Insight The developers of EvilProxy – a phishing kit dubbed the "LockBit of phishing" – have produced guides on using legitimate Cloudflare services to disguise malicious traffic. This adds to the ever-growing arsenal of tools offering criminals who lack actual technical expertise to get into the digital thievery biz.
EvilProxy is a reverse-proxy phishing kit sold on dark-web marketplaces, earning it the moniker "phishing-as-a-service" (PhaaS). The tool has helped crooks launch attacks since at least mid 2022, according to Resecurity – one of the first threat hunters to warn of the toolkit's existence.
Proofpoint sees about a million EvilProxy threats every month, according to the email security biz's director of threat research Daniel Blackford.
"The EvilProxy service makes it very easy to sign up for the service and set up phishing campaigns," Blackford told The Register.
Whoever runs EvilProxy offers a Telegram channel that publishes customer support info, YouTube videos on how to use the service, and other guides on how users can launch attacks and disguise their criminal activity.
"In recent months, Proofpoint has observed a significant increase in EvilProxy campaigns that use Cloudflare services to disguise their traffic, which prevents automated sandbox detection and ensures only targeted human users interact with the phishing links to receive the credential phishing landing pages," Blackford explained. "The use of Cloudflare filtering is one of the guides provided by EvilProxy."
Last northern summer, Proofpoint warned of an ongoing campaign that used EvilProxy to send about 120,000 scam emails to "hundreds" of organizations worldwide between March and June 2023. The messages targeted C-Suite executives – as stealing such officers' credentials has the potential to afford access to lucrative targets.
Anatomy of an attack
Here's how these attacks work:
They start with a phishing email that purports to be from a trusted service like Cloudflare, Adobe, or DocuSign. These messages include a link redirecting users through legitimate websites such as YouTube or SlickDeals. In this step, the attacker encodes the username within the URL.
Users are then sent to multiple other websites, which also helps cloak the traffic and makes it harder to detect malicious activity. These sites include attacker-controlled redirect sites – some of which may include legitimate hijacked websites packed with PHP code that allows the crooks to decode the user email.
Ultimately, the user is redirected to the actual phishing website that mimics the victim organization's Microsoft login page. It is deployed using the EvilProxy phishing framework, which can fetch content dynamically from the real login site, and it functions as a reverse proxy, sending the victim to the actual website. This allows the criminals to intercept server requests and responses, thus enabling attacker-in-the-middle scenarios.
The attacker can then steal session cookies and MFA tokens, which allow sign in to legitimate Microsoft accounts.
TA4903, TA577 join the phishing expeditions
"While most EvilProxy campaigns are not attributable to tracked threat actors, Proofpoint has seen at least two notable threat actors recently adopt the use of EvilProxy: TA4903 and TA577," Blackford wrote.
TA577 – which was a primary QBot malware distributor before the FBI-led disruption effort a year ago – used EvilProxy in phishing campaigns earlier this year, according to Blackford. He called this "notable" because this particular threat group usually conducts malware campaigns.
Similarly, TA4903 – better known for business email compromise (BEC) attacks – has used EvilProxy for credential phishing expeditions in pursuit of email inbox access, business email compromise (BEC), and follow-on phishing campaigns.
In fact, 73 percent of orgs experienced BEC attacks following a successful phish in 2023, according to a Proofpoint report. And 32 percent of these phishing emails resulted in follow-on ransomware infections.
Menlo Security last summer said it spotted an attack using EvilProxy that ran through July and August 2023, and targeted senior-level execs primarily across banking and financial services companies, insurance providers, manufactures and property management and real estate firms.
- Malware crew Stargazers Goblin used 3,000 GitHub accounts to make bank
- Beware of fake CrowdStrike domains pumping out Lumma infostealing malware
- DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed
- Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools
Since then, the criminals behind EvilProxy have improved the phishing service with better bot detection and new bot guard features. The evilware developers have also allowed users to add their own bots and Telegram chats or groups. Before launching a full-on phishing campaign, prospective crooks can also test their messages directly from the EvilProxy web interface.
"There has been a significant uptick in the usage of EvilProxy PhaaS in phishing campaigns currently as it has continued to be the most widely used PhaaS platform along with NakedPages, Greatness and Tycoon 2FA PhaaS solutions," Menlo Security threat researcher Ravisankar Ramprasad told The Register.
"We have noticed active campaigns as recent as the past seven days wherein the adversary has leveraged the popular site for accessing scientific research and journals 'www.scienceopen[.]com,' redirecting the victims to a fake phishing page. He added that new subdomains observed across campaigns are '0nline, 'l1ve,' '0ffice,' 'rfp,' and 'rfq,' apart from the older subdomains which are still seen, such as 'lmo.'
The rise in EvilProxy and similar phishing kits illustrates the need for network defenders to use phishing-resistant MFA such as FIDO-based physical security keys as well as cloud security tools that detect initial account compromise and post-compromise activities, according to Proofpoint and Menlo.
Additionally, user awareness and ongoing employee training are always important to protect against phishing and other threats. ®