💰Systematic Destruction (Hacking the Scammers pt. 2)
Taking on the "Smishing Triad"
This is a continuation of my first post (Hacking the Scammers) and if you have not read that then I highly suggest doing so before hand.
In this post we will be covering:
Attribution of the group behind all these annoying USPS scam texts
Reversing techniques for obfuscated PHP
Custom password cracking
Backdoored smishing kits
and more...
If your looking for just IOCs and data dumps you can skip to the end. The read is worth it though so please consider sticking around :)
Looking back on just last week I never thought this is where we would be, and we are not even done. This investigation is just going deeper and deeper and I have been getting more and more information from hacking these scammers, but also from you. I can't do this alone and I need people like you to help me on this. It's as simple as copy and pasting the URL you received in that scam text message into My Site (now down since this particular campaign is over).
Now where did we leave off last week? Ah, I remember. We had just gotten access into the scammers MySQL database through SQL injection and had been able to grab files with the Local File Inclusion vulnerability. Awesome stuff right?
Well, yes it is. But this was just in one site. As it turns out this is a kit being sold. That telegram chat linked in one of the dumps I posted last week is the creator of this kit. Turns out that he is linked in each database by default.
After chatting with this individual I was able to gain some insight into who they are and what this kit is.
The creator is a current computer science student in China who is using the skills he's learning to make a pretty penny on the side. How much does this kit cost you may ask if hes making such a shiny and pretty penny? Well, it is 200 USDC (US Dollar Coin) a month, so $200 USD.
Personally I think that this is a little expensive for some cloned pages and a site shoddily developed in PHP.
Speaking of the development behind this why don't we take a look at the kit itself. Shoot, I don't have $200 to spend to get it. This was were I was going to give up but as I was googling around I found another article mentioning this Wangduoyu character.
This blog is from a wonderful company RESecurity. They have two blog posts up on their site about the "Smishing Triad" and cover more about this group than I will in this blog. They had also used SQL injection in order to get access to the admin and victim data.
Now, Wang (WDY) saw this blog post from RESecurity it seems like and had since upgraded to encrypting almost all data in the database. This was a good move on his part and almost stopped me. That was until I reached out to RESecurity and got the kit they had purchased as part of their research. Luckily for me they had the most up-to-date kit with all the same encryption and hashing being used. Unfortunately it would be a little harder than expected to reverse engineer what encryption was being used as it was almost impossible to do any static reversing on this obfuscated PHP that was running on the sites. I mean look at this junk:
But having this full kit that I could setup and run allowed me to go through and try to figure out dynamically what was happening.
First I tried adding to the pages to print certain variables. This actually broke stuff because the obfuscation is using introspection at some points making it so that adding anything to the files would just break stuff. Now my buddy Chris had been interested in what I was doing after reading my last blog post and I mentioned this issue to him. He then suggested I try using eval hooking to deobfuscate what is being executed. I had never heard of it before but it sounded promising.
After messing around a bit I found this repo that actually worked really well. Now whenever eval was executed I could see what was being executed and also manipulate it. This allowed me to get global variables at certain points throughout and also see how they were being used. My first discovery was how the usernames were being encrypted for storage in the database.
As you can see from my comments on three of the lines I was able to grab the values being set in those spots. As you might have already guessed from looking at the photo, the usernames are encrypted with AES-128-CBC using key wdy666666
and IV aes128wangduoyu8.
Amazing, we now can read the usernames for the admin users! Using a simple PHP script I wrote up we can take a look.
Up next I of course wanted to get the password hashing method using. Looking at the data admin tables the password seems to be MD5, and it is, but it is salted and also triple hashed. Strange, but I mean it wont work in hashcat by default.
From dynamically reversing using the hooked eval function I was able to get figure out how this worked.
Here are the steps for how passwords are stored:
Takes user input in and adds
wangduoyu666!.+-
to end of inputMD5 hashes the string three times
Leave it up to a scamming kit creator to be a little narcissistic.
Now with this knowledge I could crack passwords, not with hashcat or john though, I would need to create a custom cracking tool, and I did just that. This simple go script goes through and uses a wordlist to try to crack the hashes, it also uses some static rules to help get more out of it. I used this, in combo with the Kaonashi wordlist to crack over 70 of the hashes used in the admin tables.
Now, armed with some of these usernames and passwords I could login to one of the sites exposed admin panels, simply located at /admin
. Even scammers can't follow directions it seems as in the setup instructions it says to change the endpoint to something else and/or use IP whitelisting.
Now this panel is simple, just a enter a username, password, and answer a captcha and we are in.
Once logged in we are presented with a pleasant looking dashboard displaying their stats.
Theres a few other tabs around the site and so I wandered over to them to see what was up there.
One was simply settings/config, the other was the admin users management, and the last was the victim data. Now, the victim data did not have all the data collected in it and some groups seem to be exporting the data off and deleting it from the dashboard, which is a good idea because the dashboard is backdoored by the creator, which I will get to later.
Now, from this dashboard we can see the domains they are using and all the victim data still present in the SQL database. Unfortunately I can only get access to this fancy dashboard in misconfigured kits. If only there was a way to grab this data from exposed endpoints that. Oh wait. There is. While I won't post which endpoints are exposed and how you can gather this data from them I will say that I was able to dump over 22,000 unique victim records, as well as the configuration for the panels, and the domains being used all through using this API of sorts.
I ended up creating a script to login using cracked passwords to each site the passwords worked on and then dump the data for me to CSV files because there was so much.
All these victim records have been passed onto Troy Hunt and should be entered into HaveIBeenPwned in the coming weeks. Here is all the data collected on victims:
Quite a lot of personal info there, enough for scammers to use your card anywhere, even PayPal.
Now with the basics of what is happening covered I wanted to go over some things I discovered while exploiting and reversing this kit.
Backdoored Kits
You can never trust a scammer ever and even these scammers are getting scammed it seems. The creator of the kit highly obfuscated these files so people couldn't steal his kit but also to hide the fact that whenever a admin user logs in it send their info (token, user type, etc.) to his private server (which is hard coded to the kits). This allows him to just login as those people whenever he pleases and he probably doesn't use this for maintenance. It seems as if he is double dipping, getting paid to make the kit as well as getting to take other scammers collected card info.
I originally noticed this IP when I was trying to activate the kit I had setup and it was sending a similar request to the same server but to the activate.php endpoint. I then saw it again when deobfuscating the login.php file and noticed it sending back that data.
User Agent Recognition
This is pretty simple but some of the sites would check user agents to confirm that the visitor was an iOS device. To bypass this it was as simple as adding a match and replace option in Burp Suite but it did cause my tools a bit of a hassle at first before I realized what I was missing.
Managing their Servers
The scammers obviously need a proper interface to manager their sites. I mean SSH just wont do it for them, or they just don't know how to use it (and judging from their passwords most of them don't work in IT).
The scammers are pointed to use a program called BT-Panel to setup their servers. It allows them to manage their MySQL database, their website, and more. It runs on port 8888 and most servers I saw had this port open but it does use a random 6 character string as its login page so you would have to brute force find that for each site and then have the username and password to get in.
Copy Cat Campaign
While researching some of the URLs that were sent in I found that there was a minority that seemed exactly like the current "Smishing Triad" USPS campaign but their requests and backend seem to be a lot different. It even seems as though someone copied all the front end aspects of the kit and then recreated the backend because they didn't want to pay the monthly fee.
These copy cat sites didn't have many glaring issues and I was already focused on the Smishing Triad campaign so didn't dig in too much but they do load a config file that contains telegram chat IDs if they configured it. Heres one for usps.authpostbase.com:
The WDY C2 Server
Wang seems to be using this server to control all activations and also monitor/access peoples panels. Because the IP is hardcoded if this IP was taken down it was cause a bit of a hassle to the group but he could always change it and push out an updated kit to the subscribers. It would have a treasure trove of information though and would also have access to each other panel out there.
The IP is also registered to a domain that is obviously his: wangduofish.com
Here are the endpoints I was able to find for his site:
Service URLs
Each site would communicate all data back to another domain, usually on the same server, which was named the Service URL. This was where all the PHP endpoints were as well as all admin panel related endpoints, and even the dashboard itself.
Here are the URLs I collected and which service URLs each points to.
Gathering Data
Gathering data was an interesting part in all this, and still continues to be. While I did get a lot of great data from the report.smithsecurity.biz website, I got most URLs from Reddit and people posting screenshots of their texts in r/scam and r/usps. Searching through for things like "USPS text" and sorting by newest gave me tons of great information. Though most of the domains posted led back to some of the big few service URLs so not too much new data there.
Default Passwords
It seems even criminals have problems with this (we're all human I guess). The default creds for the admin panel are 'admin' and '123456'. First of all this is super dumb to have default creds, second of all could you pick a worse password?, lastly each scammer had at least one admin for the most part set it to something like '123123' or '123321'. What are these passwords people?
Up Next
From here we are going to gather more data and myself, along with some other volunteers, will be sifting through looking for patterns, attribution, and more.
Along with this I will be sending in a report to the US Postal Inspector with all the details here and more so they can have a chat with some of these scammers in the near future.
Data Dumps
Data on each of the service URLs (total victims, domains used, admin user details)
All data dumped with the SQL injection (admin tables, configs, etc.)
Last updated