Introduction
This report provides a detailed breakdown of a sophisticated social engineering attack that began with a deceptive email targeted at our CEO. The initial lure, disguised as a legitimate email, piqued our interest and prompted an in-depth investigation into the attack flow and techniques used. This document is organized to guide you through each phase of the attack, from the initial email lure and landing page specifics to the technical de-obfuscation efforts, proof of malicious intent, and identification of key threat vectors.
Our analysis also covers the attack methods utilized by the adversaries, including the SSRF (Server-Side Request Forgery) decloak technique and the "Decloak Method," each carefully employed to exploit potential security gaps. Additionally, we outline the connections to external entities, such as IAB (initial access broker) references, and dive into the technical aspects that illustrate how the attack chain was structured to achieve its malicious objectives.
Through this examination, we aim to provide a comprehensive view of the tactics, techniques, and procedures (TTPs) leveraged by the attackers, as well as actionable insights to enhance our defense against similar threats in the future.
Initial Lure to CEO
De-obfuscation of Lure
At first glance, the email appeared to be a standard interaction, but a closer inspection of the source code revealed malicious, obfuscated JavaScript designed to initiate multiple redirects. For the sake of brevity and to protect potential victims, certain details have been redacted. However, researchers who need further information, such as IP addresses or a PCAP trace to a TRaViS ASM-owned asset, may request this data for investigative or legal purposes.
Currently, the attack is being hosted behind Cloudflare, so we anticipate that this method may be abandoned shortly after the release of this blog. Should the perpetrators become aware, it’s likely they will attempt to dismantle their setup. We are publishing this on a Friday evening, mirroring the timing they often employ for their own activities.
Landing Page Email Specifications
If the recipient’s email address did not match a specific target, the link would redirect them to a generic Microsoft login page, giving the appearance of a standard login request.
However, we discovered that the phishing link was designed to detect our CEO’s exact email address. When his email was identified, the link activated a more tailored phishing page intended to further the attack.
This setup confirmed that the attack was carefully crafted to target the CEO specifically, with a unique lure that would only fully deploy if his email address was detected.
Attack Chain Breakdown
Attack Flow Breakdown
Initial Redirect (TikTok Link)
- The attack starts with a URL that looks like a TikTok link:
  https://www.tiktok.com/link/v2?aid=1988&lang=pl-PL&scene=bio_url&target=...
- This URL contains a target= parameter that redirects to another URL in the chain. TikTok uses this format to track link clicks, so it initially seems safe.
Google URL Wrapper
- The target= parameter in the TikTok link is set to a https://www.google.ru/url?q= URL.
- Google often uses this kind of URL wrapper to track outbound links, which attackers exploit to make malicious links seem safer.
- The parameter q= in the Google link holds the encoded next URL in the chain, adding a layer of redirection.
- For example:
  https://www.google.ru/url?q=exampleMaliciousLink&...
- This approach hides the final malicious domain from the user and may reduce suspicion.
Embedded Malicious Domain
- Once users pass through the Google URL wrapper, they’re redirected to the next stop:
  amp/s/example-malicious-site.com/dev/
- In this case, example-malicious-site.com could be a compromised site or an attacker-controlled domain hosting malicious content.
- This page typically presents a lure, like a login prompt, download button, or enticing content designed to capture user data.
Base64-Encoded Email (User-Specific Identifier)
- After the domain path, we see a Base64-encoded string in the URL’s fragment identifier, such as #YWRtaW5AZXhhbXBsZS5jb20=.
- This Base64 string translates to an email address, say admin@example.com. Base64 encoding hides the email in the URL, making it look like random characters instead of a specific address.
- Decoding the Base64 reveals the email, allowing the attacker to personalize the page to make the content look tailored to the recipient. This step aims to increase the likelihood of user engagement.
Encoding and Redirection Explained
- TikTok and Google URLs: Each URL acts as a layer of redirection, disguising the true destination. Because TikTok and Google links are widely recognized and trusted, this technique can effectively bypass user suspicion.
- Base64 Encoding: The email is encoded in Base64 to obscure it. Decoding the Base64 portion reveals the email, which could make the final malicious page appear more legitimate and personal. Attackers use Base64 encoding to avoid showing a visible email in the URL, making the link harder to detect as suspicious.
Full Redirection Sequence
- User clicks the TikTok link: The TikTok domain appears safe at first glance.
- Redirect to Google’s URL wrapper: The link flows through Google, another familiar domain, further masking the malicious intent.
- Landing on the final malicious site: The Google redirect points to example-malicious-site.com, which hosts the actual phishing or malicious content.
- Email personalization: The final page uses the decoded Base64 email to customize the content, making it appear relevant to the recipient. This increases the likelihood of the user engaging with the attack, which, oddly enough, appeared to be a black-hat PPC network serving user-specific ads.
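An analyst who receives a link like this should not need to click it to know where it goes or whom it is keyed to. The following Python script is an added example (not code from the original post or from TRaViS ASM) that unwraps the chain described above purely by parsing: it pulls the wrapped URL out of the target= and q= parameters, converts an AMP-cache style /amp/s/ path back into the real destination, and decodes the Base64 fragment that the final page uses to personalise itself, which is also the value the lure compares against its intended recipient. The wrapper-parameter table is an assumption covering only the redirectors in this chain, and the sample URL is constructed to mirror the text rather than being a real lure.

```python
"""Offline unwrapper for layered redirect URLs (added example; not the
blog's or TRaViS ASM's code). It never contacts any of the hosts: it only
parses the wrapper parameters that the text describes and decodes the
Base64 fragment the final page uses to personalise itself."""
import base64
import binascii
from urllib.parse import parse_qs, quote, urlparse

# Query parameters that carry the outbound URL on the redirectors seen in
# this chain. Assumption: illustrative, not an exhaustive list of wrappers.
WRAPPER_PARAMS = {
    "www.tiktok.com": ("target",),
    "tiktok.com": ("target",),
    "www.google.ru": ("q", "url"),
    "google.ru": ("q", "url"),
    "www.google.com": ("q", "url"),
    "google.com": ("q", "url"),
}


def next_hop(url):
    """Return the URL wrapped inside `url`, or None if it is not a known wrapper."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    query = parse_qs(parsed.query)          # parse_qs already percent-decodes values
    for name in WRAPPER_PARAMS.get(host, ()):
        if query.get(name):
            return query[name][0]
    # AMP-cache style path: /amp/s/<real-host>/<path> names the true destination.
    if host in WRAPPER_PARAMS and parsed.path.startswith("/amp/s/"):
        rest = parsed.path[len("/amp/s/"):]
        fragment = "#" + parsed.fragment if parsed.fragment else ""
        return "https://" + rest + fragment
    return None


def unwrap_chain(url, max_hops=10):
    """Follow wrapper parameters purely by parsing; outermost URL first.

    Stops at the first non-wrapper URL, on a repeated URL (loop) or after
    `max_hops`, so a crafted link cannot make the triage tool spin."""
    hops = [url]
    for _ in range(max_hops):
        nxt = next_hop(hops[-1])
        if nxt is None or nxt in hops:
            break
        hops.append(nxt)
    return hops


def fragment_email(url):
    """Decode a Base64 fragment; return the email it holds, else None.

    Missing '=' padding is tolerated because some kits strip it."""
    fragment = urlparse(url).fragment
    if not fragment:
        return None
    padded = fragment + "=" * (-len(fragment) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if "@" in text and " " not in text else None


def triage(url):
    """Summarise a suspicious link: every hop, the final host, the target email."""
    hops = unwrap_chain(url)
    return {
        "hops": hops,
        "final_host": urlparse(hops[-1]).netloc,
        "target_email": fragment_email(hops[-1]),
    }


# Constructed sample mirroring the chain in the text (not a real lure).
FINAL_URL = "https://example-malicious-site.com/dev/#YWRtaW5AZXhhbXBsZS5jb20="
AMP_URL = "https://www.google.ru/amp/s/example-malicious-site.com/dev/#YWRtaW5AZXhhbXBsZS5jb20="
GOOGLE_URL = "https://www.google.ru/url?q=" + quote(AMP_URL, safe="")
SAMPLE_URL = ("https://www.tiktok.com/link/v2?aid=1988&lang=pl-PL&scene=bio_url&target="
              + quote(GOOGLE_URL, safe=""))

if __name__ == "__main__":
    for hop in unwrap_chain(SAMPLE_URL):
        print(hop)
    print(triage(SAMPLE_URL)["target_email"])
```

Because the script never issues a request, it can be run on links straight out of a mail queue or proxy log; the decoded fragment email tells you immediately which recipient the lure was built for, and the final host is what you feed to blocklists.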
Proof of Malicious Act
The Google dork query "intext:At bagon.to you can Buy webshells, phpmailer, Combo list" is used to search for instances of specific text embedded in various websites. This particular query shows how an attacker has inserted phrases like "At bagon.to you can Buy webshells, phpmailer, Combo list" into the content of unrelated or compromised sites. By doing so, they’re leveraging "black hat SEO" tactics to improve search visibility for these illicit services, effectively advertising them to other cybercriminals.
The results indicate a level of website defacement, where legitimate sites are covertly altered to include links or references to these malicious services. The sites listed in the search results likely have hidden or embedded content that’s not visible on the main pages but can be indexed by search engines. This manipulation makes it easier for others looking for illegal services to find these advertisements through simple Google searches, rather than relying on dark web marketplaces.
This approach also shows how criminals use standard search engines to promote their offerings by hiding within the content of legitimate websites, making it challenging to detect and shut down. The image provided offers a snapshot of the search results, highlighting the scope of this activity across various websites and the degree of infiltration achieved by these tactics.
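A site owner who suspects this kind of injection can check their own pages the same way a search engine sees them: scan the HTML for the indicator phrase and for text that is present in the markup but hidden from visitors with CSS. The scanner below is an added example, not code from the post; the phrase list and the CSS hiding patterns are illustrative assumptions, and the sample page is constructed.

```python
"""Scan HTML for injected black-hat SEO text that visitors never see.

Added example, not from the blog. The phrase list and the CSS hiding
patterns are illustrative; the sample page is constructed."""
import re
from html.parser import HTMLParser

# Indicator strings; the first is the phrase quoted in the dork above.
INDICATOR_PHRASES = (
    "at bagon.to you can buy webshells",
    "buy webshells",
    "combo list",
)

# CSS that keeps text out of sight while search engines still index it.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)


class SeoSpamScanner(HTMLParser):
    """Tracks whether the current text node sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self._stack = []       # (tag, hidden) for each open element
        self.findings = []     # one dict per indicator hit
        self.hidden_text = []  # every non-empty hidden text chunk, for review

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden = (bool(HIDDEN_STYLE.search(style))
                  or "hidden" in attrs            # HTML5 boolean attribute
                  or tag in ("script", "style", "noscript", "template"))
        parent_hidden = self._stack[-1][1] if self._stack else False
        self._stack.append((tag, hidden or parent_hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text:
            return
        tag, hidden = self._stack[-1] if self._stack else (None, False)
        if hidden:
            self.hidden_text.append(text)
        lowered = text.lower()
        phrase = next((p for p in INDICATOR_PHRASES if p in lowered), None)
        if phrase:
            self.findings.append({"phrase": phrase, "hidden": hidden,
                                  "element": tag, "text": text[:120]})


def scan_html(html):
    """Return indicator hits found in `html`, each flagged hidden or visible."""
    scanner = SeoSpamScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign page with two injected, hidden spam blocks.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to our bakery</h1>
<p>Fresh bread every morning.</p>
<div style="position:absolute; left:-9999px">
  At bagon.to you can Buy webshells, phpmailer, Combo list
  <a href="https://example.invalid/shop">cheap shells</a>
</div>
<p style="display:none">Combo list sale</p>
<footer>Contact us</footer>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit)
```

Running it over a crawl of your own site surfaces exactly the content the dork finds, and the hidden flag separates a real injection from a legitimate page that merely mentions the phrase. Injections that are only added when the visitor's User-Agent is a search-engine crawler will not show up unless you fetch the pages with that User-Agent as well.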
IAB Bagon.is
Initial access broker
Initial access brokers are cyber threat actors who specialize in gaining unauthorized access to computer networks and systems and then selling that access to other threat actors, such as ransomware operators. IABs are part of the ransomware-as-a-service economy, also called "cybercrime as a service."
While working on this article, it seems that either someone noticed our monitoring, or the attackers themselves realized they were being observed and took down their infrastructure. Fortunately, we have already documented their IP addresses, so we can continue investigating despite this setback.
Decloak Method
POST /wegotdecloaked/ HTTP/2
Host: bagon.is
Cookie: PHPSESSID=nrg3ji1858bur1gbcj839vdh4k
Content-Length: 94
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://bagon.is
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://bagon.is/wegotdecloaked/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
host=WABATCPDUMPBOX&port=25&email=werenotbright@bagon.is&password=wereskids&to=administrator@localhost&number=20
To test our theory, we decided to turn one of the attackers’ own tools against them. Using Tcpdump on one of our research machines (thank you to Contabo for the excellent infrastructure), we began investigating potential vulnerabilities. When we observed the possibility of using this tool as an SSRF (Server-Side Request Forgery), we were able to probe for local open ports, which provided some interesting insights. However, as expected, the domains were cloaked behind Cloudflare, making it challenging to capture any direct information.
In response, we fed the attackers’ domains into TRaViS ASM, which helped us gather enough details to deduce the structure of the site. The setup appeared to be a combination of PHP and WordPress, covering both the blog and the credential store. Using a basic directory brute-force module, we were able to “decloak” parts of the environment, revealing key information about the attackers' infrastructure.
I'm pleased to have contributed to this work, which may have disrupted some of these malicious operations if our findings are correct.
SSRF Decloak
In the lower portion of the image, we see the Bagon.is storefront, which showcases an array of illicit services, such as cPanels, shells, SMTP services, mailers, RDPs, and various accounts and tools. The promotional design, claiming "100% Satisfaction Guaranteed" and "Best & Most Secure Underground Market," gives insight into how these malicious services are marketed to potential buyers. This reinforces the sophistication and scale of the infrastructure behind this operation, positioning itself as a trusted source within the underground marketplace.
As we proceeded with our SSRF tests, we used the technique to probe their environment and successfully revealed the SSH banner, among other details. While some of our connection attempts were blocked—likely due to internal security settings—these responses provided valuable insights. The error messages, combined with the revealed SSH banner, helped us better understand the network setup and verify the presence of specific defenses.
Using TRaViS ASM, we managed to gather additional details about the environment supporting these services, despite their attempts at cloaking. Our efforts to penetrate and analyze this infrastructure brought several critical elements of the operation into view, helping us reveal the scale and reach of these illicit services.
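The form body in the Decloak Method section (host=..., port=...) is exactly the input that turns a "test my mail server" feature into a probe of the server's own network, which is what the SSRF decloak above relied on. The Python check below is an added example, not code from the blog or from the tool it describes, showing how such an endpoint should vet a destination before connecting: it resolves the host, rejects loopback, private, link-local and IPv4-mapped answers, restricts the port to SMTP ports, and returns the vetted IP so the caller connects to that address instead of re-resolving the name. The allowed port set and the lookup table standing in for DNS are assumptions made so the example runs offline.

```python
"""Destination check for a user-supplied SMTP host/port (added example; not
from the blog or the tool it describes). Guards a "test my mail server"
form against being pointed at loopback or internal addresses."""
import ipaddress
import socket
from urllib.parse import parse_qs

ALLOWED_PORTS = {25, 465, 587, 2525}   # assumption: ports the feature legitimately needs


def system_resolve(host):
    """Resolve `host` with the OS resolver; also normalises odd literals like 0x7f.1."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(addr):
    """True for addresses the server must never contact on a user's behalf."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                   # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vet_smtp_target(host, port, resolve=system_resolve):
    """Return (ok, reason, ip). On success, connect to `ip`, not to `host`:
    re-resolving later would let a DNS rebinding answer bypass this check."""
    try:
        port = int(port)
    except (TypeError, ValueError):
        return False, "port is not an integer", None
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    host = (host or "").strip().strip("[]").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname", None
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:                             # socket.gaierror is an OSError
            return False, "hostname does not resolve", None
    if not addrs:
        return False, "hostname does not resolve", None
    # Every answer must be external; a mixed answer set is a rebinding signal.
    for addr in addrs:
        if is_internal(addr):
            return False, f"resolves to internal address {addr}", None
    return True, "ok", addrs[0]


def vet_form_body(body, resolve=system_resolve):
    """Apply the check to an x-www-form-urlencoded body like the request above."""
    fields = parse_qs(body)
    host = fields.get("host", [""])[0]
    port = fields.get("port", [""])[0]
    return vet_smtp_target(host, port, resolve)


# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {
    "mail.example.org": ["93.184.216.34"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],   # one answer is internal
    "box.internal": ["127.0.0.1"],
}


def demo_resolve(host):
    """Stand-in for system_resolve that only knows the constructed table."""
    if host not in DEMO_DNS:
        raise OSError(f"{host}: name not known")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for body in ("host=mail.example.org&port=587&to=admin%40example.org",
                 "host=127.0.0.1&port=25&to=administrator%40localhost",
                 "host=mail.example.org&port=22"):
        print(body, "->", vet_form_body(body, resolve=demo_resolve))
```

The same check, logged rather than enforced, doubles as a detection: a stream of form submissions whose host resolves to loopback or RFC 1918 space, with the port walking through values outside the SMTP set, is the signature of someone using the feature as a port scanner rather than to test a mail server.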
Conclusion
Through our efforts, we managed to reveal the IP address of the server hosting this operation. While we won’t share the IP directly, we’ll leave that as a challenge for the researchers out there. Rest assured, we’ve already reached out to the hosting provider, though our concerns were met with silence.
For those analyzing this further, it’s worth noting that the server may also store sensitive credentials and potentially cryptocurrency assets. We’ve documented insights and findings on similar cyber threats, outlining the techniques used to trace and expose these operations. Our ongoing analysis aims to shed light on these hidden networks and the vulnerabilities that can be leveraged to reveal their infrastructure.