EvilGophish Unhooked: Insights Into the Infrastructure and Notable Domains

Introduction

In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.

Open-source phishing kits continue to lower the barrier to entry for threat actors to launch campaigns using domains that mimic well-known organizations.

This blog post dives into some of EvilGophish's evasion tactics and demonstrates how identifying administrative panels can assist defenders and researchers in preemptively exposing this infrastructure before weaponization.

The Anatomy of EvilGophish Infrastructure

EvilGophish, authored by fin3ss3g0d and written in Go, integrates Evilginx3, a man-in-the-middle attack framework, with GoPhish, an open-source phishing platform. GoPhish handles email distribution, while Evilginx3 offers a campaign statistics dashboard and hosts phishing landing pages.

All of the above features allow users to send emails and SMS and track information during campaigns from a browser.

While installation and setup details are beyond the scope of this post, we'll instead focus on the unique traits that make this open-source tool challenging to detect for some defenders.

CloudFlare Turnstile

CloudFlare Turnstile is a free CAPTCHA service designed to safeguard websites from bots through verification. Its ease of website integration bolsters security and enhances potential victims' perceived legitimacy.

Although not exclusive to EvilGophish, various phishing actors have adopted Turnstile to prolong the exposure of their malicious infrastructure and defeat online scanners. The verification pages are easily modified, which further assists in social engineering.

Below is an example Turnstile web page.

The repository includes an example CloudFlare Turnstile HTML template for users to get started. While many will customize these templates, some may use the defaults.

We’ll leave the detection of these pages as an exercise to the reader, but it’s worth noting that the template below is still actively used and scanned.

Figure 3 below shows the Turnstile template from GitHub.

Like redirector tools RedGuard and RedWarden, EvilGophish enables operators to set up redirect rules that enhance defense evasion.

These rules ensure requests failing the allowlist check or meeting specific criteria are redirected to a legitimate page rather than the intended phishing site.

While RedGuard and RedWarden can be detected by their unique HTTP response headers, our next section will concentrate on identifying EvilGophish servers through the login pages.

Detection Opportunities: How We Identify EvilGophish

Before we examine the login pages, it's noteworthy that Gophish usage significantly outpaces EvilGophish's.

EvilGophish utilizes the GoPhish GUI built on an HTTP server to display campaign results to operators better.

A sample login page is depicted below.

These publicly accessible pages allow our researchers to create signatures for new instances of EvilGophish as soon as they are stood up. If you’re looking at detection rules for HTML pages, look for text that not only stands out but would result in breaking the webpage if a threat actor were to remove it.

In addition to fingerprinting specific HTML text for detection, Hunt also looks for URL elements such as /login?next=. Combining these two ensures we provide reliable, up-to-date information to our users.

Tools such as proxies, redirects, and CloudFlare Turnstile can hinder defenders and researchers from discovering phishing pages intended to steal credentials.

However, detecting these admin panels is crucial for identifying the associated domains, giving us valuable insight into the threat actors' targets.

The above graphs illustrate the most popular hosting companies, DigitalOcean being the most popular by a large margin, and hosting countries and cities. Let’s look at some active domains we’ve encountered attempting to mimic reputable organizations.

A Closer Look at Some Interesting Domains

We encountered several routinely spoofed companies, such as Microsoft, chat, and digital currency trading apps, during our research. The Network Observables section at the end of this post lists a non-exhaustive list of domains that caught our attention.

During our analysis, one domain that caught our attention was it-avinc[.]com, previously unseen in other phishing campaigns. We discovered a similar domain, avinc[.]com belongs to AeroVironment, Inc., a U.S. manufacturer of unmanned aircraft systems.

Six domains resolve to the IP address 143.198.224[.]30, which is hosted on DigitalOcean:

• validate.it-avinc[.]com
• example.it-avinc[.]com
• account.it-avinc[.]com
• www[.]it-avinc[.]com
• it-avinc[.]com
• login.it-avinc[.]com

Our team has been monitoring this IP since it was established approximately two weeks ago. Many of the associated domains currently display the Apache2 default splash page.

Notably, the domain validate.it-avinc[.]com initially redirected users to the legitimate AeroVironment website. However, this redirect is no longer active, and the page now merely returns the above splash page.

While this could likely be a red team operation aimed at raising employee awareness if it is a malicious actor, mimicking a UAS company during heightened global tensions and increased demand for such services is intriguing.

We will continue to monitor this infrastructure and will update this post if we detect any indications of malicious activity.

Wrap-Up

Monitoring and analyzing the infrastructure and tactics of phishing campaigns using software like EvilGophish is essential for staying ahead of threat actors and red teams. Our continuous efforts in threat hunting and brand protection enable us to provide fast, accurate, and reliable results.

Stay tuned for future updates as we uncover more insights and continue to improve the Hunt platform for our users.

Network Observables Snippet