.
- Customizable Phishing Interfaces: Phishing interfaces like EvilProxy offer customizable features such as proxy identification and geofencing, enabling more sophisticated attacks.
- Targeted Microsoft 365 Attacks: An ongoing campaign using EvilProxy specifically targets Microsoft 365 user accounts. Attackers send phishing emails impersonating trusted services, making it harder to detect.
- Changes in Attack Flow by Geolocation: Researchers have observed that the attack flow may change based on the geographical location of user traffic. Specific geographical locations, such as Turkish IP addresses, may be redirected to legitimate websites to evade detection.
SIEM Rules Refinement
To effectively detect and respond to the EvilProxy threat, organizations should consider refining their SIEM rules. Key refinements may include:
- Behavioural Anomalies: Create rules that detect unusual login behaviour, such as multiple failed login attempts followed by a successful login from a new location.
- Traffic Redirection: Monitor for signs of traffic redirection, especially when users are directed through open, legitimate redirectors like youtube.com.
- Phishing Email Analysis: Develop rules to analyse incoming emails for phishing indicators, including sender impersonation and malicious links.
- Geolocation-Based Rules: Implement geolocation-based rules to detect deviations in attack flows based on the source of user traffic.
Indicators of Compromise (IOCs)
To assist organizations in identifying potential EvilProxy activity, the following IOCs have been associated with the malware:
- IP Addresses:
These IOCs can be valuable in threat detection and mitigation efforts.
To protect against EvilProxy and similar threats, organizations should consider implementing the following preventive measures:
- Employee Training: Conduct regular phishing awareness training for employees to help them recognize and report phishing attempts.
- MFA Best Practices: Encourage the use of strong MFA methods and educate users on the importance of safeguarding MFA tokens.
- Email Filtering: Employ advanced email filtering solutions to detect and block phishing emails before they reach users' inboxes.
- SIEM and Threat Detection: Invest in advanced SIEM solutions and regularly update SIEM rules to detect evolving threats like EvilProxy.
- Patch Management: Keep systems and software up to date to minimize vulnerabilities that threat actors may exploit.
- Incident Response Plan: Develop a robust incident response plan to quickly address and mitigate potential security incidents.
- Monitor Geolocation-Based Traffic: Pay special attention to traffic originating from locations known for malicious activity and consider applying additional security controls.
EvilProxy represents a significant and evolving threat in the realm of phishing and account takeover attacks. As threat actors continue to refine their techniques and exploit multi-factor authentication, organizations must remain vigilant. Effective preventive measures, refined SIEM rules, and ongoing user training are essential components of a comprehensive defence against this and similar threats. By understanding the evolving landscape of cyber threats, organizations can better protect their critical assets and data.