HTML Smuggling: A New Phishing Method

admin, 29 May 2024 16:36:28

Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users' credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail.

The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens," Netskope researcher Jan Michael Alcantara said in a report.

A majority of phishing campaigns hosted on Cloudflare Workers over the past 30 days have targeted victims in Asia, North America, and Southern Europe, spanning technology, financial services, and banking sectors.

The cybersecurity firm said that an increase in traffic to Cloudflare Workers-hosted phishing pages was first registered in Q2 2023, noting it observed a spike in the total number of distinct domains, jumping from a little over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024.

The phishing campaigns make use of a technique called HTML smuggling, which involves using malicious JavaScript to assemble the malicious payload on the client side to evade security protections. It also serves to highlight the sophisticated strategies threat actors are using to deploy and execute attacks on targeted systems.

What's different in this case is that the malicious payload is a phishing page, which is reconstructed and displayed to the user in the web browser.
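A defender-side check for the technique the two paragraphs above describe, added here as an example (it is not code from the article, Netskope or the toolkit it mentions). It scans an HTML attachment for the co-occurrence of the client-side assembly steps (base64 decode, Blob construction, object URL, forced download or iframe srcdoc) rather than any single one, since a lone atob() is common in benign pages; the fixtures are constructed and the blob decodes to filler text.

```python
import re
from html.parser import HTMLParser

# Indicators of client-side payload assembly, the pattern described above:
# decode an embedded base64 blob, wrap it in a Blob, and hand it to the browser.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_assembly": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob"),
    "iframe_srcdoc": re.compile(r"srcdoc\s*=", re.I),
    "large_b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

class _Collector(HTMLParser):
    """Collect inline <script> bodies and <iframe> attributes; skip visible text."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            self.chunks.append(" ".join(f"{k}={v}" for k, v in attrs if v))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def smuggling_indicators(html: str) -> dict:
    """Return {indicator: hit_count} over script bodies and iframe attributes."""
    c = _Collector()
    c.feed(html)
    text = "\n".join(c.chunks)
    return {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}

def is_suspicious(html: str, min_distinct: int = 3) -> bool:
    """Flag only when several distinct indicators co-occur; a lone atob() is
    common in benign pages, the full decode-assemble-deliver chain is not."""
    return sum(1 for n in smuggling_indicators(html).values() if n) >= min_distinct

# Constructed fixtures (not real phishing samples): the blob decodes to filler.
BENIGN_SAMPLE = "<html><body><script>document.title = 'Inbox';</script></body></html>"
_B64 = "QUJD" * 60
SMUGGLING_SAMPLE = (
    "<html><body><script>\n"
    f"var raw = atob('{_B64}');\n"
    "var blob = new Blob([raw], {type: 'text/html'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob); a.download = 'invoice.html'; a.click();\n"
    "</script></body></html>"
)
```

Obfuscated samples split these identifiers across string concatenations, so treat a hit as a triage signal for detonation in a sandbox rather than a verdict.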

The phishing page, for its part, urges the victim to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. Should they follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes.

"The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Michael Alcantara said. "Once the victim accesses the attacker's login page, the attacker collects its web request metadata."

"Once the victim enters their credentials, they will be logged in to the legitimate website, and the attacker will collect the tokens and cookies in the response. Furthermore, the attacker will also have visibility into any additional activity the victim performs after login."

HTML smuggling as a payload delivery mechanism is being increasingly favored by threat actors who wish to bypass modern defenses, making it possible to serve fraudulent HTML pages and other malware without raising any red flags.

In one instance highlighted by Huntress Labs, the fake HTML file is used to inject an iframe of the legitimate Microsoft authentication portal that's retrieved from an actor-controlled domain.

"This has the hallmarks of an MFA-bypass adversary-in-the-middle transparent proxy phishing attack, but uses an HTML smuggling payload with an injected iframe instead of a simple link," security researcher Matt Kiely said.

Another campaign that has attracted attention involves invoice-themed phishing emails containing HTML attachments that masquerade as PDF viewer login pages to steal users' email account credentials, before redirecting them to a URL hosting the so-called "proof of payment."

In recent years, email-based phishing attacks have taken various forms, including leveraging phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and circumvent MFA using the AitM technique, with attackers incorporating QR codes within PDF files and utilizing CAPTCHA checks before redirecting victims to the bogus login page.

Financial services, manufacturing, energy/utilities, retail, and consulting entities located in the U.S., Canada, Germany, South Korea, and Norway have emerged as the top sectors targeted by the Greatness PhaaS.

"These services offer advanced capabilities that appeal to attackers by saving them time on development and evasion tactics," Trellix researchers Daksh Kapur, Vihar Shah, and Pooja Khyadgi said in an analysis published last week.

The development comes as threat actors are constantly finding new ways to outsmart security systems and propagate malware by resorting to generative artificial intelligence (GenAI) to craft effective phishing emails and delivering compressed file attachments containing overly large malware payloads (more than 100 MB in size) in hopes of evading analysis.

"Scanning larger files takes more time and resources, which can slow down the overall system performance during the scan process," the cybersecurity firm said. "To minimize heavy memory footprint, some antivirus engines may set size limits for scanning, leading to oversized files being skipped."

The file inflation method has been observed as an attack ploy to deliver additional malware, such as Agent Tesla, AsyncRAT, Quasar RAT, and Remcos RAT, it added.
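A cheap counter-check for the file-inflation ploy described above, added here as an example (not Trellix's code). An engine that skips oversized files can still read the ZIP central directory, where each member's declared size and compressed size sit side by side; a member that declares well over the scan limit yet compresses to almost nothing is the padded-binary signature. The archive is a constructed fixture and nothing is extracted, so the check is safe against decompression bombs as well.

```python
import io
import zipfile

def inflated_members(zip_bytes: bytes, min_size: int = 100 * 1024 * 1024,
                     max_ratio: float = 0.01) -> list:
    """Inspect only the central directory (nothing is extracted) and return
    (name, uncompressed, compressed) for members that are both huge and
    compress almost to nothing: a small binary padded with filler bytes."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size >= min_size and info.compress_size < info.file_size * max_ratio:
                flagged.append((info.filename, info.file_size, info.compress_size))
    return flagged

def build_sample(pad_bytes: int) -> bytes:
    """Constructed fixture: a two-byte stub followed by pad_bytes of zeros,
    next to a small text file that should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * pad_bytes)
        zf.writestr("readme.txt", b"constructed sample, no real content\n")
    return buf.getvalue()

if __name__ == "__main__":
    # 2 MiB here keeps the demo fast; the threshold is lowered to match.
    for name, size, comp in inflated_members(build_sample(2 * 1024 * 1024), min_size=1 << 20):
        print(f"{name}: {size} bytes declared, {comp} bytes on the wire")
```

The declared sizes are attacker-controlled, so use the result to route the attachment to a scanner without a size cap rather than to clear it.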

What's more, the adversarial use of GenAI for exploit development and deepfake generation by various threat actors underscores the need for robust security measures, ethical guidelines, and oversight mechanisms.

The use of innovative approaches to bypass traditional detection mechanisms has also extended to campaigns like TrkCdn, SpamTracker, and SecShow that are leveraging Domain Name System (DNS) tunneling to monitor when their targets open phishing emails and click on malicious links, track spam delivery, as well as to scan victim networks for potential vulnerabilities.

"The DNS tunneling technique used in the TrkCdn campaign is meant to track a victim's interaction with its email content," Palo Alto Networks Unit 42 said in a report published earlier this month, adding the attackers embed content in the email that, when opened, performs a DNS query to attacker-controlled subdomains.

"[SpamTracker] employs emails and website links to deliver spam and phishing content. The intent of the campaign is to lure victims to click on the links behind which threat actors have concealed their payload in the subdomains."
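Detection logic for the tracking pattern Unit 42 describes above, added here as an example (not Unit 42's code). When mail content triggers a DNS lookup of a per-recipient subdomain, a resolver log shows one tracking domain receiving many distinct, high-entropy leftmost labels from many different clients; the function groups queries by registered domain and reports those. The log lines and the cdn-track.example domain are constructed, and the eTLD+1 split is a naive last-two-labels assumption.

```python
import math
from collections import defaultdict

# Constructed resolver log, "<timestamp> <client_ip> <qname>"; cdn-track.example
# stands in for an attacker-controlled tracking domain (no real indicator).
SAMPLE_LOG = """\
2024-05-29T09:00:01 10.0.0.5 www.example.com
2024-05-29T09:00:02 10.0.0.5 4f9a1c77e2b3.mail.cdn-track.example
2024-05-29T09:00:03 10.0.0.6 mail.google.com
2024-05-29T09:00:04 10.0.0.7 b81d0e4a9c2f.mail.cdn-track.example
2024-05-29T09:00:05 10.0.0.8 c3e7f2a1d5b6.mail.cdn-track.example
2024-05-29T09:00:06 10.0.0.9 d2a5b9c1e8f4.mail.cdn-track.example
2024-05-29T09:00:07 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded identifiers score high, words score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); assumption: no public-suffix list offline."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tracking_candidates(log: str, min_unique: int = 3, min_entropy: float = 3.0) -> dict:
    """Group queries by registered domain and report those whose leftmost label
    is a high-entropy token that differs per client: one encoded identifier per
    recipient is how a tracking domain learns who opened the mail."""
    seen = defaultdict(lambda: {"labels": set(), "clients": set()})
    for line in log.splitlines():
        _ts, client, qname = line.split()
        labels = qname.split(".")
        if len(labels) < 3 or shannon_entropy(labels[0]) < min_entropy:
            continue
        entry = seen[registered_domain(qname)]
        entry["labels"].add(labels[0])
        entry["clients"].add(client)
    return {dom: {"unique_labels": len(v["labels"]), "clients": len(v["clients"])}
            for dom, v in seen.items() if len(v["labels"]) >= min_unique}
```

Legitimate CDNs and telemetry services also use opaque hostnames, so run this against an allowlist of known domains and pivot on the sending mail campaign before acting.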

The findings also come amid a surge in malvertising campaigns that take advantage of malicious ads for popular software on search engine results to trick users into installing information stealers and remote access trojans such as SectopRAT (aka ArechClient).

On top of that, bad actors have been observed setting up counterfeit pages mimicking financial institutions like Barclays that deliver legitimate remote desktop software like AnyDesk under the guise of offering live chat support, granting them remote access to the systems in the process.

"It is more important than ever to be extremely cautious when it comes to sponsored results," Malwarebytes' Jerome Segura said. "Oftentimes, there is no easy way to determine whether an ad is legitimate or not. Criminals are able to create malicious installers that can evade detection and lead to compromise via a series of steps."


References

[1]https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html


Originally published on the WeChat public account 知机安全: HTML Smuggling: A New Phishing Method

Reproduction should retain the link to this article (CN-SEC Chinese Net, with thanks to the original author): HTML Smuggling: A New Phishing Method, https://cn-sec.com/archives/2788120.html