In this Malware Analysis Spotlight, we investigate a variant of the phishing kit created by Xbalti. Originally, Xbalti developed two phishing kits: the first targets Chase Bank customers, while the second, the topic of this spotlight, targets Japanese Amazon customers. Judging by the comments found in the server-side files (Figure 1 right), the variant we are looking at was created by Chinese speakers. The intended victims are Japanese speakers using the Japanese version of Amazon; both PC and mobile users are at risk.
High-level Overview of the Phishing Attack
The initial phishing page shown to the victim collects the email address associated with an Amazon account (Figure 1 left). After submitting it, the victim is redirected to the next stage, which collects the account password. The Xbalti phishing kit and this variant don’t stop there. After collecting the credentials, a new stage is presented as a floating box on top of the original Amazon homepage; it collects the victim’s billing information: name, address (including prefecture, city, and zip code), phone number, and birthday. Only when the form is completely filled in is the victim allowed to move to the next stage, in which the attacker collects the victim’s credit card information. If the card is Visa, JCB, or MasterCard, the phishing kit also collects the information associated with the 3D Secure protocol. Otherwise, the victim is redirected directly to a form that expects the credentials for the email account associated with the Amazon account.
VMRay’s Phishing Detection
VMRay Analyzer detects Xbalti-based phishing attempts via multiple indicators that establish that the page impersonates Amazon. The initial stage alone is enough for a malicious verdict. Additionally, with YARA we can detect the different stages of the attack and attribute them to an Xbalti-based phishing kit (Figure 2).
The Xbalti phishing kit uses JavaScript to handle all forms and redirections. The JavaScript is fetched in a separate web request rather than embedded in the HTML page. In the Behavior tab of the analysis, we can find and download the corresponding response content for closer inspection (Figure 3).
A Closer Look at the Server Code
Phishing Kit Structure
The phishing kit is divided into PC and mobile versions, and its core is built around the Xbalti kit (Figure 4). Unlike the original, this variant has neither an admin panel nor the ability to dynamically change the path from which the pages are served; in the original, the latter could make detection harder for services that key on fixed URL paths.
Collecting Initial Login Credentials
The phishing kit is fairly simple. Whenever a client connects, the server first checks whether it is an automated bot. The check is based on a list of blocked hostnames and banned IP address ranges; if either matches, the server redirects the client to the real Amazon page (Figure 5). Notably, the modified kit still uses amazon.com as the redirect destination, although the phishing target is amazon.co.jp.
This variant of the Xbalti phishing kit can serve both the desktop and the mobile version of the Amazon webpage. Which one is served depends on the user-agent string: if it contains any of the keywords listed in the source code as mobile agents, the victim is redirected to the mobile version; otherwise, the desktop version is served. In this spotlight, we focus on the latter.
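To make the gatekeeping and routing described in the two paragraphs above concrete, here is an added Python model of it. This is not code from the kit (which is PHP); it is a reconstruction written for this article, and the blocklist entries, the mobile keywords and the /mobile/ path are placeholder assumptions. Its value for an analyst is showing why a sandbox or crawler that connects from a listed range, or with a reverse-DNS name the kit recognizes, never sees the phishing page and is bounced to amazon.com instead:

```python
import ipaddress

# Placeholder blocklists (assumptions): the real kit ships its own lists.
BLOCKED_HOSTNAME_FRAGMENTS = ("googlebot", "crawl", "scanner", "amazonaws")
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("66.249.64.0/19", "192.0.2.0/24")]
MOBILE_AGENT_KEYWORDS = ("iphone", "android", "ipad", "mobile")

# The article notes the variant redirects to amazon.com, not amazon.co.jp.
REAL_AMAZON = "https://www.amazon.com/"


def is_blocked_visitor(ip: str, hostname: str) -> bool:
    """True if the reverse-DNS name or the source IP hits the bot blocklists."""
    host = hostname.lower()
    if any(frag in host for frag in BLOCKED_HOSTNAME_FRAGMENTS):
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address cannot be range-matched; treat as unlisted
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_mobile_agent(user_agent: str) -> bool:
    """Keyword match on the user-agent string, as the kit does."""
    ua = user_agent.lower()
    return any(keyword in ua for keyword in MOBILE_AGENT_KEYWORDS)


def route_visitor(ip: str, hostname: str, user_agent: str):
    """Return (decision, destination) the modelled kit would apply to this visitor.

    Order matters: the bot check runs before the device split, so a listed
    scanner is redirected regardless of what user-agent it presents.
    """
    if is_blocked_visitor(ip, hostname):
        return ("redirect", REAL_AMAZON)
    if is_mobile_agent(user_agent):
        return ("mobile", "/mobile/")  # mobile path is an assumption
    return ("desktop", "/pc/")  # /pc/ is the path seen in the IOCs


if __name__ == "__main__":
    # Constructed visitors, not real traffic.
    print(route_visitor("66.249.66.1", "crawl-66-249-66-1.googlebot.com", "Mozilla/5.0"))
    print(route_visitor("203.0.113.5", "host.example.net", "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)"))
    print(route_visitor("203.0.113.5", "host.example.net", "Mozilla/5.0 (Windows NT 10.0)"))
```

When replaying such a page in a sandbox, the practical consequence is that the egress IP and its reverse-DNS name should not look like a known scanner, or the analysis will only ever record a redirect to the legitimate site.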
As already mentioned, the first page visible to the victim asks for an email address. The collection and redirection logic is implemented in JavaScript in the sire.form.js file. Each stage contains a form and a corresponding JavaScript function that handles it (Figure 6).
When the form with a filled-in email address is submitted, the victim is redirected to a sign-in page (signin.php?login) that collects the password (Figure 7). After that submission, the next stage, stealing the billing information, is presented.
Collecting Billing Information
After a “successful” login, the phishing kit presents the victim with the Amazon homepage and a floating form on top of it that prevents any interaction with the page (Figure 8 left). This and all subsequent stages use base code implemented in /pc/view/flow.php, which uses PHP’s include to pull in the actual form for the current stage. For example, the billing form is implemented in /pc/view/cindex.php (Figure 8 right).
Conclusion
As we’ve seen in this Malware Analysis Spotlight, a phishing kit can be repurposed with minimal effort to target another group of victims. Mapping the observed behavior to generic rules, the way VMRay’s VTIs do, allows us to detect such attempts and give a malicious verdict even when the phishing kit has been modified. Additionally, using VMRay Analyzer we can observe that the phishing page and its resources are accessed from URL paths that directly correspond to the phishing kit’s structure, which is a potential way to detect further attempts with this variant of the Xbalti phishing kit.
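The path-based detection idea above can be turned into a small log check. The following Python is an added example written for this article, not VMRay’s detection logic; it matches the URL paths and stage-marker query strings documented on this page (/pc/js/sire.form.js, /pc/homepage/?update_billing, /pc/homepage/Card.php?Update_Your_Card, signin.php?login) against constructed proxy log lines, and raises an alert when one client walks through more than one stage. The log format and the clients are made up for the example; matching signin.php by suffix is an assumption, since the page does not give its full path:

```python
from urllib.parse import urlsplit

# (path suffix, exact query string or None). Taken from the kit structure and
# IOCs in this spotlight; the query strings are the kit's stage markers, so they
# are part of the signature rather than noise to be stripped.
KIT_PATH_SIGNATURES = (
    ("/pc/js/sire.form.js", None),
    ("/pc/homepage/", "update_billing"),
    ("/pc/homepage/Card.php", "Update_Your_Card"),
    ("/signin.php", "login"),  # stage 2; full path unknown, suffix match is an assumption
)


def match_kit_path(url: str):
    """Return the (path, query) signature a URL hits, or None."""
    parts = urlsplit(url)
    for sig_path, sig_query in KIT_PATH_SIGNATURES:
        if parts.path.endswith(sig_path) and (sig_query is None or parts.query == sig_query):
            return (sig_path, sig_query)
    return None


# Constructed proxy log (not real traffic): "client method url status"
SAMPLE_LOG = """\
10.0.0.12 GET https://amazom.ideainternational.cn/pc/ 200
10.0.0.12 GET https://amazom.ideainternational.cn/pc/js/sire.form.js 200
10.0.0.12 GET https://amazom.ideainternational.cn/signin.php?login 200
10.0.0.12 GET https://amazom.ideainternational.cn/pc/homepage/?update_billing 200
10.0.0.12 GET https://amazom.ideainternational.cn/pc/homepage/Card.php?Update_Your_Card 200
10.0.0.33 GET https://www.amazon.co.jp/gp/css/homepage.html 200
10.0.0.41 GET https://cdn.example.net/pc/js/sire.form.js 200
"""


def scan_log(text: str):
    """Map each client to the set of kit signatures it requested."""
    hits = {}
    for line in text.splitlines():
        client, _method, url, _status = line.split()
        sig = match_kit_path(url)
        if sig is not None:
            hits.setdefault(client, set()).add(sig)
    return hits


def alerts(text: str, min_stages: int = 2):
    """Clients that requested at least min_stages distinct kit stages, sorted."""
    return sorted(client for client, sigs in scan_log(text).items() if len(sigs) >= min_stages)


if __name__ == "__main__":
    for client, sigs in scan_log(SAMPLE_LOG).items():
        print(client, sorted(sigs))
    print("alert:", alerts(SAMPLE_LOG))
```

The signatures are deliberately host-agnostic: the kit can be dropped on any domain, but the paths come from its directory layout and survive a domain change. A single hit on sire.form.js is already a strong indicator (lower min_stages to 1 to surface it), while the multi-stage threshold is the one to use when the generic /pc/homepage/ path would otherwise collide with unrelated sites.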
IOCs
Xbalti Phishing Kit Variant
c54b199fbe4fbad46548919d0ce49694fb0a2473e01afaacae506fcdc21abf19
URLs & Paths
hxxps://amazom[.]ideainternational[.]cn/pc/
/pc/homepage/?update_billing
/pc/homepage/Card.php?Update_Your_Card
/pc/js/sire.form.js