Decrypt LOL

Monitoring of Gabagool Phishing Campaign Targeting Employees


Quick take - The TRAC Labs team is monitoring a sophisticated phishing campaign named Gabagool, which targets corporate and government employees by using Cloudflare R2 buckets to host malicious content and employing various techniques to evade detection and harvest sensitive information.

Fast Facts

  • The Gabagool phishing campaign targets corporate and government employees, utilizing Cloudflare R2 buckets to host malicious content and evade detection.
  • Attackers compromise user email accounts to send phishing emails containing disguised images or RTF documents with malicious links.
  • The phishing landing page, hosted on Cloudflare, is designed to harvest sensitive information and employs various checks to differentiate between human users and bots.
  • Stolen credentials are encrypted during transmission, and the server uses AES encryption for security, with mechanisms to manage user sessions and MFA options.
  • TRAC Labs has issued detection recommendations and made indicators of compromise available on their GitHub page to help organizations defend against this threat.

Monitoring the Gabagool Phishing Campaign

The TRAC Labs team is currently monitoring a phishing campaign identified as Gabagool, which targets corporate and government employees. This campaign is noted for its sophistication and utilizes Cloudflare R2 buckets to host malicious content. By leveraging Cloudflare’s reputation, the campaign is able to bypass security measures and evade detection.

Attack Initiation and Methodology

The attack initiates when threat actors compromise a user’s email account. Once access is gained, phishing emails are sent to other employees within the organization. These emails often contain an image disguised as a document, which includes a malicious URL-shortened link. The shortened links typically use services such as tiny.cc and tiny.pl, employing a redirect chain to obscure the final destination.

In certain cases, the phishing emails may include an RTF document embedded with a QR code. When users interact with the image or document, they are redirected to file-sharing platforms like SharePoint, SugarSync, or Box. Subsequently, users are directed to a phishing landing page hosted in a Cloudflare R2 bucket, crafted to harvest sensitive information.

Technical Details of the Phishing Page

The URL structure of the landing page follows a specific format commonly used by various phishing kits. The source code of this landing page is equipped with parameters designed for credential harvesting. It also includes redirection to legitimate URLs to increase the campaign’s legitimacy.

To prevent automated access, the JavaScript code on the landing page implements several checks to detect bot activity. These checks include:

  • Webdriver Check: Identifies headless browsers or automation frameworks.
  • Mouse Movement Detection: Distinguishes between human users and bots.
  • Cookie Test: Verifies the presence of a test cookie to identify bot configurations.
  • Rapid Interaction Detection: Observes the frequency of actions to spot automated scripts.

If bot activity is detected, users are redirected to a legitimate domain. Conversely, if human interaction is confirmed, the webpage is manipulated to reveal the credential harvesting page, which utilizes the CryptoJS library for encryption and decryption operations.

Credential Exfiltration and MFA Handling

The server that receives the stolen credentials employs AES encryption for security and uses unique identifiers and flags to track user visits and manage invalid results. The initial POST request sent to the server contains various parameters, including a redirect URL for valid credentials. In response, the server may provide a JSON Web Token (JWT) for session management purposes.

For users with multifactor authentication (MFA) enabled, the server response indicates available authentication methods, including PhoneAppNotification and PhoneAppOTP. The campaign is designed to differentiate between known bots and legitimate users, redirecting bots to alternate URLs while channeling regular users to the phishing pages.

Recommendations and Resources

To combat this evolving threat, the TRAC Labs team has issued detection recommendations, including monitoring unusual connections to Cloudflare R2 buckets and other known malicious servers. Indicators of compromise related to the Gabagool phishing campaign are publicly available on the TRAC Labs GitHub page, providing further assistance for organizations to protect themselves against this sophisticated phishing threat.
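One way to act on the R2 monitoring recommendation is to flag R2 requests that follow the redirect chain described earlier (shortener or file-sharing hop, then an R2 bucket). The sketch below is an added example, not code from TRAC Labs or the original article; the `.r2.dev` hostname suffix, the three-field log layout, the 10-minute window and all sample log lines are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHORTENERS = {"tiny.cc", "tiny.pl"}                           # shorteners named in the article
FILE_SHARES = ("sharepoint.com", "sugarsync.com", "box.com")  # platforms named in the article
R2_SUFFIX = ".r2.dev"            # assumption: hostname suffix of public R2 bucket URLs
WINDOW = timedelta(minutes=10)   # assumption: max gap between an earlier hop and the R2 hit

def classify(host):  # map a hostname to its stage in the redirect chain, or None
    host = host.lower().rstrip(".")
    if host in SHORTENERS:
        return "shortener"
    if any(host == d or host.endswith("." + d) for d in FILE_SHARES):
        return "fileshare"
    return "r2" if host.endswith(R2_SUFFIX) else None

def parse(line):  # '<ISO timestamp> <user> <url>' (hypothetical proxy-log layout)
    ts, user, url = line.split()
    return datetime.fromisoformat(ts), user, urlsplit(url).hostname or ""

def find_chains(lines):
    """Return (user, r2_host, earlier_stages) per R2 hit preceded within WINDOW."""
    recent = defaultdict(list)   # user -> [(timestamp, stage)]
    alerts = []
    for ts, user, host in sorted(parse(l) for l in lines if l.strip()):
        stage = classify(host)
        if stage == "r2":
            # Stages this user touched shortly before reaching the bucket.
            seen = sorted({s for t, s in recent[user] if ts - t <= WINDOW})
            if seen:
                alerts.append((user, host, seen))
        elif stage:
            recent[user].append((ts, stage))
    return alerts

# Constructed sample log; every user, host and path here is made up.
BUCKET = "pub-00000000000000000000000000000000.r2.dev"
SAMPLE_LOG = f"""
2024-10-01T09:00:05 alice https://tiny.cc/abc123
2024-10-01T09:00:09 alice https://example.sharepoint.com/:b:/s/doc
2024-10-01T09:00:20 alice https://{BUCKET}/index.html
2024-10-01T09:01:00 bob https://{BUCKET}/logo.png
2024-10-01T08:00:00 carol https://tiny.pl/xyz
2024-10-01T09:30:00 carol https://{BUCKET}/index.html
2024-10-01T09:40:00 dave https://app.box.com/s/shared
2024-10-01T09:40:30 dave https://{BUCKET}/index.html
""".splitlines()
if __name__ == "__main__":
    print(*find_chains(SAMPLE_LOG), sep="\n")
```

On the sample data only alice and dave are flagged: bob reaches the bucket with no preceding hop, and carol's shortener visit falls outside the window. Direct R2 traffic without a chain is common for legitimate sites, so treat a hit as a triage lead to correlate with the published indicators rather than as a verdict.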
