EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

Published on Aug 13, 2024

Introduction

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown GoPhish infrastructure.

Open-source phishing kits continue to lower the barrier to entry for threat actors to launch campaigns using domains that mimic well-known organizations.

This blog post dives into some of EvilGophish's evasion tactics and demonstrates how identifying administrative panels can assist defenders and researchers in preemptively exposing this infrastructure before weaponization.

The Anatomy of EvilGophish Infrastructure

https://app.hunt.io/images/blogs/evilGophish/figure_1.webp
Figure 1: EvilGophish attacker infrastructure from project README (Source: GitHub)

EvilGophish, authored by fin3ss3g0d and written in Go, integrates Evilginx3, a man-in-the-middle (reverse-proxy) phishing framework, with GoPhish, an open-source phishing platform. GoPhish handles email distribution and the campaign statistics dashboard, while Evilginx3 hosts the phishing landing pages and proxies the victim's session to the real site, capturing credentials and session tokens along the way.

Together, these components let operators send email and SMS lures and track campaign results from a browser.

While installation and setup details are beyond the scope of this post, we'll instead focus on the unique traits that make this open-source tool challenging to detect for some defenders.

Cloudflare Turnstile

Cloudflare Turnstile is a free CAPTCHA-style service that protects websites from bots by challenging visitors. It is easy to integrate, which for a phishing operator means both a barrier against automated analysis and a veneer of legitimacy for potential victims.

Although not exclusive to EvilGophish, various phishing actors have adopted Turnstile to keep their malicious infrastructure alive longer and to defeat online scanners, which cannot solve the challenge and so never reach the credential-harvesting page behind it. The verification pages are easily modified, which further assists in social engineering.

Below is an example Turnstile web page.

https://app.hunt.io/images/blogs/evilGophish/figure_2.webp
Figure 2: Example Cloudflare Turnstile page

The repository includes an example Cloudflare Turnstile HTML template to get users started. While many operators will customize this template, some deploy the default as-is.

We'll leave the detection of these pages as an exercise for the reader, but it's worth noting that the template below is still in active use and still shows up in public scan results.

Figure 3 below shows the Turnstile template from GitHub.

https://app.hunt.io/images/blogs/evilGophish/figure_3.webp
Figure 3: Turnstile HTML template (Source: EvilGophish)

Like redirector tools RedGuard and RedWarden, EvilGophish enables operators to set up redirect rules that enhance defense evasion.

These rules ensure requests failing the allowlist check or meeting specific criteria are redirected to a legitimate page rather than the intended phishing site.

While RedGuard and RedWarden can be detected by their unique HTTP response headers, the next section concentrates on identifying EvilGophish servers through their admin login pages.

Detection Opportunities: How We Identify EvilGophish

Before we examine the login pages, it's noteworthy that GoPhish usage significantly outpaces EvilGophish's.

https://app.hunt.io/images/blogs/evilGophish/figure_4.webp
Figure 4: Hunt Active C2 Servers page showing GoPhish & EvilGophish servers (Try it here).

EvilGophish reuses the GoPhish web GUI, served over its own HTTP admin server, to display campaign results to operators.

A sample login page is depicted below.

https://app.hunt.io/images/blogs/evilGophish/figure_5.webp
Figure 5: Screenshot of an EvilGophish login page.

These publicly reachable pages let our researchers write signatures for new EvilGophish instances as soon as they are stood up. When building detection rules for HTML pages, favor text that not only stands out but would break the page if the operator removed it; branding and titles are easy to strip, while form actions and input field names are not.

In addition to fingerprinting specific HTML text, Hunt also looks for URL elements such as /login?next=, the path an unauthenticated request to the admin server is redirected to. Combining the two indicators gives our users reliable, up-to-date results.
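The two detection ideas on this page, a Turnstile gate standing in front of a landing page and the GoPhish-style admin login reached via /login?next=, as one Python triage script. This is an added example, not code from Hunt.io or the EvilGophish project. The Turnstile loader URL and the cf-turnstile widget class are Cloudflare's documented integration points; the login-form action and field names are assumed from the stock GoPhish login template, and the 200-character visible-text threshold is an arbitrary cut-off, so refresh both against live samples before relying on them. All HTTP responses below are constructed inline, not captured from any real server.

```python
"""Triage helpers: Turnstile gate detection and GoPhish-family admin login
fingerprinting.  Added example; marker lists are assumptions to refresh."""
import re
from dataclasses import dataclass, field
from html import unescape


@dataclass
class HttpResponse:
    """Minimal view of a fetched page; built by hand here, filled from a
    scanner or proxy log in practice."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


# --- Turnstile gate ------------------------------------------------------
# Cloudflare's real integration points: the loader script and the widget div.
# A legitimate site embeds these inside a full page; a phishing gate serves
# little else, so we measure how much visible text surrounds the widget.
TURNSTILE_LOADER = re.compile(r"challenges\.cloudflare\.com/turnstile/v0/api\.js", re.I)
TURNSTILE_WIDGET = re.compile(r'class="[^"]*\bcf-turnstile\b', re.I)
TAG = re.compile(r"<script\b.*?</script>|<style\b.*?</style>|<[^>]+>", re.I | re.S)
GATE_MAX_VISIBLE_CHARS = 200  # assumption: gate pages carry almost no copy


def visible_text(html):
    """Crude text extraction: drop script/style blocks and tags, collapse whitespace."""
    return " ".join(unescape(TAG.sub(" ", html)).split())


def is_turnstile_gate(resp):
    """True when the page is essentially nothing but a Turnstile challenge."""
    if resp.status != 200:
        return False
    if not (TURNSTILE_LOADER.search(resp.body) and TURNSTILE_WIDGET.search(resp.body)):
        return False
    return len(visible_text(resp.body)) <= GATE_MAX_VISIBLE_CHARS


# --- GoPhish-family admin login -----------------------------------------
# Structural markers: removing any of them breaks the login form, so an
# operator cannot strip them the way they strip a title or a logo.
# Assumed from the stock GoPhish login template; confirm on a live instance.
STRUCTURAL_MARKERS = {
    "form_posts_to_login": re.compile(r'<form\b[^>]*\baction="/login"', re.I),
    "csrf_field": re.compile(r'\bname="csrf_token"', re.I),
    "username_field": re.compile(r'\bname="username"', re.I),
    "password_field": re.compile(r'\bname="password"', re.I),
}


def is_login_redirect(resp):
    """Unauthenticated request to the admin root answered with the /login?next=
    redirect cited above as a URL indicator."""
    return resp.status in (301, 302, 303, 307, 308) and "/login?next=" in resp.header("Location")


def login_page_hits(resp):
    """Names of structural markers present in a 200 response."""
    if resp.status != 200:
        return []
    return [name for name, rx in STRUCTURAL_MARKERS.items() if rx.search(resp.body)]


def classify_admin(root_resp, login_resp):
    """Combine the URL indicator with the HTML indicator.
    Returns 'gophish-family', 'probable' or 'no-match'."""
    hits = login_page_hits(login_resp)
    structural = len(hits) == len(STRUCTURAL_MARKERS)
    if structural and is_login_redirect(root_resp):
        return "gophish-family"
    if structural or (is_login_redirect(root_resp) and len(hits) >= 2):
        return "probable"
    return "no-match"


# --- Constructed samples (not captured from any real server) ------------
GATE_PAGE = HttpResponse(200, {"Content-Type": "text/html"}, body="""
<html><head><title>Just a moment...</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><form method="POST" action="/verify">
<div class="cf-turnstile" data-sitekey="0x0000000000000000000000AA"></div>
</form></body></html>""")

REAL_SITE_WITH_TURNSTILE = HttpResponse(200, {}, body="""
<html><head><script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script></head>
<body><h1>Customer portal</h1><p>""" + "Product news and support articles. " * 20 + """</p>
<form action="/signin"><input name="email"><div class="cf-turnstile" data-sitekey="x"></div></form>
</body></html>""")

ROOT_REDIRECT = HttpResponse(302, {"Location": "/login?next=%2F"})
STOCK_LOGIN = HttpResponse(200, {}, body="""
<html><head><title>Gophish - Login</title></head><body>
<form action="/login" method="POST">
<input type="hidden" name="csrf_token" value="deadbeef">
<input name="username"><input type="password" name="password"></form></body></html>""")
# Operator stripped the branding, but the form still has to post to /login.
REBRANDED_LOGIN = HttpResponse(200, {}, body=STOCK_LOGIN.body.replace("Gophish - Login", "Sign in"))
APACHE_DEFAULT = HttpResponse(200, {}, body="<html><title>Apache2 Ubuntu Default Page</title><body>It works!</body></html>")
```

The rebranded sample is the case the text warns about: the title is gone, but the form action and field names survive, so the structural rule still fires. Distinguishing the EvilGophish fork from plain GoPhish needs an extra marker taken from a live EvilGophish login page, which is deliberately not guessed here.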

Tools such as proxies, redirect rules, and Cloudflare Turnstile can hinder defenders and researchers from discovering the phishing pages intended to steal credentials.

However, detecting these admin panels is crucial for identifying the associated domains, giving us valuable insight into the threat actors' targets.

https://app.hunt.io/images/blogs/evilGophish/figure_6.webp
Figure 6: Metrics for EvilGophish servers in Hunt (Try it here)

The graphs above show the most common hosting providers (DigitalOcean leads by a large margin) along with hosting countries and cities. Let's look at some active domains we've encountered attempting to mimic reputable organizations.

A Closer Look at Some Interesting Domains

During our research we encountered several routinely spoofed brands, including Microsoft, chat applications, and digital-currency trading apps. The Network Observables section at the end of this post gives a non-exhaustive list of domains that caught our attention.

https://app.hunt.io/images/blogs/evilGophish/figure_7.webp
Figure 7: Screenshot of IPs and domains found linked to EvilGophish

During our analysis, one domain that caught our attention was it-avinc[.]com, previously unseen in other phishing campaigns. The similar domain avinc[.]com belongs to AeroVironment, Inc., a U.S. manufacturer of unmanned aircraft systems.

https://app.hunt.io/images/blogs/evilGophish/figure_8.webp
Figure 8: Suspicious domains associated with IP 143.198.224[.]30 (EvilGophish is detected on port 3333, the GoPhish admin server's default port)

Six domains resolve to the IP address 143.198.224[.]30, which is hosted on DigitalOcean:

  • validate.it-avinc[.]com
  • example.it-avinc[.]com
  • account.it-avinc[.]com
  • www[.]it-avinc[.]com
  • it-avinc[.]com
  • login.it-avinc[.]com

Our team has been monitoring this IP since it first came online, roughly two weeks before publication. Many of the associated domains currently display the Apache2 default splash page.

Notably, the domain validate.it-avinc[.]com initially redirected users to the legitimate AeroVironment website. However, this redirect is no longer active, and the page now merely returns the above splash page.

https://app.hunt.io/images/blogs/evilGophish/figure_9.webp
Figure 9: Urlscan screenshot of validate.it-avinc[.]com redirect (Source: urlscan)

This could well be a red team operation aimed at raising employee awareness. If it is a malicious actor, however, the choice to mimic a UAS manufacturer during heightened global tensions and increased demand for such systems is notable.

https://app.hunt.io/images/blogs/evilGophish/figure_10.webp
Figure 10: Legitimate AeroVironment site, avinc[.]com

We will continue to monitor this infrastructure and will update this post if we detect any indications of malicious activity.

Wrap-Up

Monitoring and analyzing the infrastructure and tactics of phishing campaigns using software like EvilGophish is essential for staying ahead of threat actors and red teams. Our continuous efforts in cyber threat hunting and brand protection enable us to provide fast, accurate, and reliable results.

Stay tuned for future updates as we uncover more insights and continue to improve the Hunt platform for our users.

Network Observables Snippet

IP Address          Domain(s)                              ASN           Notes
4.216.156[.]191     login.microsoft-o365-account[.]com     DigitalOcean  Microsoft Office 365 login spoof
178.128.196[.]190   fairdrop[.]app                         DigitalOcean  Mimics Solana blockchain airdrop site fairdrop[.]org
                    chattie[.]org                                        and chatbot app chatie
                    datafund[.]io
                    chattie[.]app
142.93.78[.]17      callcabinet[.]net                      DigitalOcean  Spoofs compliance call-recording company callcabinet[.]com
                    dev-divine.magecommerce.com[.]br
209.97.180[.]233    m365installation[.]com                 DigitalOcean  Microsoft Office 365 spoof
40.81.128[.]161     anacap[.]co                            Microsoft     Likely attempt to mimic private equity firm anacap[.]com
                    www1.anacap[.]co
                    login2.anacap[.]co
                    adfs.anacap[.]co