
Key findings

  • A phishing toolkit that we named “Premium panel”, due to the presence of the string “Live Control Panel Premium”. This toolkit consists of a panel made up of multiple .php pages and .js scripts that handle the logging of victim credentials and the redirection of victims to other pages.
  • Phishing domains masquerading as login pages of multiple renowned companies in various industries, mostly banking and logistics. The companies usurped are mostly Western, with exceptions in Saudi Arabia, Israel, South Africa, Taiwan, Qatar and Guatemala.
  • Strategic analysis of the different phishing campaigns that used this toolkit, including the companies usurped and the sectors and countries targeted.
  • Insight into the connection between the phishing domains and the panel used to receive details and credentials from victims. We discovered a method to track new domains linked to the “Premium panel” phishing toolkit. Threat actors either used compromised legitimate domains to host their phishing pages, hosted their websites on temporary/free domain names, or registered domains spoofing the usurped companies’ brands. Telegram tokens and IDs found on unprotected panels can be used to track clusters and threat actors targeting specific countries and industries.

Introduction

Phishing is still the most common initial access vector used by threat actors worldwide. Phishing can be used for a variety of purposes, including credential harvesting and malware delivery. As far as phishing for credentials is concerned, Intrinsec CTI discovered a phishing toolkit that has been in use for at least 2 years. While the author of this toolkit was not identified, we discovered means to track this threat and produce actionable content for defences. Phishing toolkits remain relevant because even low-tier threat actors can easily set them up, which usually inflates the number of campaigns seen in the wild. This is what we observed: threat actors are using this toolkit, which we named “Premium panel” due to the presence of a specific string, in various campaigns usurping mostly European companies in selected industries.

Intrinsec’s CTI services

Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.

For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.

Intrinsec also offers various services around Cyber Threat Intelligence:

  • Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
      • an operational feed of IOCs based on our exclusive activities.
      • threat intel notes & reports, TIP-compliant.
  • Digital risk monitoring:
      • data leak detection & remediation
      • external asset security monitoring (EASM)
      • brand protection

For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.
