Introduction
Phishing has been known as one of the leading initial attack vectors for a long time. Here at VMRay we are continuously monitoring phishing activities in order to keep our users protected from new and existing phishing threats. In the past few months, we discovered several new phishing campaigns which we analyzed in depth in order to strengthen our detection capabilities against them. In this blog post we’d like to highlight the most recent trends we observed and provide more details about their inner workings and infrastructure. The phishing kits which we will cover are:
Phishing kit CarPhish
Phishing kit EDG
Phishing kit Tpass
Phishing kit Mamba2FA
Phishing Kit CarPhish
View the VMRay Analysis Report
Overview
CarPhish is a phishing campaign which VMRay researchers first observed during summer with its peak being in August. When a victim visits the URL linked to this phishing kit, they are initially greeted with a Cloudflare warning about a potential phishing site. This occurs because the creators of the phishing page are utilizing Cloudflare infrastructure, such as R2 buckets, for hosting. While this warning helps to protect users, it also hinders automated analysis of the page, preventing the extraction of valuable indicators by requiring user interaction. VMRay platform can proceed past this type of warning pages using our Adaptive Browser Simulation (also known as AutoUI) feature. Once the page has been dismissed, we are presented with a fake Microsoft’s OAuth 2 login form which is used to collect credentials from the victims:
Technical Details
Looking at the source of this fake login page, we can notice some obfuscated JavaScript code:
Figure 2: CarPhish’s main phishing logic One of the interesting points worth noting is the usage of “document.write()” function. This function can write content directly into the web page and is often used as a way to dynamically inject HTML or JavaScript. This obfuscation method does not hinder the analysis of the site on VMRay Platform as we are able to capture and analyze all the stages of the web page. Aside from the use of dynamic page rewriting, there are several other operations worth mentioning:
Decodes a Base64 encoded JSON document which contains AES decryption parameters as well as an encrypted payload.
Decrypts the AES payload which reveals the URL “hxxps://lumibytea[.]cbg.ru//”.
Afterwards a POST request is sent to “hxxps://lumibytea[.]cbg.ru//” with the following content:
CarPhish: First POST Request Content
This POST request content, as well as the response, can be downloaded from the VMRay’s analysis report:
The response from this request is a second stage payload which again goes through the same Base64 decoding and AES decryption process.
4. Once the second stage payload is decoded and decrypted, we can see the final HTML with over 200 references and strings related to cars. Those references introduce noise to further obfuscate the HTML payload. Moreover, depending on the  where the URL is browsed, those references can become visible instead of the logon form so that the website appears as a benign car enthusiast website to evade detections. This type of evasion does not get past VMRay’s Web Analysis which makes us provide a solid detection for this threat.
5. Finally if we decide to populate the fake Microsoft’s login form with some data, we can see that the data is being sent as a POST request to “hxxps://lumibytea[.]cbg.ru//2558.php”.
Based on the results from VirusTotal , the URL “hxxps://lumibytea[.]cbg.ru//” has only a few phishing detections even though it is used both to deliver a second stage HTML payload and for stolen data exfiltration. However, the VMRay Platform can still detect this communication and mark the CC server as an IOC:
Figure 5: VMRay Platform’s IOC tab showing detection of C2 servers of CarPhish In addition to the phishing detection, VMRay Threat Identifiers (VTIs) also highlight additional details about the phishing page:
Collection of our Yara rules which triggered on this page.
Masquerades as a legitimate Microsoft login form.
Web page and it’s resources are hosted on a known temporary web hosting service.
Figure 6: VMRay Platform’s triggered VTIs for CarPhish Phishing Kit EDG
Overview
EDG is a phishing kit which VMRay researchers discovered back in September and which was already briefly mentioned in our Detection Highlight article . In summary, this kit is crafted to mimic the login pages of email providers, tricking users into believing they are on an authentic site. The name EDG comes from the frequent appearance of pattern “EDG” in many of the URLs which were seen while investigating this phishing kit. Below is an example of a login page generated by EDG (with target information redacted):
Figure 7: EDG’s fake target login site Technical Details
Let’s explore the inner workings of this phishing kit and how it can be detected. We can start by looking at one of the initial URLs used in one of the EDG phishing campaigns:
One interesting thing about this URL is that it ends with a string which seems like it is Base64 encoded. The VMRay Platform automatically decodes and identifies this data through one of its VTIs, as demonstrated below:
Figure 8: VMRay Platform’s VTI triggering on obfuscated email from EDG
By supplying this URL to VMRay for analysis, there is an automatic redirect to the following URL:
An interesting thing to observe about this new URL is the “info”  parameter which holds the decoded email address from the previous stage. Once the page behind this new URL is fully loaded in the browser, we can see that the decoded email address is actually used to prefill the login form and load a logo of the email provider:
Figure 9: Fake target login site from EDG
To fully confirm these findings, we submitted the same URL but with a Gmail email address. The result is similar but this time with the correct branding image from Google’s mail service:
Figure 10: Fake Gmail login site from EDG
In the next stage, we can look at the source of the final phishing page. There are four main sections:
Figure 11: EDG’s initial page source
This part is JavaScript code which parses the parameters from the current URL and extracts the value from the “info”  parameter which is then assigned to the variable “go” . Besides that it defines two variables “policy”  and “priv”  whose usage will be explained a bit later in this blog post:
Figure 12: EDG’s Policy and Priv values
Set the title of the page to “Expired Session”  which is a common tactic in phishing attempts to make users believe their session has expired and that they need to log in again.
Contains a reference to an external script which could contain additional logic.
Contains an iframe  element which src  attribute is set to # . This is likely used as a placeholder and will be set at a later stage, probably with the use of the external JavaScript script mentioned in point 3.
As mentioned, the next step in analyzing this phishing kit is by looking at the external script index.js for additional logic. Since that script is rather large, following is the explanation of its most important parts:
The function GEInfo(emailAddress)  is called with the email address supplied from the “info”  parameter from the URL. This function queries the endpoint mentioned in “policy”  variable and obtains several information like the favicon, login page and container frame:
Figure 13: Obtain information about the target email provider
The data obtained from the GEInfo() function is then used to pre-fill the username and favicon on the login form as well as the “src”  attribute in the iframe .
If the user populates the password field and clicks the submit button, the function psignal(apiname, apikey)  is called with typed email and password supplied as arguments. This function sends the data to the URL defined in “priv”  via a POST request. Just like with the CarPhish phishing kit, this POST request gets processed by the VMRay Platform to extract the IOCs.
Figure 14: Extraction of stolen data in EDG
Like CarPhish phishing kit, the EDG phishing kit uses the same hosting provider to host its pages. The most notable VTIs which trigger and detect this phishing kit are as follows:
Collection of our Yara rules which triggered on EDG.
The logon page is hosted on a service known for providing temporary hosting solutions.
The initial page is hosted on a domain which was recently registered.
There is an obfuscated email address embedded in the URL.
There is a logon form detected on the page.
Figure 15: VMRay Platform’s triggered VTIs for EDG Phishing Kit TPass
Overview
TPass is a phishing kit which VMRay researchers first noticed in August and which is still active at the time of writing this blog post. By searching for a specific code artifact contained in the payload HTML file, we can findÂ
Figure 16: TPass samples on VirusTotal
Figure 17: TPass’s login site
The first suspicious indicator about this sample is that it’s hosted on IPFS  which is a decentralized file storage system. This is already an extremely suspicious indicator since IPFS is not commonly used for hosting login pages. However, this is highlighted in the analysis report by one of our VTIs:
Figure 18: VMRay Platform’s VTI which detects login pages being hosted on IPFS Another detail worth mentioning is the Norton image which is used to deceive the user into thinking that it is legit and secured login site.
Technical Details
Looking at the source of the page, we can see an interesting JavaScript snippet at the bottom of the page:
Figure 19: Event listener on enter-key release in TPass The purpose of this snippet is to register an event listener on the password entry to trigger when the Enter  key (code 13) is released. Once this happens, the button labeled “goNow”  is clicked which in turn executes its “onClick ” event listener “goNow() “. By looking at this function, we see that it extracts the given email and password and sends them to “hxxps://dimensiondata[.]lk/wp-content/zop/x3.php”:
Figure 20: Data extraction function in TPass Phishing Kit Mamba2FA
View the VMRay Analysis Report
Overview
Mamba2FA is a fairly new phishing kit which we first noticed in late September. It’s a sophisticated phishing kit, with its core logic contained within a large, obfuscated JavaScript file. It stands out for offering various themes, some of which require user interaction to access the final phishing page. There have already been several blog posts  about the inner working of this phishing kit so we will use this opportunity to go through its variety of themes and check how VMRay Platform performs against them.
Technical Details
As mentioned in the previous section, Mamba2FA comes in several version which are being controlled by a specific parameter in the URL. Each Mamba2FA phishing site comes in the form of:
where the base64 parameters, once decoded, are of the form:
sv=<appearance control>&rand=<Base64 encoded random string>&uid=<probably a User ID of a customer>
By modifying the “sv” parameter, we can choose among several different themes for the phishing page.
Voice Mail Theme
By setting “sv” to “o365_<number>_voice”, a fake voicemail overlay is presented on the web page. Once any of the buttons are clicked, the overlay disappears and shows a fake Microsoft login site. The analysis of this variant is fully automated by our AutoUI feature which dismisses the voicemail overlay and reveals the logon form for further processing by our platform, resulting in a phishing detection:
Figure 21: Voicemail overlay in Mamba2FA
Figure 22: Voicemail login in Mamba2FA
Figure 23: VMRay Platform’s VTI triggers for Mamba2FA
OneDrive Theme
This theme of Mamba2FA gets activated if the “sv” parameter is equal to “o365_<number>_one”. The page masquerades a Microsoft login form using a OneDrive background image. In that way it is trying to trick the victim to enter their credentials to make the actual files accessible:
Figure 24: OneDrive login for Mamba2FA
Figure 25: VMRay Platform’s triggered VTIs on OneDrive login theme of Mamba2FA
Generic Theme
This is the most straightforward theme of the Mamba2FA phishing kit as it just presents a regular Microsoft login page. It gets activated by setting the “sv” parameter to “o365_<number>_nom”:
Figure 26: Generic login page for Mamba2FA
Figure 26: Generic login page for Mamba2FA Figure 27: VMRay Platform’s triggered VTIs on generic login theme of Mamba2FA
Conclusion
This blog post showed how phishing campaigns are evolving at an alarming pace, with threat actors constantly refining their tactics to bypass defenses. The phishing campaigns which we covered highlight just how dynamic the threat landscape has become, as cybercriminals leverage increasingly sophisticated techniques to deceive users and evade automated analysis solutions. At VMRay, we are committed to staying ahead of these threats by continuously monitoring emerging phishing trends, enhancing our detection capabilities and empowering organizations with the knowledge and tools to stay secure.
IOCs
Phishing Kit CarPhish
 R2 Bucket URLs
Cloudflare Pages URLs
hxxps://pub-568536a8dbe34c2bbe3b82a2a36e353a[.]r2.dev/c3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwidmFsdWUiOiIxNzIxNzI1MjYyIn0sInhtc19jYyI6eyJ2YWx1ZXMiOlsiQ1AxIl19fSwiaWRfdG9rZW4iOnsibmJmIjp7ImVzc2.html hxxps://6525e753[.]reviewform.pages.dev
hxxps://pub-5aebb3ccaea14cdaacc52b1f567261d1[.]r2.dev/AEQ1trRt5FBHd0hADa5taQkI0EFcfz7Ti1PYTEvq6O4chIs2m6qI5Pj.html hxxps://gxextembarkgenintextauth[.]pages.dev
hxxps://pub-4ed99dbad1724716b54d21009d4482e4[.]r2.dev/OFF13244785676887437647647874876473768.html
hxxps://pub-57c7535374ce411aa693b02840e6a471[.]r2.dev/OFF13244785676887437647647874876473768.html
hxxps://pub-93289fa38d78496ca1d17cb19bea8286[.]r2.dev/index.html
hxxps://pub-c24f905141534dcdbacb70bc4553a313[.]r2.dev/index.html
hxxps://pub-53ef5106d03f4b84847710d6ceffefda[.]r2.dev/remit.html
hxxps://pub-46f31504ca124f32bb9cd636ef601bf7[.]r2.dev/File-doc.html
hxxps://pub-1eb92ef0cb4d466e9dcb77eb2e9b5ca1[.]r2.dev/index.html
hxxps://pub-4bd2c7cbdf3a4a209e64c0ebb42ae754[.]r2.dev/index2fa.html
hxxps://pub-b66dec0cc4eb4cfb824497aaa022db80[.]r2.dev/index.html
hxxps://pub-5dc6180bbda84df395cd2533429e3a0b[.]r2.dev/index.html
hxxps://pub-844646989c44435f804a1dd4de4e8927[.]r2.dev/index.html
Phishing Kit EDG
URLs
Extraction URLs
hxxps://cromecaat[.]com/@@/edg/assets/js/index.js
hxxps://knfashionshoes[.]shop/stoo22/edg/assets/php/policy.php
hxxps://knfashionshoes[.]shop/stoo22/edg/assets/php/priv.php
Phishing Kit TPass
URLs
Extraction URLs
hxxps://ipfs[.]io/ipfs/Qmc9W4RZThp2AB9PHnxkv15MjUGf8AHTfg1LubwKV9ipmw
hxxps://dimensiondata[.]lk/wp-content/zop/x3.php
