The red team has a new "trick"? Don't worry, we will show you how to make their phishing techniques "fail"!

As security protection technology improves and security devices become better at detecting attack behaviour, traditional web attack methods find it increasingly difficult to penetrate the defensive line. Phishing has therefore gradually become a focus of red team activity. Compared with traditional attack methods, phishing has a higher success rate and often achieves better results, because it does not rely directly on technical vulnerabilities but exploits psychological and behavioural tendencies to deceive the target. For example, an attacker can send fake emails disguised as coming from a legitimate entity to trick victims into handing over sensitive information or clicking malicious links, or build fake websites that look like legitimate ones to lure people into entering sensitive data. Attackers may also disguise their identity over the telephone, on social media or in instant messaging to induce victims to disclose confidential information or carry out harmful operations. More targeted still is "spear phishing", in which the attacker tailors the phishing content to the victim's situation to make it more persuasive.

1. Target Group Information Collection

Before carrying out a phishing attack it is important to collect and consolidate information in advance so that the attack can pass unnoticed. This covers many aspects of the target company: recruitment postings, bidding records, legal disputes, supply-chain relationships, employee contact details, social media accounts, domain names, and the company's internal organizational structure and the names of its senior executives.

The ideal outcome of the collection stage is to obtain the email login credentials of a company employee or administrator. Alternatively, if a web server can be compromised, mailbox-related settings can often be found in its configuration files. Obtaining access to, or credentials for, an office system, especially one with workflow or internal messaging functions, gives the attacker a legitimate identity and makes the attack far more covert.

Work stealthily throughout these steps so as not to attract attention. Information gathering is the foundation of a successful phishing attack, so caution at this stage is critical.

Common collection channels include, but are not limited to, AiQiCha (corporate registry data), Git repositories, threat intelligence platforms and Yuque (shared documents).

Figure 1 Hunter mailbox collection platform diagram

2. Types of Phishing Attacks

The strategy of phishing attacks can be simplified into the following main methods:

Social phishing: Used when the information gathering phase finds that the target has leaked contact information on the Internet, such as a company presence on social platforms like DingTalk, QQ and WeChat. Attackers can exploit the company's DingTalk or QQ groups, employees' mobile phone numbers, or even social account friend relationships discovered through those numbers. Phishing on social platforms usually involves sending malicious links or deceptive messages that lead the user to download malware, which then steals confidential information.

Email phishing: If recruitment, legal dispute, bidding or similar information is obtained during the collection phase, the attacker can attempt email phishing; it suits targets that publish such information openly. Email phishing is currently one of the most common attack methods: attackers send forged emails impersonating banks, telecom operators, government agencies and so on to obtain sensitive information or deliver malware.

Website fraud: Email, social media and other channels are used to lure users, with a friendly and attractive pretext, into clicking a link that leads to a site disguised as a legitimate one, where their account name and password are harvested.

Passive phishing: The attacker plants booby-trapped content in public places such as GitHub repositories, Python package indexes or other public documents and waits for the target to download, install or run it. Passive phishing suits large-scale attack-and-defence drills and APT campaigns.

Phishing attacks can be further divided into the following types:

Spear phishing: Spear phishing targets specific individuals, and the attacker formulates a strategy for each of them. A wide-net campaign, by contrast, is more likely to be noticed because of its scale. In practice red teams focus on particular groups such as operations and maintenance staff, who usually keep system inventories recording the organization's important business systems. Compromising such a person gives the attacker an important path into the intranet.

Watering hole attack: The attacker sets a trap on a path the target is bound to take and waits for the target to trigger it; when that happens, malware is implanted on the target's host. This method usually relies on a vulnerability in, or existing access to, a business system inside the organization, where malicious code is placed. When a normal user visits the page the code executes and the attacker gains control of the user's host.

Whaling: Whaling attacks target senior corporate executives. These people often do not receive the same security awareness training as ordinary employees, so they are less alert to phishing and more vulnerable to it. Compromising a senior executive yields more valuable information and does more damage.

Figure 2 Schematic diagram of the phishing file process

3. Prepare the pretext, phishing website and bait

1. The pretext

The success of a phishing attack depends largely on a carefully constructed pretext, which plays a key role throughout the process. Different pretexts suit different targets and produce different results. Before planning the attack, a deep understanding of the target is essential: obtain contact details for the target company's employees and establish whether they are currently on site; judge the target's position and department accurately, for example whether they hold an administrative role; confirm whether their office device is connected to the corporate network; and find out whether the device has antivirus software installed and, if so, which product.

2. Bait attachments: antivirus evasion

One of the challenges to overcome in phishing is antivirus software. With personal antivirus products installed on most computers and enterprises deploying mail sandboxes and EDR, an unprocessed Trojan is difficult to deliver or execute. To bypass these protections, attackers build customized evasive Trojans designed to slip past the target's sandbox inspection and antivirus detection. Ideally, information gathering or conversation with the victim reveals whether the target runs antivirus software and which product, so that a sample can be tailored to it. Inducing the target to turn off their antivirus is a simple approach, but in reality the attacker usually does not know the target's antivirus status and operates blind. To keep the success rate up, the only option is to build a robust evasive payload that bypasses as many antivirus products as possible.

Building an evasive Trojan requires a deep understanding of how antivirus software works. Antivirus generally combines two methods: static analysis and dynamic analysis. In static analysis the scanner inspects the file's binary content, looking for specific patterns and instruction sequences, known malicious signatures and other characteristics that indicate malicious intent. Static evasion means making the malware invisible to this analysis, for example by modifying the file format, using a packer or code obfuscator, or hiding the malicious code. Dynamic analysis monitors the program's behaviour at runtime, observing system calls, network traffic, file operations and other activity; this lets the scanner spot malicious behaviour that obfuscation, encryption or similar techniques hide from static analysis. Dynamic evasion means hiding the malware from this runtime analysis, using techniques such as virtualization, process injection, code obfuscation, anti-debugging, anti-sandbox checks and runtime generation of the malicious code. Common evasion approaches include: evasive loaders, separating the payload from the loader, packing, and modifying the features (signatures) the scanner detects.

3. Bait attachments: disguise

Disguise means altering the outward appearance of a phishing sample so that it looks different from what it actually is. For example, an executable can be made to resemble a PDF, or the executable's .ico icon can be replaced so that it looks like an official program. During information collection, gather the official website icons of the victim's organization and apply them to the Trojan to lower the target's guard. However, if nothing visible happens when the file is run, suspicion may be aroused; in that case the Trojan's icon and file information are modified, a benign file is bound to the Trojan, and that benign file is dropped and opened when the user runs it. The red team needs to master these techniques for producing phishing files that do not alert the target. Several common methods follow:

① File appearance camouflage: modify the header or specific parts of the file so that it looks like another file type, for example disguising an executable as a document, image or audio file.

② Icon replacement: replace the Trojan executable's icon with that of a common, harmless program so that it looks like a normal file in the file browser.

③ Bundled files: bundle the Trojan with one or more legitimate files so that the normal files are dropped when the user runs it, concealing the Trojan's presence.

④ Dynamic loading: at runtime the Trojan downloads further malicious components, so that they are not present for static analysis.

⑤ Code obfuscation: obfuscate the Trojan's code so that static analysis tools struggle to interpret it, reducing the risk of detection.

⑥ Virtualization: package the Trojan's code to run inside a virtual environment so that its behaviour looks closer to that of a normal program and evades dynamic analysis.

⑦ Anti-sandbox checks: detect whether the sample is running in a sandbox and, if so, behave differently to avoid detection.

⑧ Anti-debugging: detect whether the sample is running under a debugger and, if so, take measures to frustrate debugging.

These methods can be combined in phishing attacks to produce evasive Trojans that deceive the target and bypass security measures.

Figure 3 Diagram of modifying attachment icon

Figure 4 Schematic diagram of self-extracting archives and filename extension reversal (Unicode right-to-left override)
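The disguise techniques above are what a mail gateway or analyst has to undo. The following script, added here as an example and not taken from the original article, checks an attachment's name and first bytes for the three tricks that are visible without executing anything: a right-to-left override that reverses the displayed extension, a double extension such as report.pdf.exe, and an executable (PE "MZ" header) carrying a document extension. All file names and byte strings in it are constructed samples; the extension lists are deliberately partial.

```python
"""Flag attachment names and headers that disguise an executable as a document.

Added example, not part of the original article. All file names and byte
strings below are constructed. The checks mirror the disguise techniques
described above: RLO (U+202E) extension reversal, double extensions, and an
executable (PE "MZ" header) carrying a document extension.
"""
import os

# Extensions Windows will run directly when double-clicked (partial list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
# Extensions a user expects to be harmless documents or media.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png"}
# Unicode bidirectional control characters; none belong in a legitimate file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"


def strip_bidi(name: str) -> str:
    """The name as the file system stores it, with control characters removed."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: text after an RLO is rendered
    right-to-left, so 'invoice\u202efdp.exe' displays as 'invoiceexe.pdf'."""
    if RLO not in name:
        return strip_bidi(name)
    head, _, tail = name.partition(RLO)
    return strip_bidi(head) + strip_bidi(tail)[::-1]


def analyze_attachment(name: str, head: bytes) -> list[str]:
    """Return a list of findings for an attachment; empty means nothing suspicious.

    `head` is the first few bytes of the file content (its magic number).
    """
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi control character in file name (possible RLO spoofing)")

    real = strip_bidi(name)
    real_ext = os.path.splitext(real)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        findings.append(f"displayed as {shown_ext} but the real extension is {real_ext}")

    # Double extension such as report.pdf.exe: the visible part says document,
    # the last part decides what Windows runs.
    parts = real.lower().split(".")
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{parts[-2]}.{parts[-1]}")

    # Content check: a PE image starts with 'MZ' regardless of its name.
    if head[:2] == b"MZ" and real_ext not in EXECUTABLE_EXTS | {".dll", ".sys", ".ocx"}:
        findings.append(f"PE (MZ) header but extension {real_ext or '(none)'}")
    return findings


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of content)
    samples = [
        ("invoice\u202efdp.exe", b"MZ\x90\x00"),   # RLO: shows as invoiceexe.pdf
        ("Q3_report.pdf.exe", b"MZ\x90\x00"),      # double extension
        ("statement.pdf", b"MZ\x90\x00"),          # PE content, document name
        ("statement.pdf", b"%PDF-1.7"),            # genuine PDF
    ]
    for fname, magic in samples:
        print(repr(fname), "->", analyze_attachment(fname, magic) or ["clean"])
```

The content check is the one that survives icon replacement and bundling: whatever the icon or the name says, a PE file still begins with the two bytes MZ, so a gateway that reads the magic number rather than trusting the extension catches the cases the user cannot see.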

4. Phishing Websites

Phishing websites are a form of online fraud designed to trick users into handing over sensitive personal information such as usernames, passwords and credit card details, usually by impersonating a legitimate, trusted website. Attackers build sites that look and behave very much like the real thing so that users enter their credentials there. Once the user has done so, the attacker can use the data for identity theft, financial fraud and other crimes.

Phishing websites rely on social engineering and disguise, and victims are steered to them through email, social media, instant messaging and similar channels. For example, an attacker may send a legitimate-looking email asking the user to click a link and then log in on the site it opens. Such emails are usually disguised as notifications from banks, payment platforms, social media or other everyday services to win the victim's interest and trust.

To identify phishing websites, users need to be vigilant and pay attention to the following points:

① URL check: Before clicking a link, inspect its actual destination (hover over it, or long-press on a mobile device). An attacker may register a domain that resembles the real one but differs by a character or a typo, or place the real brand name in a subdomain of a domain they control.

② Security certificate: Make sure the site uses a valid certificate; most legitimate sites show a lock icon in the browser to indicate that the connection is encrypted. Note, however, that the lock only means the connection is encrypted, not that the site belongs to who it claims: phishing sites routinely obtain valid certificates too, so the domain name shown in the certificate still has to be checked.

③ Be careful with links: Do not click links in unverified emails, text messages or social media posts. It is safer to type the site's address manually than to follow a link.

④ Do not provide sensitive information: Never enter sensitive information on uncertain websites, especially passwords, credit card information, etc.

⑤ Use security tools: Using security software and antivirus tools can help detect and block access to malicious websites.

In short, phishing websites trick users into revealing sensitive information by impersonating legitimate sites. Users should stay vigilant and never provide personal information without verifying where they are sending it.
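The URL check in point ① can be partly automated. The following script is an added example, not part of the original article; it scores a URL against a small, constructed allow-list of trusted domains and reports the look-alike tricks described above: a brand name embedded in an attacker-controlled host, credentials before an "@" that hide the real host, punycode or raw non-ASCII labels, confusable characters (digit 1 for l, Cyrillic а for Latin a), and one-character typosquats. The confusable table is a tiny subset of Unicode TR39 and the two-label "registrable domain" rule is a simplification; a real deployment would use the full table and the Public Suffix List.

```python
"""Score a URL for phishing look-alike tricks against a list of trusted domains.

Added example, not from the original article. TRUSTED and every URL in the
demo are constructed. CONFUSABLES is a small subset of Unicode TR39 and
registrable_domain() ignores multi-label public suffixes such as co.uk.
"""
import unicodedata
from urllib.parse import urlparse

TRUSTED = {"paypal.com", "microsoft.com", "example-bank.com"}   # assumed allow-list

# Characters commonly substituted for Latin letters (tiny subset of UTS #39).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",             # digits
    "rn": "m", "vv": "w", "cl": "d",                    # letter pairs
    "\u0430": "a", "\u0435": "e", "\u043e": "o",        # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",        # Cyrillic р с у
}


def skeleton(label: str) -> str:
    """Fold a host label to a canonical form so that look-alikes collide."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))   # strip accents
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels. Naive: suffixes like co.uk need the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode for comparison."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def check_url(url: str) -> list[str]:
    """Return findings; an empty list means the host is trusted or unremarkable."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if p.scheme != "https":
        findings.append("not https")
    if p.username is not None:
        # https://paypal.com@evil.example/ : everything before '@' is a username
        findings.append(f"credentials in URL, real host is {host}")
    if any(lab.startswith("xn--") for lab in host.split(".")):
        findings.append("punycode (IDN) label in host")
    elif not host.isascii():
        findings.append("non-ASCII characters in host")

    reg = registrable_domain(host)
    if reg in TRUSTED:
        return findings

    reg_label = decode_label(reg.split(".")[0])
    for t in TRUSTED:
        if t in host:
            # paypal.com.account-verify.example, secure-paypal.com, ...
            findings.append(f"trusted name {t} embedded in untrusted host")
        t_label = t.split(".")[0]
        if reg_label != t_label and skeleton(reg_label) == skeleton(t_label):
            findings.append(f"confusable for {t}")
        elif levenshtein(reg_label, t_label) == 1:
            findings.append(f"one edit away from {t} (typosquat)")
    return findings


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://paypal.com.account-verify.example/login",
              "https://paypa1.com/login",
              "https://paypal.com@evil.example/",
              "https://xn--pypal-4ve.com/"):          # punycode of Cyrillic-а "pаypal"
        print(u, "->", check_url(u) or ["no findings"])
```

The skeleton comparison is what catches the IDN case: the browser may display the punycode form, but decoding the label and folding Cyrillic а to Latin a makes it collide with the trusted label, which a plain string comparison never would.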

4. Place the Bait

After the above preparation, the Trojan is delivered to the target by one of several routes and the attacker quietly waits for the target to take the bait. Whether it succeeds now depends on whether the pretext is convincing enough for the target to believe it.

Here are a few strategies to increase your chances of success:

Create an appropriate sense of urgency, for example by fabricating an incident with serious consequences, or impersonate an identity the target cannot easily refuse, such as a senior leader within the organization, a third-party operator or a job applicant.

Emphasize time pressure and stress the seriousness of the situation. A victim eager to resolve the problem often acts without thinking.

Offer an incentive. For example, pose as a company manager and promise a bonus, to be paid with next month's salary, for completing a certain task. This significantly increases the success rate.

Time the attack flexibly and vary the pretext with circumstances. If the company is running an attack-and-defence drill, use it as the excuse to tell employees they must perform a security check; when a public holiday approaches, send a fake holiday schedule, which is routine enough not to arouse suspicion.

Consider using several Trojans and several C2 servers for remote control, which improves both the stability and the concealment of the attack.

Figure 5: Example of a real phishing email

5. Conclusion - Phishing Attack Prevention

Phishing attacks impersonate legitimate entities to lure users into submitting sensitive information on fake websites or running malicious programs. The methods vary widely; the attacker combines the specific scenario, a matching attack plan and pretext, and a well-crafted Trojan sample to make the lure credible enough that the target falls into the trap. The key to prevention is raising security awareness among users and within the organization, running training, avoiding suspicious links and attachments, and keeping applications up to date.

To combat phishing attacks, take the following measures:

1. Strengthen security training within the organization so that employees can recognize and resist phishing. Avoid exposing social media accounts through unofficial channels, and give extra training to roles that communicate with outsiders as part of their job, such as HR and legal staff.

2. Enforce strong passwords and two-factor authentication to protect accounts and prevent leaks of sensitive information. Adopt a password rotation policy so that credentials an attacker has already stolen stop working before they can be used.

3. Update the operating system and applications in a timely manner. Install security patches to prevent attackers from exploiting known vulnerabilities.

4. Deploy a sandbox at the mail gateway. Combine signature scanning, threat-intelligence matching, heuristic scanning and behavioural analysis to identify malicious files and phishing links. Keep the signature databases of intranet hosts and of the antivirus sandbox updated so that malicious files do not slip through because of stale signatures.

5. Verify the content of the email. Scan external files with antivirus before opening them. Treat emails containing words such as "benefit" or "subsidy" with caution and do not blindly download and open unknown attachments.

6. Check the sender's actual email address, not just the display name, together with the message content to judge whether a suspicious email is genuine; where available, the Return-Path and Authentication-Results headers show whether the envelope sender and SPF/DKIM/DMARC checks line up with the visible From address.

7. Be wary of newly created social accounts and verify the other party's identity through information only the real person would know.

8. Avoid opening executables, Office files and files with unfamiliar extensions received as attachments, and do not click email links directly; go to the known website address instead. When you meet an unknown link or a suspicious site, confirm it before acting, for example by asking IT staff or the apparent sender through another channel.
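Point 6 above is mechanical enough to automate on the mail gateway or in an analyst's triage script. The following example is added here and is not part of the original article; both messages in it are constructed. It compares the visible From address with the envelope sender (Return-Path) and Reply-To, looks for an address smuggled into the display name, and reads the receiving server's Authentication-Results header for the SPF, DKIM and DMARC verdicts. The Authentication-Results header is only trustworthy when your own gateway added it and strips any copy that arrives from outside; the script assumes that is the case.

```python
"""Check e-mail headers for the sender-spoofing signs listed above.

Added example, not from the original article. Both sample messages are
constructed. Authentication-Results is only meaningful if the receiving
gateway adds it itself and removes any copy supplied by the sender.
"""
import email
import re
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_headers(raw: str) -> list[str]:
    """Return a list of findings for the message headers; empty means aligned."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. An address written inside the display name:
    #    "Bank <alerts@bank.example>" <x@evil.example> shows the first, sends from the second.
    m = ADDR_RE.search(from_name)
    if m and domain_of(m.group(0)) != from_dom:
        findings.append(f"display name shows {m.group(0)} but address is {from_addr}")

    # 2. Replies go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    # 3. Envelope sender (what SPF checks) not aligned with From (what the user sees).
    #    Subdomains of the From domain are accepted, as in relaxed DMARC alignment.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_dom = domain_of(return_path)
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} not aligned with From domain {from_dom}")

    # 4. Verdicts recorded by the receiving MTA.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        r = re.search(rf"\b{mech}=(\w+)", auth)
        if r is None:
            findings.append(f"no {mech} result recorded")
        elif r.group(1) != "pass":
            findings.append(f"{mech}={r.group(1)}")
    return findings


# Constructed sample: looks like the bank, but nothing lines up.
PHISHING_SAMPLE = """\
Return-Path: <bounce@mail-sender.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-sender.example; dkim=none; dmarc=fail header.from=bank-notice.example
From: "Example Bank <alerts@example-bank.com>" <alerts@bank-notice.example>
Reply-To: support@bank-notice-help.example
To: victim@example.com
Subject: Urgent: confirm your account within 24 hours

"""

# Constructed sample: envelope sender, DKIM domain and From all agree.
LEGIT_SAMPLE = """\
Return-Path: <alerts@example-bank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: Example Bank <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement

"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", assess_headers(sample) or ["no findings"])
```

Note that SPF passes on the phishing sample: the attacker controls mail-sender.example and publishes a valid SPF record for it. Only the alignment check between the envelope domain and the From domain, which is what DMARC enforces, exposes the mismatch, which is why point 6 asks for the Return-Path and not just the SPF verdict.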

Author: Zhou Yu

Unit: China Mobile Internet of Things Co., Ltd.
