The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform

Phish in a Barrel: Detecting Caffeine Activity

A comprehensive analysis of every utility and component within the Caffeine platform is well beyond the scope of this blog post, but several key components of its operation can be turned into a solid set of high-efficacy threat detections when they are used in concert with one another.

Detecting Caffeine on the Endpoint

This rule set is intended as a starting point for hunting efforts to identify phishing infrastructure and activity; it may need adjustment over time as the threat evolves. To use these detections effectively, run the associated YARA rules against copies of deployed web site files rather than against live hosts.

Rule: M_Hunting_PHP_Caffeine_Toolmarks_1
  Filename: index.php
  MD5: ce9a17f9aec9bd2d9eca70f82e5e048b
  Detection notes: Though the Caffeine platform has many pages named “index.php” across its various components, this particular “index.php” is the central one served by default when a deployed kit is accessed. The strings in the rule are toolmarks left in the output of Caffeine's obfuscation tooling.

Rule: M_Hunting_PHP_Caffeine_Obfuscation_1
  Filename: index.php
  MD5: ce9a17f9aec9bd2d9eca70f82e5e048b
  Detection notes: This detection casts a wider net than the previous rule, looking for PHP files that use a “Caffeine-style” obfuscation mechanism but are not necessarily Caffeine-specific. Mandiant has uncovered some evidence to suggest the obfuscation mechanism used by Caffeine may be in use by other PhaaS vendors as well.

Rule: M_Hunting_JSON_Caffeine_Config_1
  Filename: config.json
  MD5: 684b524cef81a9ef802ed3422700ab69
  Detection notes: This is the main configuration file used by deployed Caffeine phishing kits. The strings in the rule are configuration artifacts Caffeine leverages by default.

Rule: M_Hunting_JS_Caffeine_Redirect_1
  Filename: file.htm
  MD5: 60cae932b80378110d74fe447fa518d6
  Detection notes: This is a typical Caffeine redirect page. The strings in the rule are configuration artifacts Caffeine leverages by default.

Rule: M_Hunting_ICO_Caffeine_Favicon_1
  Filename: favicon.ico
  MD5: 12e3dac858061d088023b2bd48e2fa96
  Detection notes: This rule detects the version of the legitimate Microsoft logo favicon included in Caffeine's kits by default. It may also detect some legitimate copies of the favicon, but a Microsoft favicon found alongside rogue PHP, HTA, or JavaScript files should be investigated closely for the presence of malicious activity.

Table 1: Caffeine platform sample information and corresponding YARA rules details
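The favicon caveat above is the part a hunter actually has to implement: the rule fires on legitimate copies of the icon, so the hit only means something when kit code sits in the same directory. The following added example (not Mandiant's code, and not part of the original post) re-implements the string and header logic of the page's YARA rules in plain Python so that this directory-level correlation can run over a copied web root even where YARA is not installed. It checks only ASCII forms of the strings (the YARA rules also match UTF-16LE via the "wide" modifier), and the sample files under /srv/www are constructed stand-ins carrying the rule strings, not real kit contents.

```python
"""Triage a copied web root for Caffeine kit artifacts.

Added example, not Mandiant's code.  It re-implements the string and header
logic of the YARA rules on this page in plain Python so the correlation step
(is the Microsoft favicon sitting next to rogue PHP/JS?) can run where YARA is
not installed.  Simplification: only ASCII forms of the strings are checked;
the YARA rules also match UTF-16LE through the "wide" modifier.  The sample
files are constructed stand-ins, not real kit contents.
"""
from __future__ import annotations

import posixpath
from collections import defaultdict

# Strings taken from the YARA rules on this page, keyed by rule name.
RULE_STRINGS: dict[str, tuple[bytes, ...]] = {
    "M_Hunting_PHP_Caffeine_Toolmarks_1": (
        b" - WWW.CAFFEINES.STORE", b"CODED By MRxC0DER"),
    "M_Hunting_PHP_Caffeine_Obfuscation_1": (
        b"<?php", b"__FILE__));", b"=NULL;@eval", b"))));unset"),
    "M_Hunting_JSON_Caffeine_Config_1": (
        b"token", b"ip-api.io", b"ff57341d-6fb8-4bdb-a6b9-a49f94cbf239",
        b"send_to_telegram", b"telegram_user_id"),
    "M_Hunting_JS_Caffeine_Redirect_1": (
        b"Don't Play Here Kid", b"mrxc0der"),
    "M_Hunting_ICO_Caffeine_Favicon_1": (
        b"\x01\x00\x06\x00\x80", b"fffffff", b"3333333",
        b"DDDDDDDDDDDUUUUUUUUUUUP", b"UUUPDDD@"),
}
# Rule families whose hits make a favicon hit in the same directory meaningful.
CORROBORATING = ("_PHP_", "_JS_", "_JSON_")


def uint16_le(data: bytes, offset: int) -> int:
    """Equivalent of YARA's uint16(offset): little-endian 16-bit read."""
    return int.from_bytes(data[offset:offset + 2], "little")


def match_rules(data: bytes) -> list[str]:
    """Return the names of the page's rules whose strings and header checks all hold."""
    hits = []
    for name, needles in RULE_STRINGS.items():
        if not all(n in data for n in needles):
            continue
        if name.endswith("Obfuscation_1") and uint16_le(data, 0) != 0x3F3C:  # "<?"
            continue
        if name.endswith("Favicon_1") and uint16_le(data, 1) != 0x0100:  # ICO type 1
            continue
        hits.append(name)
    return hits


def triage(files: dict[str, bytes]) -> dict[str, dict]:
    """Group hits by directory; a favicon hit alone is 'favicon-only', beside kit code it is 'caffeine-kit'."""
    by_dir: dict[str, dict[str, list[str]]] = defaultdict(dict)
    for path, data in files.items():
        hits = match_rules(data)
        if hits:
            by_dir[posixpath.dirname(path)][path] = hits
    report = {}
    for directory, file_hits in by_dir.items():
        names = {h for hs in file_hits.values() for h in hs}
        kit_code = any(fam in n for n in names for fam in CORROBORATING)
        report[directory] = {
            "files": file_hits,
            "verdict": "caffeine-kit" if kit_code else "favicon-only",
        }
    return report


# Constructed stand-ins: an ICO header (reserved 0, type 1, 6 images, 128 px wide)
# followed by the marker strings, and minimal PHP/JSON/HTM carrying the rule strings.
_FAVICON = (b"\x00\x00\x01\x00\x06\x00\x80\x80"
            b"fffffff3333333DDDDDDDDDDDUUUUUUUUUUUPUUUPDDD@")
SAMPLE_FILES = {
    "/srv/www/kit/index.php": (
        b"<?php $d=trim(file_get_contents(__FILE__));$k=NULL;@eval(gzinflate("
        b"base64_decode(strrev($d))));unset($d);?>\n"
        b"// CODED By MRxC0DER - WWW.CAFFEINES.STORE\n"),
    "/srv/www/kit/config.json": (
        b'{"token":"","geo":"ip-api.io","id":"ff57341d-6fb8-4bdb-a6b9-a49f94cbf239",'
        b'"send_to_telegram":"yes","telegram_user_id":""}'),
    "/srv/www/kit/file.htm": b"<script>/* Don't Play Here Kid mrxc0der */</script>",
    "/srv/www/kit/favicon.ico": _FAVICON,
    "/srv/www/corp/favicon.ico": _FAVICON,  # same Microsoft-style icon on a benign site
    "/srv/www/corp/index.php": b"<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for directory, info in triage(SAMPLE_FILES).items():
        print(directory, info["verdict"], sorted(info["files"]))
```

Run against a real copy, replace SAMPLE_FILES with a walk of the copied web root; the verdict for /srv/www/corp shows the favicon rule firing on its own, which is exactly the case the table says to validate rather than escalate.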

Detecting Caffeine on the Wire

The following domains are core components of Caffeine's architecture for deployed phishing kits. To use these indicators effectively, look in web proxy logs or network traffic for a single client reaching several of these domains within a window of a few minutes; two of them are legitimate services, so a lone hit on one of those carries little signal on its own.

Domain/URL: caffeinefiles[.]click
  IP address resolution: 104.21.6[.]210
  Notes: An active hosting location for Caffeine platform files. Currently behind Cloudflare.

Domain/URL: caffeines[.]space
  IP address resolution: 185.163.46[.]131
  Notes: An inactive hosting location for Caffeine platform files.

Domain/URL: caffeines[.]store
  IP address resolution: 104.26.7[.]11
  Notes: The main Caffeine store domain. Currently behind Cloudflare.

Domain/URL: ip-api[.]io
  IP address resolution: 192.99.71[.]107
  Notes: This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value.

Domain/URL: telegram[.]org
  IP address resolution: 149.154.167[.]99
  Notes: A legitimate encrypted messaging service used heavily by Caffeine.

Table 2: Domains leveraged by various components of Caffeine’s architecture
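The clustering logic described above, as an added example that is not part of the original post and not Mandiant's code: it groups proxy hits to the Table 2 domains per client, slides a five-minute window over each client's events, and alerts only when two or more listed domains fall inside one window, rating the cluster "high" when a kit-hosting domain is present and "medium" when only the contextual services (geolocation, Telegram) are. The log line format ('<ISO-8601 UTC> <client_ip> <method> <url>') and the sample lines are constructed; hosts are reduced to their last two labels so api.telegram.org keys to telegram.org, which is a simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Cluster web-proxy hits to Caffeine-associated domains per client within a
short time window.

Added example, not Mandiant's code.  The domain list is the one in Table 2;
the log line format ('<ISO-8601 UTC> <client_ip> <method> <url>') and the
sample lines are constructed.  Hosts are reduced to their last two labels so
api.telegram.org keys to telegram.org; that is a simplification that ignores
multi-label public suffixes such as co.uk.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CORE_DOMAINS = {"caffeinefiles.click", "caffeines.space", "caffeines.store"}
CONTEXT_DOMAINS = {"ip-api.io", "telegram.org"}  # legitimate alone, telling in combination
WATCHLIST = CORE_DOMAINS | CONTEXT_DOMAINS


def parse_line(line: str):
    """Return (time, client, domain) for a well-formed line, else None."""
    try:
        ts, client, _method, url = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    host = (urlsplit(url).hostname or "").lower()
    return when, client, ".".join(host.split(".")[-2:])


def cluster_hits(lines, window: timedelta = timedelta(minutes=5)) -> dict[str, dict]:
    """Flag clients that reach two or more watchlisted domains inside one window.

    Severity is 'high' when a kit-hosting domain is in the cluster and 'medium'
    when only the contextual services (geolocation, Telegram) are.
    """
    by_client: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in WATCHLIST:
            when, client, domain = parsed
            by_client[client].append((when, domain))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        best: set[str] = set()
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            # Prefer the largest cluster; break ties toward one with kit-hosting domains.
            if (len(seen), bool(seen & CORE_DOMAINS)) > (len(best), bool(best & CORE_DOMAINS)):
                best = seen
        if len(best) >= 2:
            alerts[client] = {
                "domains": sorted(best),
                "severity": "high" if best & CORE_DOMAINS else "medium",
            }
    return alerts


SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2022-09-22T14:01:05Z 10.0.0.5 GET https://ip-api.io/json/",
    "2022-09-22T14:01:09Z 10.0.0.5 GET https://caffeinefiles.click/kit/file.htm",
    "2022-09-22T14:02:40Z 10.0.0.5 POST https://api.telegram.org/bot/sendMessage",
    "2022-09-22T14:00:00Z 10.0.0.9 GET https://ip-api.io/json/",
    "2022-09-22T16:30:00Z 10.0.0.9 GET https://telegram.org/",  # hours apart: no cluster
    "2022-09-22T14:10:00Z 10.0.0.11 GET https://ip-api.io/json/",
    "2022-09-22T14:12:00Z 10.0.0.11 GET https://telegram.org/",
    "2022-09-22T14:05:00Z 10.0.0.7 GET https://example.com/",
    "not a log line",
]

if __name__ == "__main__":
    for client, alert in cluster_hits(SAMPLE_LOG).items():
        print(client, alert["severity"], alert["domains"])
```

Client 10.0.0.9 touches two listed domains but hours apart and never alerts, which is the point of the window: the Telegram and geolocation hits are normal enterprise noise unless they arrive together or next to a kit-hosting domain.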

Conclusion

While the detections listed in this post can certainly assist in detecting malicious activity, keep in mind that defending against PhaaS attacks is a game of cat and mouse: as quickly as threat actor infrastructure is taken down, new infrastructure can be spun up. To that end, in addition to leveraging the detections provided in this post, there are a few ways organizations can reduce the impact of phishing attacks and compromised domains at a strategic level. These include:

  • Periodically evaluating any public-facing web infrastructure and files against known-good versions of the content.
  • Applying behavioral analytics to web log analysis, including initial URL structure, form submissions and redirections.
  • Occasionally re-assessing security policies regarding passwords and credential resets.
  • Implementing two-factor authentication on, at a minimum, any user account used to access an enterprise environment from an external source.

Though these strategic elements may seem somewhat self-evident, their importance is hard to overstate. Traditional phishing techniques continue to be a reliable Initial Intrusion Vector (IIV) for cyberattacks, and, as the Caffeine PhaaS platform demonstrates, the tools to conduct full-fledged enterprise-level phishing campaigns are cheap to acquire, simple to use, and readily available to adversaries.
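The first recommendation above, evaluating public-facing files against known-good versions, is the control that catches a dropped kit before any signature exists for it. The following added example (not Mandiant's code, and not part of the original post) builds a SHA-256 manifest of a web root and diffs it against a baseline manifest, reporting added, modified and removed paths; an added index.php under a directory that should never change is what a deployed kit looks like from this angle. The demo tree contents and the fill/ directory name are constructed for illustration.

```python
"""Compare a copy of a public web root against a known-good manifest.

Added example, not Mandiant's code.  The demo file tree and its contents are
constructed; in practice the baseline manifest comes from the release
artifact or a trusted snapshot and is stored off the web host.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: str | os.PathLike) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return added, modified and removed paths.

    Added PHP/HTA/JS files in a tree that should not change, or a modified
    landing page that now pulls in a redirect, are the patterns worth paging on.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def write_tree(root: str | os.PathLike, files: dict[str, bytes]) -> None:
    """Demo helper: write {relative_path: bytes} beneath root."""
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Known-good tree versus a deployed copy with a tampered page and a dropped kit directory."""
    good = {"index.html": b"<h1>Corp</h1>", "assets/app.js": b"console.log(1)"}
    deployed = dict(good)
    deployed["index.html"] = b"<h1>Corp</h1><script src=/fill/file.htm></script>"  # tampered
    deployed["fill/index.php"] = b"<?php // constructed stand-in for a dropped kit"    # added
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, good)
        write_tree(b, deployed)
        return diff_manifests(build_manifest(a), build_manifest(b))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Generate the baseline from the deployment artifact rather than from the live host, and hash a copy pulled off the server rather than running on it; a kit that has already modified index.php can just as easily modify a checker that lives beside it.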

Acknowledgments

The authors would like to thank Jeremy Kennelly for his threat expertise and investigative guidance, Evan Reese for his assistance in detection review, and The Managed Defense Security Operations Center for their continued vigilance.

Comprehensive Detection List

These YARA rules are not intended to be used for real time monitoring or to inform blocking rules without first being validated through an organization’s own internal testing processes to ensure appropriate performance and limit the risk of false positives.

YARA Rules

rule M_Hunting_JS_Caffeine_Redirect_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "60cae932b80378110d74fe447fa518d6"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for string artifacts on Caffeine Javascript redirect pages. Intentionally wide."
    strings:
        $cf1 = "Don't Play Here Kid" ascii wide
        $cf2 = "mrxc0der" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Toolmarks_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for generic Caffeine obfuscation toolmark strings. Intentionally wide."
    strings:
        $attacker_brand = " - WWW.CAFFEINES.STORE" ascii wide
        $obfuscation_tagline = "CODED By MRxC0DER" ascii wide
    condition:
        all of them
}

rule M_Hunting_PHP_Caffeine_Obfuscation_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "ce9a17f9aec9bd2d9eca70f82e5e048b"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for obfuscated PHP scripts."
    strings:
        $f1 = { 3C 3F 70 68 70 }          // "<?php"
        $a1 = "__FILE__));" ascii wide
        $a2 = "=NULL;@eval" ascii wide
        $a3 = "))));unset" ascii wide
    condition:
        uint16(0) == 0x3F3C and          // file begins with "<?" (little-endian read)
        all of them
}

rule M_Hunting_JSON_Caffeine_Config_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "684b524cef81a9ef802ed3422700ab69"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for default Caffeine configuration syntax. Intentionally wide."
    strings:
        $cf1 = "token" ascii wide
        $cf2 = "ip-api.io" ascii wide
        $cf3 = "ff57341d-6fb8-4bdb-a6b9-a49f94cbf239" ascii wide
        $cf4 = "send_to_telegram" ascii wide
        $cf5 = "telegram_user_id" ascii wide
    condition:
        all of them
}

rule M_Hunting_ICO_Caffeine_Favicon_1
{
    meta:
        author = "adrian.mccabe"
        md5 = "12e3dac858061d088023b2bd48e2fa96"
        date_created = "2022-09-22"
        rev = "1"
        context = "Searches for legitimate Microsoft favicon used by Caffeine. VALIDATION REQUIRED."
    strings:
        $a1 = { 01 00 06 00 80 }         // ICO type 1, 6 images, first entry 128 px wide
        $a2 = "fffffff" ascii wide
        $a3 = "3333333" ascii wide
        $a4 = "DDDDDDDDDDDUUUUUUUUUUUP" ascii wide
        $a5 = "UUUPDDD@" ascii wide
    condition:
        uint16(1) == 0x0100 and          // ICO header: reserved 0x0000 then type 0x0001
        all of them
}

Domains/URLs

Domain/URL: eduardorodiguez9584[.]ongraphy[.]com
  IP address resolution: 134.209.156[.]27
  Notes: Phishing campaign redirect site.

Domain/URL: oculisticaspizzirri[.]it/fill/
  IP address resolution: 136.243.82[.]137
  Notes: Misconfigured second-stage credential harvesting URL.

Domain/URL: caffeinefiles[.]click
  IP address resolution: 104.21.6[.]210
  Notes: An active hosting location for Caffeine platform files. Currently behind Cloudflare.

Domain/URL: caffeines[.]space
  IP address resolution: 185.163.46[.]131
  Notes: An inactive hosting location for Caffeine platform files.

Domain/URL: caffeines[.]store
  IP address resolution: 104.26.7[.]11
  Notes: The main Caffeine store platform URL. Currently behind Cloudflare.

Domain/URL: ip-api[.]io
  IP address resolution: 192.99.71[.]107
  Notes: This is a seemingly legitimate service Caffeine uses for IP address geolocation. On its own it is not inherently malicious, but when activity for this domain appears alongside other Caffeine indicators, it provides immense contextual value.

Domain/URL: telegram[.]org
  IP address resolution: 149.154.167[.]99
  Notes: A legitimate encrypted messaging service used heavily by Caffeine.

Table 3: Comprehensive domain list for Caffeine-associated activity in this blog post

Source: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform