EvilProxy Now Available for Purchase

A new Phishing-as-a-Service (PhaaS) named EvilProxy (also known as Moloch) was seen for sale in dark web forums, according to researchers.  Moloch ransomware is a computer virus infection that encrypts all personal victim files on an affected device and demands a ransom for unlocking them.  This file-locking parasite belongs to the relatively small Makop ransomware family, compared to others such as Djvu or Dharma.

EvilProxy actors use reverse proxy and cookie injection methods to bypass 2FA (two-factor authentication) by proxying the victim's session, according to a recent report.  Providing a connection in this context means giving a client component the ability to communicate with a forward proxy.[1]  To proxify an HTTP connection, the differences between forward and reverse proxies must be understood (see the HTTP CONNECT method and the proxy Host header on Stack Overflow, and RFC 7230).
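The reverse-proxy technique described above relays whatever the victim types, including SMS codes and app tokens, because nothing in those factors is tied to the site the victim is actually looking at. An origin-bound factor such as a WebAuthn (FIDO2) assertion is different: the browser writes the page's real origin into clientDataJSON, so a relying party that checks it rejects an assertion produced on a look-alike domain. The check below is an added example, not code from the page or from any named vendor; the origin, the fixed challenge and the look-alike domain are constructed for illustration.

```python
import base64
import json
import secrets

# Relying-party origin the server expects (assumed value for this example).
RP_ORIGIN = "https://accounts.example.com"


def b64url_decode(s: str) -> bytes:
    # clientDataJSON and challenges travel base64url-encoded without padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_client_data(client_data_b64: str, expected_challenge: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for the clientDataJSON half of a WebAuthn assertion.

    The browser, not the web page, fills in `origin`; a reverse proxy that
    serves the login page from another domain therefore yields an assertion
    whose origin the relying party does not recognise.
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
        if not isinstance(data, dict):
            raise ValueError("not a JSON object")
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected type {data.get('type')!r}"
    # The challenge must be the one issued for this login attempt, so an
    # assertion captured earlier cannot be replayed against a new session.
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not {RP_ORIGIN}"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> str:
    # Constructed stand-in for what a browser emits when a page at `origin`
    # calls navigator.credentials.get() with this challenge.
    payload = {"type": "webauthn.get",
               "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
               "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()


CHALLENGE = bytes(32)  # fixed for reproducibility; issue os.urandom(32) per login in practice

if __name__ == "__main__":
    print(verify_client_data(make_client_data(RP_ORIGIN, CHALLENGE), CHALLENGE))
    # Constructed look-alike domain standing in for a proxying phishing host.
    print(verify_client_data(make_client_data("https://accounts.examp1e.com", CHALLENGE), CHALLENGE))
```

The same server-side logic also needs the signature over authenticatorData and the clientDataJSON hash verified against the stored public key; this block isolates only the origin and challenge checks that defeat the proxying described above.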

The analysis warns that such methods have been seen in targeted campaigns of advanced persistent threats (APTs) and cyber-espionage groups.  These methods have been successfully productized in EvilProxy, highlighting the significance of growth in attacks against online services and MFA authorization mechanisms.  Based on the ongoing investigation of attacks against multiple employees of Fortune 500 companies, researchers said they obtained substantial knowledge about EvilProxy, including its structure, modules, functions, and network infrastructure.  According to the investigators, early occurrences of EvilProxy were initially identified in connection with attacks against Google and MSFT customers who have MFA enabled on their accounts, either with SMS or Application Token.[2]

To establish a timeline of EvilProxy's operations, investigators said the malware was first spotted in early May 2022, when the threat actors (TAs) behind it released a demonstration video describing how it could be used to deliver advanced phishing links.  These could be used to compromise consumer accounts belonging to Apple, Facebook, Google, Instagram, Microsoft, and Twitter, among others.  EvilProxy also supports phishing attacks against the Python Package Index (PyPI).

See:  https://redskyalliance.org/xindustry/what-s-a-pypi

Several PyPI software repository project contributors were subject to a phishing attack that tricked them into divulging their account login credentials last week.  That attack, linked to the JuiceStealer payload, has now been connected to EvilProxy actors.  The security experts said the TA would have added this function shortly before the attack.  Besides PyPI, the functionality of EvilProxy also supports GitHub and npmjs, enabling supply chain attacks via advanced phishing campaigns.

The analysis also suggests it is highly likely these threat actors target software developers and IT engineers to gain access to their repositories, with the end goal of hacking "downstream" targets.  These tactics allow cybercriminals to capitalize on end users who assume they are downloading software packages from trusted sources and do not expect them to be compromised.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html

[2] https://www.oodaloop.com/briefs/2022/09/06/evilproxy-phishing-toolkit-spotted-on-dark-web-forums/
