Phish in a Barrel: Detecting Caffeine Activity
While an extensive, comprehensive analysis of every utility and component within the Caffeine platform is well beyond the scope of this blog post, several key components of its operation can be used to generate a solid set of high efficacy threat detections when used in concert with one another.
Detecting Caffeine on the Endpoint
This rule set is intended to serve as a starting point for hunting efforts to identify phishing infrastructure and activity; however, the rules may need adjustment over time as the threat evolves. To leverage these detections effectively, run the associated YARA rules against copies of deployed web site files.
| Rule | Filename | MD5 | Detection Notes |
|---|---|---|---|
| M_Hunting_PHP_Caffeine_Toolmarks_1 | index.php | ce9a17f9aec9bd2d9eca70f82e5e048b | Though the Caffeine platform has many pages named “index.php” across its various components, this particular “index.php” is the central one that is served up by default when accessing a deployed kit. The strings within the matching detection are toolmarks from the output of Caffeine obfuscation tooling. |
| M_Hunting_PHP_Caffeine_Obfuscation_1 | index.php | ce9a17f9aec9bd2d9eca70f82e5e048b | This detection casts a wider phishing net than the previous rule, looking for PHP files that have a “Caffeine-style” obfuscation mechanism but may not necessarily be Caffeine-specific. Mandiant has uncovered some evidence to suggest the obfuscation mechanism used by Caffeine may be in use by other PhaaS vendors as well. |
| M_Hunting_JSON_Caffeine_Config_1 | config.json | 684b524cef81a9ef802ed3422700ab69 | This is the main configuration file used by deployed Caffeine phishing kits. The strings within the matching detection are configuration artifacts Caffeine leverages by default. |
| M_Hunting_JS_Caffeine_Redirect_1 | file.htm | 60cae932b80378110d74fe447fa518d6 | This is a typical Caffeine redirect page. The strings within the matching detection are configuration artifacts Caffeine leverages by default. |
| M_Hunting_ICO_Caffeine_Favicon_1 | favicon.ico | 12e3dac858061d088023b2bd48e2fa96 | This rule detects the version of the legitimate Microsoft logo favicon included within Caffeine’s kits by default. It may detect some legitimate versions of the favicon, too, but a Microsoft favicon found alongside rogue PHP, HTA, or JavaScript files should be investigated closely for the presence of malicious activity. |
Table 1: Caffeine platform sample information and corresponding YARA rules details
Detecting Caffeine on the Wire
The following domains are core components of Caffeine’s architecture for deployed phishing kits. To leverage these detections effectively, look for anomalous network traffic to a cluster of these domains within web logs or in network traffic within the timeframe of several minutes.
| Domain/URL | IP Address Resolution | Contextual Notes |
|---|---|---|
| caffeinefiles[.]click | 104.21.6[.]210 | An active hosting location for Caffeine platform files. Currently behind Cloudflare. |
| caffeines[.]space | 185.163.46[.]131 | An inactive hosting location for Caffeine platform files. |
| caffeines[.]store | 104.26.7[.]11 | The main Caffeine store domain. Currently behind Cloudflare. |
| ip-api[.]io | 192.99.71[.]107 | This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value. |
| telegram[.]org | 149.154.167[.]99 | A legitimate encrypted messaging service used heavily by Caffeine. |
Table 2: Domains leveraged by various components of Caffeine’s architecture
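To make the "cluster of these domains within several minutes" guidance concrete, here is an added example (not code from the original post) that runs a sliding-window check over constructed proxy log lines. The four-field log layout, the five-minute window and the two-domain threshold are assumptions to adjust to your own logging.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Core Caffeine infrastructure domains from Table 2 (defanging brackets removed).
CAFFEINE_DOMAINS = ("caffeinefiles.click", "caffeines.space", "caffeines.store",
                    "ip-api.io", "telegram.org")
# Assumed proxy log layout, constructed for this example:
# <ISO-8601 timestamp> <client IP> <destination host> <request path>
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+\S+$")

def caffeine_domain(host):
    """Map a host (subdomains included) to the matching Table 2 domain, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in CAFFEINE_DOMAINS if host == d or host.endswith("." + d)), None)

def find_clusters(lines, window_minutes=5, min_domains=2):
    """{client: {domains}} for clients reaching >= min_domains distinct Caffeine domains in a window."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the hunt
        ts, client, host = m.groups()
        d = caffeine_domain(host)
        if d:
            per_client[client].append((datetime.fromisoformat(ts), d))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            seen = {d for _, d in events[start:end + 1]}
            if len(seen) >= min_domains:
                hits.setdefault(client, set()).update(seen)
    return hits

# Constructed sample log: 10.0.0.5 shows the cluster, 10.0.0.9 is spread over 90 minutes,
# 10.0.0.7 touches only one Caffeine domain.
SAMPLE_LOG = """\
2022-09-22T12:00:01 10.0.0.5 ip-api.io /
2022-09-22T12:00:03 10.0.0.5 api.telegram.org /
2022-09-22T12:00:00 10.0.0.9 telegram.org /
2022-09-22T13:30:00 10.0.0.9 caffeinefiles.click /
2022-09-22T12:05:00 10.0.0.7 ip-api.io /
2022-09-22T12:06:00 10.0.0.7 www.microsoft.com /
not a log line
"""
```

Widening the window (for example to 120 minutes) is the knob that trades noise for coverage; the same client set is evaluated either way.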
Conclusion
While the detections listed in this post can certainly assist in detecting the presence of malicious activity, it is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse. As quickly as threat actor infrastructure gets taken down, new infrastructure can be spun up. To that end, in addition to leveraging the detections provided in this post, there are a few ways organizations can reduce the impact of phishing attacks and compromised domains at a strategic level. These include:
- Periodically evaluating any public-facing web infrastructure and files against known-good versions of the content.
- Utilizing behavioral analytics for web logs analysis to include initial URL structure, form submission and redirections.
- Occasionally re-assessing security policies regarding passwords and credential resets.
- Implementing two-factor authentication on, at a minimum, any user account used to access an enterprise environment from an external source.
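As an added illustration of the first recommendation (not code from the original post), the following compares a deployed web root against a known-good hash manifest and flags added or modified script files, which is where a dropped kit's index.php or redirect page would surface. The directory layout and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions that warrant a close look when they appear unexpectedly next to a
# Microsoft favicon (see the favicon rule notes in Table 1).
SCRIPT_EXTS = {".php", ".hta", ".js", ".htm", ".html"}

def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = digest
    return manifest

def compare(known_good, deployed):
    """Diff two manifests into added / removed / modified / suspicious paths."""
    added = sorted(set(deployed) - set(known_good))
    removed = sorted(set(known_good) - set(deployed))
    modified = sorted(p for p in set(known_good) & set(deployed) if known_good[p] != deployed[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_EXTS]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}

def demo():
    """Constructed scenario: snapshot a clean site, then plant a rogue index.php and
    tamper with an existing redirect page, as a dropped kit would."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.html").write_text("<html>clean</html>")
        (site / "assets").mkdir()
        (site / "assets" / "favicon.ico").write_bytes(b"\x00\x00\x01\x00constructed")
        (site / "assets" / "file.htm").write_text("<html>ok</html>")
        baseline = build_manifest(site)  # the known-good snapshot
        (site / "index.php").write_text("<?php /* constructed rogue file */ ?>")
        (site / "assets" / "file.htm").write_text("<script>/* constructed tamper */</script>")
        (site / "index.html").unlink()
        return compare(baseline, build_manifest(site))
```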
Though these strategic elements may seem somewhat self-evident, their importance can hardly be overstated. Traditional phishing techniques continue to be a reliable Initial Intrusion Vector (IIV) for cyberattacks, and, as demonstrated by the Caffeine PhaaS platform, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries.
Acknowledgments
The authors would like to thank Jeremy Kennelly for his threat expertise and investigative guidance, Evan Reese for his assistance in detection review, and The Managed Defense Security Operations Center for their continued vigilance.
Comprehensive Detection List
These YARA rules are not intended to be used for real time monitoring or to inform blocking rules without first being validated through an organization’s own internal testing processes to ensure appropriate performance and limit the risk of false positives.
YARA Rules
```yara
rule M_Hunting_JS_Caffeine_Redirect_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "60cae932b80378110d74fe447fa518d6"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide."
    strings:
        $cf1 = "Don't Play Here Kid" ascii wide
        $cf2 = "mrxc0der" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Toolmarks_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide."
    strings:
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Obfuscation_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for obfuscated PHP scripts."
    strings:
        $f1 = { 3C 3F 70 68 70 }
        $a1 = "__FILE__));" ascii wide
        $a2 = "=NULL;@eval" ascii wide
        $a3 = "))));unset" ascii wide
    condition:
        uint16(0) == 0x3F3C and
        all of them
}

rule M_Hunting_JSON_Caffeine_Config_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "684b524cef81a9ef802ed3422700ab69"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for default Caffeine configuration syntax. Intentionally wide."
    strings:
        $cf1 = "token" ascii wide
        $cf2 = "ip-api.io" ascii wide
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide
        $cf4 = "send_to_telegram" ascii wide
        $cf5 = "telegram_user_id" ascii wide
    condition:
        all of them
}

rule M_Hunting_ICO_Caffeine_Favicon_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "12e3dac858061d088023b2bd48e2fa96"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED."
    strings:
        $a1 = { 01 00 06 00 80 }
        $a2 = "fffffff" ascii wide
        $a3 = "3333333" ascii wide
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide
        $a5 = "UUUPDDD@" ascii wide
    condition:
        uint16(1) == 0x0100 and
        all of them
}
```
Domains/URLs
| Domain/URL | IP Address Resolution | Contextual Notes |
|---|---|---|
| eduardorodiguez9584[.]ongraphy[.]com | 134.209.156[.]27 | Phishing campaign redirect site. |
| oculisticaspizzirri[.]it/fill/ | 136.243.82[.]137 | Misconfigured second-stage credential harvesting URL. |
| caffeinefiles[.]click | 104.21.6[.]210 | An active hosting location for Caffeine platform files. Currently behind Cloudflare. |
| caffeines[.]space | 185.163.46[.]131 | An inactive hosting location for Caffeine platform files. |
| caffeines[.]store | 104.26.7[.]11 | The main Caffeine store platform URL. Currently behind Cloudflare. |
| ip-api[.]io | 192.99.71[.]107 | This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value. |
| telegram[.]org | 149.154.167[.]99 | A legitimate encrypted messaging service used heavily by Caffeine. |
Table 3: Comprehensive domain list for Caffeine-associated activity in this blog post
Source: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform