Spooky Scammers (Back for the holidays)
A new USPS SMS phishing kit is on the block
During the previous year's holiday season, we saw a dramatic increase in SMS phishing (smishing), specifically targeting the United States Postal Service (USPS). This holiday season seems to be no different, but this time from a different group using a whole new phishing kit.
The previous year's scammers, the Smishing Triad, sold and used a kit (poorly) written in PHP. This year's group, name yet unknown to myself, is using a brand-new kit written in JavaScript and TypeScript. It seems to be better written as well, with fewer obviously critical flaws at least.
Just like with the previous USPS phishing campaign, I dove in and started looking for vulnerabilities in this kit. I started off by looking at the traffic going to and from the web application.
As you can see from the photo above, the traffic is rather garbled: it is definitely encrypted or encoded in some way to make it harder for anyone digging into the kit.
This encoding or encryption was obviously happening on the client side, since the browser has to protect the victim's data before sending it to the server and also make sense of the responses, so I dug into the JavaScript (JS) available. The JS was gross though, highly obfuscated just like the Smishing Triad did with their PHP. This time though, there was a much easier way to deobfuscate this code.
The JS code had been obfuscated using an open-source tool called javascript-obfuscator, available at obfuscator.io. Luckily for us though, ben-sb has already created a deobfuscator specifically for obfuscator[.]io.
Passing the whole JS files from the phishing web application to the deobfuscation script proved to be an issue though. Some of them were just too large, and I had to switch to a machine with more RAM and raise the memory the process was allowed to use in order to deobfuscate these larger scripts.
Once I had these deobfuscated versions, it was much clearer what was happening, though still not perfect.
From reading through, I was able to find the encryption being used for the HTTP traffic: the kit was using a stream cipher called Rabbit.
The kit uses the key magiaCat-request for the requests and magiaCat-response for the responses. After finding the keys, I could encrypt traffic to send to the server and decrypt incoming traffic, which gave me a much better view of what was going on. It still wasn't perfect though, because I did not have a reliable method of decrypting some of the websocket traffic.
While testing different requests I had seen being sent, I found one that was particularly interesting. This one, when sent, returned a sort of config with a list of all the domains being used by the kit. This is obviously very useful to any threat intelligence researcher, so please feel free to reach out to me over at my PhantomSec.Tools email and I can pass along the request to send to get this, if you haven't found it already yourself.
Something I also found interesting is that the submitted data is stored in the browser's local storage, encrypted with Rabbit but with the key __my_store_key_darcula_is_666.
Another item of note from my read-through of the deobfuscated JS is that the web application sends POST requests to randomized API endpoints (e.g. /api/MC4wODg5ODQxOTAxNzg0ODM2OQ==), but the base64-encoded value at the end (a randomly generated number) does not matter. All that matters is the content of the message, which is encrypted with the Rabbit encryption I mentioned earlier.
With regards to attribution, this campaign is definitely similar to the Smishing Triad's. The use of a large number of domains, heavily using the .top TLD, and the fact that it was written by a Chinese-language speaker (based on verbose error messages placed throughout) suggest that it is most likely from China again.
I have published the JS source code, both obfuscated and deobfuscated, on my GitHub here.
I'll keep digging into this kit as much as I have time for but, having recently founded a company, that time is limited. I hope this initial research, and the finding of which request to send to get the rest of the domains, will be used by the threat intelligence community to help take down these kits as fast as they pop up.
Thanks for reading!